
Privnotes.com Is Phishing Bitcoin from Users of Private Messaging Service Privnote.com
2020-06-14 04:01

For the past year, a site called Privnotes.com has been impersonating Privnote.com, a legitimate, free service that offers private, encrypted messages which self-destruct automatically after they are read. Until recently, I couldn't quite work out what Privnotes was up to, but today it became crystal clear: Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same.

KrebsOnSecurity has learned that the phishing site Privnotes.com uses some kind of automated script that scours messages for bitcoin addresses, and replaces any bitcoin addresses found with its own bitcoin address.

Several other tests confirmed that the bitcoin-modifying script does not seem to change message contents if the sender and receiver's IP addresses are the same, or if one composes multiple notes with the same bitcoin address in it.

Allison Nixon, the security expert who helped me with this testing, said the script also only seems to replace the first instance of a bitcoin address if it's repeated within a message, and the site stops replacing a wallet address if it is sent repeatedly over multiple messages.

"And because of the design of the site, the sender won't be able to view the message because it self-destructs after one open, and the type of people using privnote aren't the type of people who are going to send that bitcoin wallet any other way for verification purposes," said Nixon, who is chief research officer at Unit 221B. "It's a pretty smart scam."
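
The following Python example is added here and is not from the original article. It shows two checks that follow from the reported behaviour: a sender comparing the note they wrote against a copy the recipient returns over another channel, and a recipient-side heuristic that relies on the observation that only the first copy of a repeated address was replaced. The function names and sample notes are assumptions, and only legacy Base58Check addresses are handled.

```python
import hashlib
import re
from itertools import zip_longest

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses only (leading 1 or 3); bech32 is out of scope.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def encode_address(h160, version=0):
    """Base58Check-encode a 20-byte hash; also used to construct sample data."""
    raw = bytes([version]) + h160
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(addr):
    """Decode, then re-encode the payload: a match proves checksum and encoding."""
    if not addr or any(ch not in B58 for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    if n >> 200:  # does not fit in version + hash + checksum (25 bytes)
        return False
    raw = n.to_bytes(25, "big")
    return encode_address(raw[1:21], raw[0]) == addr

def addresses(text):
    """Checksum-valid addresses in order of appearance."""
    return [a for a in CANDIDATE.findall(text) if is_valid_address(a)]

def compare_notes(sent, received):
    """Sender-side check: (position, sent, received) for every address that differs."""
    pairs = zip_longest(addresses(sent), addresses(received))
    return [(i, s, r) for i, (s, r) in enumerate(pairs) if s != r]

def copies_disagree(received):
    """Recipient-side heuristic: the sender repeated one address, yet copies differ."""
    return len(set(addresses(received))) > 1

# Constructed sample data: both addresses are derived from made-up hashes.
MINE, OTHER = encode_address(b"\x11" * 20), encode_address(b"\x22" * 20)
SENT = f"Send payment to {MINE}. To confirm, the address is {MINE}."
RECEIVED = f"Send payment to {OTHER}. To confirm, the address is {MINE}."
```

The recipient-side check only helps when the sender deliberately writes the address more than once, and it depends on the first-instance-only behaviour observed in the testing described above.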


News URL

https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Bitcoin | | 4 | 0 | 5 | 12 | 1 | 18 |