Possible link scam? soylent.nu top result on google instead of soylent.me


#1

A post over on the subreddit found that the current top result when googling soylent is soylent.nu, instead of soylent.me.

If it was a simple redirect, nbd, but apparently the site is serving soylent.me in a frame, which could be used to hijack user information. No other questionable behavior has been seen just yet.

@rob, @JulioMiles, is this an official Soylent site?

Thanks!

UPDATE: Official reply below. TL;DR: domains were set up as placeholders by a Discourse member hoping to help in establishing international markets, but otherwise no malicious intent meant. Google report submitted and redirects have been established.


#2

Here’s a link to the who.is information. Since it’s coming from Papendrecht (?!) in the Netherlands, it’s probably fraudulent. Good catch. We should report this…


#3

When you now hit it, it’s now doing a 301 (moved permanently) redirect to the real soylent.me site.
The redirect is being done via HTTP, not DNS. The HTTP server putting up the redirect response is running a Debian flavored Apache, version 2.2.16.


#4

@rob, @JulioMiles, is this a large potential issue if soylent.nu isn’t yours. They were opening your soylent.me site in a frame. That means anyone who used the soylent.nu site to log in probably had their username and password captured and maybe even personal info if they used soylent.nu to sign up or make an order. The nu site was using a non-secured connection, so info could have been sent in Plain Text and readable by the owners of the site (I don’t currently have access to an https web site to test/verify this).

As j8048188 says, the site now redirects to your site instead of using a frame. So that means the person who set it up is probably registered here or Reddit and found out they were caught.

You should be able to tell how much the soylent.nu site was used and what pages were framed by your web log files showing access from soylent.nu’s IP Address 81.4.97.217.

You should notify Google about a malware/phishing/fake site to get it removed from search results and send the registrar (beheer@metaregistrar.nl) a take down notice. You should probably also email people and tell them that if they used soylent.nu, they should change their password and if your log file shows access from 81.4.97.217 to ordering pages, that users should watch their credit for fraudulent charges.

Let me stress that while the law says you need to notify people of this issue when you are hacked and/or have data stolen from your site, it would be prudent to notify people about this issue anyways to protect your image.

You can prevent this from happening again by editing your web site’s config file or adding a .htaccess file in your root directory with:
(block all frames):
Header append X-FRAME-OPTIONS "DENY"
or
(page can only be displayed in a frame on the same origin as the page itself):
Header append X-FRAME-OPTIONS "SAMEORIGIN"
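
Added example (not part of the thread and not Soylent's own tooling): the access-log review suggested in post #4, written in Python over constructed Apache combined-format lines. The client addresses and request paths are made up; only soylent.nu and 81.4.97.217 come from the thread.

```python
import re
from urllib.parse import urlsplit

FRAMING_HOST = "soylent.nu"   # domain named in the thread
FRAMING_IP = "81.4.97.217"    # address quoted in post #4

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample (Apache combined format); client IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "http://soylent.nu/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "http://soylent.me/" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:14:01:10 +0000] "GET /order HTTP/1.1" 200 812 "https://www.google.com/" "Mozilla/5.0"
81.4.97.217 - - [10/Oct/2013:14:02:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.9 - - [10/Oct/2013:14:03:00 +0000] "GET / HTTP/1.1" 200 5120 "http://notsoylent.nu/" "Mozilla/5.0"
"""

def from_framing_site(referer):
    """True if the Referer host is the framing domain or a subdomain of it."""
    host = (urlsplit(referer).hostname or "").lower()
    # Compare whole labels so a lookalike such as notsoylent.nu does not match.
    return host == FRAMING_HOST or host.endswith("." + FRAMING_HOST)

def trace_framed_clients(log_text):
    """Map each client that arrived via the framing site (or is its server IP)
    to every request it made from that point on. Only the first request inside
    a frame carries the outer page's Referer, so later requests are tied back
    to it by client IP."""
    tracked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip = m["ip"]
        if ip not in tracked and (ip == FRAMING_IP or from_framing_site(m["referer"])):
            tracked[ip] = []
        if ip in tracked:
            tracked[ip].append((m["method"], m["path"]))
    return tracked

if __name__ == "__main__":
    for ip, requests in trace_framed_clients(SAMPLE_LOG).items():
        print(ip, requests)
```

Matching on client IP over-counts behind shared NAT, so the result is a list of sessions to review, not a confirmed list of affected accounts.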


#5

Julio emailed me. They have been in touch with the soylent.nu owner and got the redirect set up. Julio says while it was “sketchy”, they have no reason to believe that there was any sort of security compromise.


#6

Thanks for the update. I am still concerned about the redirect being served by an Apache web server, as they can change what that server puts up at any time.
(To clarify*: If a web server is doing the redirect, that means that they can set the server to do anything else whenever they want, serving up malicious pages or other bad redirects.)
The thing that would alleviate most security concerns would be redirecting the DNS itself to point to soylent.me, instead of having a web server in the middle to issue the redirect.
(I do this stuff for a living, so I’m extra security-conscious.)
*edited for clarity


#7

I agree but wish to clarify that the concern is that a web server is doing the redirect. Apache, IIS, what have you, all can cause the same issues. So singling out one web server daemon, like Apache, can be misleading for what you are trying to communicate.

Also, +1 on the web config for soylent.me being updated to prevent this per sal9000’s post above.
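
Added example (not from the thread): a Python check of how a browser would read the X-Frame-Options values discussed above, following the HTML Standard's rules in simplified form. The response headers are constructed, and the function names are hypothetical.

```python
VALID = {"deny", "sameorigin"}

def xfo_tokens(headers):
    """Collect lower-cased X-Frame-Options tokens from (name, value) pairs.
    Repeated headers and Apache's 'Header append' both end up comma-joined."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens

def framing_verdict(headers):
    """Return 'deny', 'sameorigin' or 'unprotected' for one response."""
    tokens = xfo_tokens(headers)
    if len(tokens) > 1:
        # A mixed list is blocked outright if any recognised token is present
        # (so same-origin framing breaks too); a list of only junk is ignored.
        return "deny" if tokens & (VALID | {"allowall"}) else "unprotected"
    if tokens == {"deny"}:
        return "deny"
    if tokens == {"sameorigin"}:
        return "sameorigin"
    return "unprotected"  # header missing, or a single unrecognised value

# Constructed responses; none were captured from a real site.
CASES = {
    "no header":           [("Content-Type", "text/html")],
    "deny":                [("X-FRAME-OPTIONS", "DENY")],
    "sameorigin":          [("X-Frame-Options", "sameorigin")],
    # Value pasted with typographic quotes: sent literally, not a valid token.
    "typographic quotes":  [("X-Frame-Options", "\u201cSAMEORIGIN\u201d")],
    # 'Header append' on top of a value the application already set.
    "appended twice":      [("X-Frame-Options", "SAMEORIGIN, DENY")],
    "obsolete allow-from": [("X-Frame-Options", "ALLOW-FROM http://soylent.me/")],
}

def audit(cases=CASES):
    """Verdict per labelled response."""
    return {label: framing_verdict(h) for label, h in cases.items()}

if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:20} {verdict}")
```

Browsers skip X-Frame-Options when the response carries a Content-Security-Policy with a frame-ancestors directive; that case is not modelled here.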


#8

I agree. I used to do this for a living - got laid off due to sequestration overhead budget cuts (I was a backend web admin for 15 years) :frowning:

We had this happen upon occasion to our web sites. At that time I used meta tags or JavaScript to break the frames and force a reload of our site in a direct method. Images had to be blocked so people couldn’t steal bandwidth, and CGI Perl scripts had to be edited to only allow the site to use them and not let other people steal content.

The ideal thing would be to issue a cease and desist order to the person running the site, notify his registrar of the deception, and notify Google about the issue to get the soylent.nu site removed from the Google search results. If I still had access to an SSL site I’d test exactly what could be captured by the framing (I know, I could set up a self-signed certificate site but I’m just burned out on web admin currently). You can configure the server (any server; Apache, IIS, ColdFusion, Tomcat) to capture all GET/POST form fields in log files. That’s my primary concern.

EDIT: It’s only Google. Bing and DuckDuckGo return only soylent.me with no sign of soylent.nu.
EDIT 2: I wonder based on what I’ve read if the site was set up by someone actually involved in Soylent and they “thought it was a good idea”. I’ve had that happen too. Good intentions gone wrong.


#9

Hi everyone,

Thanks for being on top of this issue and submitting so much useful feedback. Here’s where we are now:

The operator of the sites (there are 8 in total) is a Discourse member by the name of @SoylentStore (Sam Rohn). He had initially been interested in partnering with us to bring Soylent to international markets. The domains were set up merely as placeholders and at this time we have no reason to believe any customer information was stolen or fraudulent charges were made.

Sam has been fully compliant with our requests to resolve the confusion arising from these new domains and has already redirected them to our official site, Soylent.me. We have submitted a report to Google, which should hopefully get the official site back on top shortly.

Again, thanks to everyone who helped out with this, we’re lucky to have such a talented group of supporters looking out for us.

John


#10

John,

Glad to hear, thanks for the update!