Author

Topic: ⚠⚠️⚠~Beware on active phishing Electrum websites~⚠⚠️⚠ (Collection list updated) (Read 635 times)

hero member
Activity: 1330
Merit: 869
IOCs

Malicious Electrum wallet binaries

Code:
137e8925667ff75b1c516a97b5d2d3dd205f9302cdeb190fc68855aee2942c22
1900f4d0a13486f90ff5f82e02d210b8a9db27bca24b88f5de849ef124212f09
1ef6c9d9d3519769749498631532063967fc7d5e8f0fc75e8a3ff66f57dfab22
2747c4e43d2652f3ad039e0dc1bf28f5b136a9ac76a4f57320b08b5905e7c4cd
2cd180e61e36de1be904a02591485ef3321b539cdccca1fd7f1f001770652b14
307d97a38c6bf21903057eec48c4d3957e10c0097fe05d5a203101d22cd79cc3
3610c86975ed943b5065bdc65bfcb4035e58a863cd3192865401bc6a70b023ba
367b620a0a332f693a68230bf21f7036983b7b9e0dee946af5338ed168c16318
36c3140d73fbfb5710438d7c218013bf6fb8736a98dfe002b0d711fbb39aad41
41ff4f112d0a8c4bb20a49f7beb5f36c28455a9cebafa8db75277f54f597d6d4
57f6ef3ea9e497592bdbe9dda201105e0faea8f6668b5701b6b91fbc9e94cd43
634287c65f018e71ed7bebfb5b21e33bcedf08139e3d924178b4cdfaa12d8b34
74c2dcf751796cd209755b4e828b6686b2fb38587163b1cbff1295da2d3f0a8c
87aa1fdf00db2ed94464c2687a0e1011a80af576267c0f88d1216c0cb4d2e310
9a5b1ffbeb562d772dfa2d49e59e0f72557f6111a5e24d6498f88b77a5d8f10a
a080444918844e27ff2079b71f20ebd2d1f1836907c854671daa3548dc809e7c
b20778f69cc959a16c612e75d21a3668aab11f47f2659c3175da5bd80665e225
c48b7ba2531e4954881388aceb00a2ec36488f1cf70eeb873a97b7cfa32362cb
c5afedd8a03d2f49e25fb2c568ede20b0e43a4eeebebd202c98324ead9b82732
df154484a90321407c0e8115df7bf6f598adb6a50255cc58b723db7cc5d3729f
e8ef9cbeec7cdc7f58e28274c417457c5c8dcf47f4e8409cb2befe9450d3868b
f736c8fa4a21755020ecfce60a53d0a1cfdaa7061fd7be6efd49d74af9b13e02

Fake domains​
Code:
btc-electrum[.]com
btcelectrum[.]org
downloadelectrum[.]com
downloadelectrum[.]org
eiectrum[.]net
electrum[.]bz
electrumapp[.]org
electrumapps[.]com
electrumbase[.]com
electrumbase[.]net
electrumbase[.]org
electrumbitcoin[.]org
electrumbtc[.]org
electrumbuild[.]com
electrumcircle[.]com
electrumclient[.]org
electrumcore[.]com
electrumcore[.]net
electrumdownload[.]com
electrumdownload[.]org
electrume[.]com
electrume[.]org
electrumfix[.]com
electrumget[.]com
electrumget[.]com
electrumhub[.]com
electrumnet[.]com
electrumofficial[.]com
electrumopen[.]org
electrumpgrade[.]com
electrumsafe[.]org
electrumsite[.]com
electrumsource[.]org
electrumstart[.]org
electrumtxn[.]com
electrumupdate[.]com
electrumupgrade[.]com
electrumupgrade[.]org
electrumware[.]com
electrumware[.]org
electrumweb[.]net
getelectrum[.]com
getelectrum[.]live
getelectrum[.]org
goelectrum[.]com
myelectrum[.]org

Attacker Bitcoin addresses
Code:
bc1qhsrl6ywvwx44zycz2tylpexza4xvtqkv6d903q
bc1q92md7868uun8vplp9te0vaecmxyc5rrphdyvxg
bc1q7hsnpd794pap2hd3htn8hszdfk5hzgsj5md9lz
bc1ql0p2lrnnxkxnw52phyq8tjr7elsqtnncad6mfv
bc1qyjkcthq9whn3e8h9dd26gjr9kd8pxmqdgvajwv
bc1q9h36cyfnqcxjeuw629kwmnp5a7k5pky8l2kzww
bc1qvr93mxj5ep58wlchdducthe89hcmk3a4uqpw3c
bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x
14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5
3CrC4UitJqNqdkXY5XbJfCaGnbxHkKNqzL
31rTt8GePHv8LceXnujWqerUd81U29m857
1FmxAHft8trWjhRNvDsbjD8JNoSzDX8pfD

Fraudulent/malicious digital certificates (Windows only)
Code:
Name: PRO SOFTS

Serial Number: 15 8F D7 D2 FB 6E 69 E7 75 AB EE 6E
Name: EIZ Ltd

Serial Number: 06 6A F7 6B 79 4F 63 79 3C C0 CA 33 78 6F 07 47

RIG EK payload
Code:
9296b210b782faecca8394b2bd7bf720ffa5c122b83c4ed462ba25d3e1b8ce9a

transactionservices.exe (Electrum wallet)
Code:
c3a7cf30428689a44328090b994ce593bbf2a68141fcbefb899dee4fec336198

IPs (Electrum wallet host and configs)
Code:
178.159.37[.]113  
194.63.143[.]226  
217.147.169[.]179
188.214.135[.]174

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

==

Phishing with Unicode



https://twitter.com/ElectrumWallet/status/1144678604523147265?s=20
HCP
legendary
Activity: 2086
Merit: 4361
So... some positive news... I received this email overnight Smiley

Domain Registrars usually take abuse claims relatively seriously... especially in the case of malware and phishing. It's worth reporting!

Quote
Namecheap Legal & Abuse Team <[email protected]>
15 May 2019, 22:46
to me

Hello,

This is to inform you that the electrum[ . ]mx domain was suspended. It has been placed on the clientHold status and locked to prevent modifications in our system.

Thank you for letting us know about the issue.
-----------------------
Regards,
Nikita O.
Legal & Abuse Department
Namecheap.com
legendary
Activity: 2730
Merit: 7065
To expend on what HCP said in his post earlier. There were a few threads opened yesterday on the forum, probably from hacked accounts, that were shilling a fake message that Electrum was updated to version 3.3.6. There is no version 3.3.6 so be careful if you see such threads. It leads to a fake wallet hosted on the address that HCP posted in his post.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
I see they added a link to the latest Electrum update at the bottom of the wallet, when you open it. People should not simply click on that link, without double checking the URL that it is pointing too. We saw how "default" servers with exploits have been added in the client in previous versions, so it is not unlikely that hackers might edit that Url and replace it with a phishing site.  Angry

I download all "updates" from the official site or Github repository, so I ignore prompts like that.  Wink
HCP
legendary
Activity: 2086
Merit: 4361
A couple of others to add to your list...
Code:
elecfrum.org
electrum.mx

The first was being shilled on the boards yesterday... the later is an old fake website that seems to have resurfaced.
legendary
Activity: 2758
Merit: 6830
Make sure to always report them with these links:

We can report them here: https://support.google.com/google-ads/troubleshooter/4578507
And here: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

This will remove them from showing up on Google ads.

They will be blocked on Chrome and Firefox.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Baofeng, that site is already reported in Electrum board, and it is blocked in some browsers (Firefox, Brave), and Malwarebytes is also block access to that site.

Code:
http://electrumsecuredownload.com
 
This one is still available in some browsers, but I hope that it will be blocked soon. Just use link to report such sites to Google (link in my previous post), and they will remove them from search results.
legendary
Activity: 2576
Merit: 1655
legendary
Activity: 2058
Merit: 1030
I'm looking for free spin.
Update:

I added these 2 alive phishing Electrum websites.

Code:
electrumcircle.com
l-electrum.org

I'll add more once I found new Electrum  phishing websites.

Anyone can help me find fake Electrum sites just make sure it is alive website.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~
In fact, it is not difficult to edit host file, but some users will certainly have problems with such things. This only solves the problem of the existing phishing sites, and the much bigger problem are new or undetected sites which appear every day.

Internet users use search engines, this is an indisputable fact - and so will be in the future. It's important when we make sure that the address of a site is correct, to add that site to our browser bookmarks and use that link to access site every time. Antivirus and adblockers are not 100% safe way of protecting, but in my personal experience in most cases they do their job well.

Yesterday I report first and last phishing site from the list to Google Safe Browsing, today both sites are blocked by Malwarebytes as phishing sites. It seems the majority of security software and browsers using Google data for phishing sites, so it is important to report such sites as soon as possible, and they will be blocked in one way or another.
legendary
Activity: 2576
Merit: 1655
Will you consider this one?



Obviously, there is a Github repo link which I think is another way to phished specially noob's.

Code:
http://docs.electrum.org/en/latest/



Off-topic. Glad to see someone who uses scrapebox.  Grin. I'm been using it way back 2010-2011 when I was doing a lot of social media marketing back then. And I was amaze that it has a lot of updates, totally lose my mind seeing lots of options now.  Grin
hero member
Activity: 2646
Merit: 686
People also need to be aware that older versions of Electrum's software has been hijacked by hackers now which will block your attempt to send BTC and fool you on trying to install a "newer" vesrion of Electrum which is also fake as its just a phishing software trying to steal your seeds and private keys. Electrum hacks are almost everywhere as its a popular desktop wallet and I think Electrum should keep up on their monitoring to avoid potential losses from their clients.

Hey this reminds me of the hack which happened in Electrum wallet a while ago, where people were asked to update it from the wallet itself. I feel this thread contains valuable information as large number of people including me use Electrum wallet for storing and transacting bitcoins. Also I feel one should use Electrum app on mobile to be on a safe side, as all issues seem to be on the desktop version so far.
legendary
Activity: 2268
Merit: 18748
Although the idea of blocking such sites in users host file is not bad, for most users it still represents a challenge. What we need to do is report such sites as phishing to Google. In this way such sites will be blocked for every user, even those who are not aware of the problem will be protected.
On Firefox you can also access this link (with the URL pre-populated by the page you are visiting from) by click on Help -> Report deceptive site. I've tried to make the instructions to edit the hosts file as simple as possible - you literally just locate the file in the directories I have listed, open it with a text editor, paste the code at the bottom, and save it. Most users should be able to manage that.


It is also important to use adblocks for browsers, since most users use search engines to find Electrum site, and bad ones usually pops up at the top of the search list. The last line of defense is antivirus software which should be updated, and good AV will analyze any downloaded file and prevent the user from installing bad software.
You shouldn't be using a search engine to find sites like electrum, myetherwallet, binanace, this forum, etc. It is much safer to manually type in the URL. Ad-blockers and antivirus are a must (in addition to extensions like HTTPS Everywhere and Privacy Badger), but you can't rely on these to protect you 100%.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I check all sites from the list, the result is the following : First and last site from the list are loaded quite normal (no blocking from adblock, av or other security software), and other sites are blocked by my browser (Firefox) as Deceptive site ahead with the following warning :

Quote
electrumclient.org has been reported as a deceptive site. You can report a detection problem or ignore the risk and go to this unsafe site. Learn more about deceptive sites and phishing at www.antiphishing.org. Learn more about Firefox’s Phishing and Malware Protection at support.mozilla.org.



Although the idea of blocking such sites in users host file is not bad, for most users it still represents a challenge. What we need to do is report such sites as phishing to Google. In this way such sites will be blocked for every user, even those who are not aware of the problem will be protected.

It is also important to use adblocks for browsers, since most users use search engines to find Electrum site, and bad ones usually pops up at the top of the search list. The last line of defense is antivirus software which should be updated, and good AV will analyze any downloaded file and prevent the user from installing bad software.
hero member
Activity: 1806
Merit: 672
People also need to be aware that older versions of Electrum's software has been hijacked by hackers now which will block your attempt to send BTC and fool you on trying to install a "newer" vesrion of Electrum which is also fake as its just a phishing software trying to steal your seeds and private keys. Electrum hacks are almost everywhere as its a popular desktop wallet and I think Electrum should keep up on their monitoring to avoid potential losses from their clients.
legendary
Activity: 2702
Merit: 4002
Good work, thanks for the warning but such lists will not be useful because scammers are ahead of you in a step "Create more phishing sites."
All official electrum wallet releases are signed by ThomasV so it is better to modify this subject to be how to check signatures to avoid phishing Electrum websites/links.
So before you download a wallet, check your wallet signature "import ThomasV.asc public key and verify other signatures".

Note that:

Windows builds are reproducible, and signed by several developers. See the list here

Add this to your list

Code:
www[.]electrumbuild[.]org
www[.]electrumupgrade[.]org
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
I also noticed something weird, when I accessed my wallet over the weekend. The option to automatically chose the server are being disabled by default. A possible fake server was selected by default and it did not want to connect to it. I enabled the "auto" selection again and it connected to the legit server.  Roll Eyes

I updated to the latest version of the software, but I think they found some workaround to manipulate the server selection.   Wink
hero member
Activity: 2842
Merit: 772
Since everyone here uses different OS, I will quote this here:

Another one to be added to your hosts files then.

On Windows, navigate to "C:\Windows\System32\Drivers\etc\", and open the hosts file in a text editor.
On Mac, navigate to "/private/etc/", and open the hosts file in a text editor.
On Linux, open terminal and write "sudo nano /etc/hosts"


Then add the following line quoted by you below.

Code:
127.0.0.1       electrum.org.uk
127.0.0.1       electrumclient.org
127.0.0.1       downloadelectrum.org
127.0.0.1       electrumsite.com
127.0.0.1       electrumweb.net
127.0.0.1       electrumupdate.com
127.0.0.1       electrumproject.org

The original post can be found here: https://bitcointalksearch.org/topic/another-phishing-site-5126419
legendary
Activity: 2058
Merit: 1030
I'm looking for free spin.
Great share.

Please add the following to the list
Code:
http://elektrum.org
Source: https://bitcointalksearch.org/topic/m.50330965

Thanks Smiley

Thanks for your help but the link you put is not the correct URL and the site seems a blog.

The correct one according to the linked thread is
Code:
elecktrum.org

It seems the site is no longer active. What I want is active Electrum phishing sites.
full member
Activity: 168
Merit: 214
WhoTookMyCrypto.com
Great share.

Please add the following to the list
Code:
http://elecktrum.org

Source: https://bitcointalksearch.org/topic/m.50330965

Also, since such lists quickly get outdated if not maintained, users may want to check against this site too: https://etherscamdb.info

Stay safe.

Edit: updated for the comment below. Yes, typo was made.
legendary
Activity: 2058
Merit: 1030
I'm looking for free spin.
I just want people here to be aware on phishing fake Electrum websites that is why I created this thread to people who doesn't know if what are phishing site is.

Electrum announce that lower version of electrum is no longer connected to the servers because it's under attack with fake/phishing URL link if you click the pop up screen that asking to update the Electrum you will be redirect to a fake website that listed below.

Here is the sample of Electrum phishing site look like below.



If you found a fake electrum website please post it here or PM me I will add it here so that other forum members are aware on fake phishing site.

Here is my list of active fake electrum website that I found when scraping using scrapebox.

Code:
http://electrum.org.uk/
http://electrumclient.org/
http://downloadelectrum.org/
http://electrumsite.com/
http://electrumweb.net/
http://electrumupdate.com/
http://electrumproject.org
I put them into code so that they are not linked here on the forum.

To protect your self from these phishing sites you can edit your hosts and add this line below.

Code:
127.0.0.1       electrum.org.uk
127.0.0.1       electrumclient.org
127.0.0.1       downloadelectrum.org
127.0.0.1       electrumsite.com
127.0.0.1       electrumweb.net
127.0.0.1       electrumupdate.com
127.0.0.1       electrumproject.org

I'll put another list below for those who can help to hunt other active phishing sites including your username or I might be rewarded you with merit. Just make sure the site is active.

Updated 6/20/2019
Code:
electrumcircle.com Added by me
l-electrum.org Added by me

www[.]electrumbuild[.]org added by hugeblack
www[.]electrumupgrade[.]org added by hugeblack

electrum.bz added by Baofeng

electrumsecuredownload.com added by Lucius

elecfrum.org Added by HCP
electrum.mx Added by HCP

https://electrumus[dot]com/#home Added by Baofeng
Jump to: