
Topic: Don't download any Electrum software if asked, if U r using versions below 3.3.3 (Read 200 times)

legendary
Activity: 1584
Merit: 1280
Heisenberg Design Services
I need to connect myself with the Piggy Maggiordomo tool at the earliest. Seems like I am always missing when someone quotes my post :(

Quote:
That's probably because you use auto server selection and at that time got connected to a malicious server. You should not be able to use an old version of Electrum (older than 3.3.3) anymore, as most servers have stopped supporting them to prevent this phishing attack.
Yes, most of the time I use the auto server option so that I don't have the problem of connecting manually each time I log in. The phishing attack I am talking about was probably around a month back, I guess. Most of the time, I would never disturb my offline wallet, which holds a little more money. I would always have a few satoshis worth around $50-100 in an online wallet so that I can use them whenever I need to transact with BTC.

Quote:
What I don't really get here is, can't Electrum do something and emphasize a process to verify such servers before even allowing those servers to work if we choose to Auto Connect in any version of Electrum?
If we are using SPV wallets, we are aware that we are trusting someone other than us with the money and compromising our privacy. SPV wallets just have block headers with them, and they depend on a server to broadcast the transactions to other nodes, generate our wallet balances etc. If we do not want to be governed by or dependent on other servers, we should run our own node. We need to be aware that people running Electrum servers can spy on us and can give away malicious links to us. Electrum can never get involved in this, as everything is working in a decentralized way here.

Quote:
Isn't such a vulnerability a crispy slap on their face that their software isn't even handled by them (for lower versions) and many already fell for this 4.0 and many other phishing issues going on nowadays?
It isn't a crispy slap; they are doing what they can by rejecting those servers, but if new servers are hacked we need to be careful with it.

Quote:
Come on, Bitcoin Core and Mycelium are also software but I never heard of any such issues with them. I love Electrum and want to stick with it forever, but not at the cost of losing all my savings and money that I decide to keep there.
You are totally confusing a full node with an SPV wallet. Core is a full node; they don't want to be dependent on others to broadcast their transactions or view their updated balances. They have their very own version of the blockchain stored locally. If we are so concerned about privacy and security, switch to a full node. There is no other way than this.

Here is a brief summary of why each and every bitcoin user should run a full node: https://en.bitcoin.it/wiki/Full_node#Why_should_you_use_a_full_node_wallet

P.S. I don't use a full node since I can never maintain it or sync it each and every time for such a huge blockchain like Bitcoin's, but I always speak in favour of a full node rather than trusting an SPV wallet.
legendary
Activity: 3234
Merit: 5637
Quote:
What I don't really get here is, can't Electrum do something and emphasize a process to verify such servers before even allowing those servers to work if we choose to Auto Connect in any version of Electrum? I love Electrum and want to stick with it forever, but not at the cost of losing all my savings and money that I decide to keep there.

I think at this moment it is not possible to control the servers in the way you think; it is only possible to prevent them from showing messages which can trick users into downloading fake wallets. It is very likely that in the future there will be similar or even more sophisticated attacks on Electrum users, just because of the fact that this wallet is used by a very large number of people.

Electrum is a very good crypto wallet, and it can be safe to use, but only for users who know what they are doing. If you have a significant amount of BTC, maybe it is time to invest $50 or $60 in a hardware wallet, and you can use such a wallet with Electrum as the UI.
legendary
Activity: 3052
Merit: 1273
@Everyone,
Thanks for the comments, really helpful there.
I've edited and changed the title as well as a few things that were needed to be changed and some added.

Quote:
I would always have all my wallet files in an offline laptop. I have used Electrum 3.3.2 but didn't encounter any issues like this except once before.

Quote:
That's probably because you use auto server selection and at that time got connected to a malicious server. You should not be able to use an old version of Electrum (older than 3.3.3) anymore, as most servers have stopped supporting them to prevent this phishing attack.

What I don't really get here is, can't Electrum do something and emphasize a process to verify such servers before even allowing those servers to work if we choose to Auto Connect in any version of Electrum? Isn't such a vulnerability a crispy slap on their face that their software isn't even handled by them (for lower versions) and many already fell for this 4.0 and many other phishing issues going on nowadays? Come on, Bitcoin Core and Mycelium are also software but I never heard of any such issues with them. I love Electrum and want to stick with it forever, but not at the cost of losing all my savings and money that I decide to keep there.
legendary
Activity: 2170
Merit: 1789
Quote:
I would always have all my wallet files in an offline laptop. I have used Electrum 3.3.2 but didn't encounter any issues like this except once before.

That's probably because you use auto server selection and at that time got connected to a malicious server. You should not be able to use an old version of Electrum (older than 3.3.3) anymore, as most servers have stopped supporting them to prevent this phishing attack.
legendary
Activity: 1584
Merit: 1280
Heisenberg Design Services
I would always have all my wallet files in an offline laptop. I have used Electrum 3.3.2 but didn't encounter any issues like this except once before. Most of the time, I sign the transaction in my offline wallet and then transfer it to the online watch-only wallet and broadcast the transaction.

Also, whenever I download a newer version of Electrum from the site, apart from bookmarking the site, I visit the site through the official Electrum links mentioned on the bitcoin.org website. I don't really trust even Google with this, since most of the time I am getting redirected to the .to phishing website of bitcointalk. Hence it would be better if we trust the bitcoin.org website rather than trusting Google or some other search engines.

Recently, most of the phishing sites are being masked as legit and are roaming around the net, and as Pamolder said, it is always better to verify ThomasV's signature (it is time consuming, but worth the time and your money).
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Can our moderator put something like this (or this topic) on stickies, please?
So newbies will see the warning/issue right after going to this board and hopefully won't open another topic with repeated questions and answers.

@Stedsm The title's kinda off :-\
It sounds like Electrum is asking to download a version below 3.3.3,
this sounds better: "Don't download any Electrum software if asked, if you're using versions below 3.3.3" or with the same context.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
Quote:
After that, just visit https://electrum.org (Electrum's official website) and go to "Download" and download their official latest version 3.3.4

As an additional security measure, I would suggest that you suggest users verify the download before installing. This way you know that you are about to install the authentic version. It's strongly recommended to follow this step even if you download it from their official website.

Here is a tutorial: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/ 
copper member
Activity: 2338
Merit: 4543
This has been an issue for several months now.  Of course it's always a good idea to keep people aware of the dangers of malware.  But, if I may make a suggestion:  Don't put links to malware sites in your post.  Someone might not read your post thoroughly and click on the link suspecting it'll take them to the official Electrum website.  If you want to bring awareness you can put the link in a "code" box, and mark it as a phishing site, like this:


Warning Phishing Site, do not click:
Code:
https://electrum.mx
legendary
Activity: 3052
Merit: 1273
I had version 3.3.2 till today and as I opened my Electrum wallet today only, while trying to send a transaction I noticed some arbitrary messages like "Your version is old and to broadcast your transaction, you need to upgrade your Electrum to V4.0

Visit https://electrum.mx* to download the software or click this link xxxxxxxxxxxxxv40.exe"

*WARNING BY ME: Do not click the link as I've mentioned it here just for information purposes, it may have malware that may harm/steal your data and also, please don't download anything from there.

This shows that version 3.3.2 and below are all vulnerable to phishing attacks as you can see a warning over Electrum website too. Just so you see that warning, no need to worry. You just click the "X" (close) button on the top right of that dialog box that appears.

After that, just visit https://electrum.org (Electrum's official website) and go to "Download" and download their official latest version 3.3.4
A better suggestion would be to just verify even at their official website before downloading anything, that would help.

Never, ever download from any websites / apps or even Electrum itself except their official website. Be safe.

Credits to all those who helped me and made me realize my mistakes, I've corrected them in this edit. Thanks.
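
An added example, not part of any post in this thread and not Electrum's own code: a small Python check that flags links in a server-supplied message whose host is not the official download site, and tells whether a client version is below 3.3.3. The function names and the single-host allowlist are assumptions made for this illustration; the sample message is constructed from the one quoted above.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only trusted download host is the
# official site named in the thread.
OFFICIAL_HOSTS = {"electrum.org"}
FIXED_VERSION = (3, 3, 3)  # the thread: versions below 3.3.3 are affected

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample, modelled on the server message quoted in the thread.
SAMPLE_MESSAGE = (
    "Your version is old and to broadcast your transaction, you need to "
    "upgrade your Electrum to V4.0 Visit https://electrum.mx* to download"
)


def parse_version(text):
    """Turn '3.3.2' into (3, 3, 2) so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(client_version):
    """True for clients older than 3.3.3."""
    return parse_version(client_version) < FIXED_VERSION


def host_of(url):
    """Hostname only: urlsplit drops userinfo and port and lower-cases it."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")  # a trailing dot names the same host


def untrusted_links(message):
    """Return every URL in the message whose host is not an exact match."""
    flagged = []
    for match in URL_RE.finditer(message):
        url = match.group(0).rstrip(".,;:!?)*")  # trim sentence punctuation
        if host_of(url) not in OFFICIAL_HOSTS:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    print(is_affected_version("3.3.2"), untrusted_links(SAMPLE_MESSAGE))
```

The exact-match comparison on the parsed hostname is what rejects lookalikes such as a trusted name used as a subdomain or placed in the userinfo part of a URL.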