Topic: Electrum Phishing (Read 454 times)

full member
Activity: 168
Merit: 214
March 10, 2019, 12:03:49 AM
#27
Hi All,

So I fell foul of the Electrum phishing scam (it had been a while since I used it and I'm not on form atm, don't say it) and downloaded and installed "version 4.0.0", and to no surprise within a jiffy lost about £100 in BTC (all that was in the wallet) when trying to send it.
I've come to terms with my stupidity now and have consigned that wallet to the grave. I have removed Electrum from my laptop (Add/Remove Programs) and deleted all files with Electrum in the name I can find, to try and be sure. I've run a Bitdefender scan of the whole computer, which has turned up nothing, but I still feel a little worried I might have left something nasty on my machine.
I'm also a bit nervous about installing and setting up a new Electrum wallet (from the correct .org site!), just because, like anyone, I don't want to chuck my money away.

Any advice would be welcome.

Thanks

Hey BugBasher82, we wrote about a method that could help you avoid such scams in the future.

https://bitcointalksearch.org/topic/guide-using-google-alerts-to-avoid-getting-scammed-5118417

Sorry for your loss and hope this helps you.
HCP
legendary
Activity: 2086
Merit: 4361
March 09, 2019, 05:25:25 AM
#26
why does "malware" keep coming up here? there is NO malware to be detected at least not in the alternate (fake) Electrums that i have seen so far.

Most likely because it is technically malware aka "malicious software"... as it does "Bad Things"™ that are not authorised/wanted by the user. It is software disguised to look like an Electrum wallet that sends out all your coins and/or your wallet seed/private keys/wallet file.


you can't detect this with an antivirus! if your AV detected this then it should have also warned you every time you opened your real electrum!
You'll note that is pretty much what I said...
It has been stated multiple times that antivirus/malware software are generally only good at detecting known threats that have identified signatures. There are certain things they cannot really protect you from... like a piece of software that contains "normal" functionality (i.e. software sends/receives "data" over the internet) but abuses/uses this functionality in a malicious manner (i.e. software sends "wallet seed/private key" information over the internet).
legendary
Activity: 3472
Merit: 10611
March 08, 2019, 10:39:18 PM
#25
Given that your antivirus failed to actually inform you about the malware wallet in the first place,

why does "malware" keep coming up here? there is NO malware to be detected at least not in the alternate (fake) Electrums that i have seen so far. it is simply an addition of a couple of lines of code that spends your coins to a specific hardcoded address. that is not malware, that is simple wallet functionality like the functionality of the real wallet!
as soon as you enter your password, so that the fake wallet has access to the decrypted keys, it runs simple code which looks like this:
Code:
TakeAllSpendableCoins();                   // gather every UTXO the now-unlocked wallet can spend
CreateNewTransactionInBackground(SendTo(Hardcoded_Address_Of_Attacker)); // single output to the attacker
Sign();                                    // signed with the user's own decrypted keys
Broadcast();                               // sent through the wallet's normal network code
you can't detect this with an antivirus! if your AV detected this then it should have also warned you every time you opened your real electrum!
legendary
Activity: 2002
Merit: 1051
March 08, 2019, 04:55:01 PM
#24
Let me be honest here, I was (gullible enough to get) hacked a couple of times over the years since crypto became my hobby. I've dealt with well over 200 different wallets over the years and probably about two dozen different pieces of mining software (still have most of them) and it took a while before I got slapped with a dose of reality and lost many coins. Then I started using Sandboxie and quickly learned that it has to be used with custom settings (default settings are no good at all; they still have read rights to everything important, like wallet.dat or browser user data) and then moved over to using multiple separate PCs.

You always think it won't be you and when you do lose some coins you tighten up your security and given time you start to feel safer than you actually are as you drop your previous security routines. At least most people do.

As I, and many others have said before, antivirus software doesn't help at all. Malware can be sophisticated enough to fly under it (encryption) or disable it or have its payload trigger without it detecting it. Just don't ever fully trust them on an important machine. Just think about how many times you trusted something with "false positives". Great malware mostly doesn't even give false positives.


Anyway, I'm 90% sure the phishing wallet had no persistent parts and that my PC was fine, but after I safely moved my coins to an offline machine I reinstalled it completely. Why risk that 10%? It's not a 10% tax, it's 0 or 100%.
It's a hassle, it takes days to get everything back to the way it was, and it is a pain in the ass to deal with many transactions through a separate machine, but it sure beats even just having to worry about one day waking up to find yourself emptied.

And you can always store some coins in a hot wallet. Risk and reward, or in this case risk versus lack of annoyance. Don't be lazy people.
HCP
legendary
Activity: 2086
Merit: 4361
March 08, 2019, 04:16:39 PM
#23
I don't need to reinstall my OS as I believe my antivirus would detect if there were some traces left,
Given that your antivirus failed to actually inform you about the malware wallet in the first place, resulting in monetary loss, are you sure that your faith in your antivirus is warranted?

It has been stated multiple times that antivirus/malware software are generally only good at detecting known threats that have identified signatures. There are certain things they cannot really protect you from... like a piece of software that contains "normal" functionality (i.e. software sends/receives "data" over the internet) but abuses/uses this functionality in a malicious manner (i.e. software sends "wallet seed/private key" information over the internet).

Chances are simply deleting the wallet will be "OK", as it seems like the malware wallet, in this instance, was only used to immediately send out a transaction emptying the wallet and/or sending the user's seed to the attackers... it doesn't look like it installed any additional malware... BUT if you want to be completely certain the threat is gone... reformat your PC and reinstall the OS.
hero member
Activity: 3010
Merit: 794
March 08, 2019, 11:09:06 AM
#22
Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes, and I didn't find any new or suspicious files, any extra running processes or any msconfig service/startup entries, so now I'm wondering if it had any persistent elements to it. I don't think so, but I'm curious about others. Did it also target other wallets?

Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes; a deep scan with Kaspersky might also find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller to fully remove all traces from your PC, including Regedit entries, before you install the legit Electrum wallet.
So far my other wallets are safe; I was able to do a successful transaction after I got phished with a small amount.
I don't need to reinstall my OS as I believe my antivirus would detect if there were some traces left. Hopefully I'll be safe, and I would regret it if my funds were stolen again since I didn't follow others' suggestion to have my PC fresh.
Just take an observation, but if things go well then there's no need to reinstall a fresh OS, which is really a hassle when it wipes out the third-party programs that are commonly used.
There are some files that can't really be removed or detected by some AVs; that's why I'm a little bit paranoid when I experience malware attacks, about which I always have doubts.
newbie
Activity: 28
Merit: 2
March 08, 2019, 09:21:54 AM
#21
I would recommend formatting your HD and installing a new Linux.
legendary
Activity: 2730
Merit: 7065
March 08, 2019, 04:17:55 AM
#20
I don't need to reinstall my OS as I believe my antivirus would detect if there were some traces left. Hopefully I'll be safe, and I would regret it if my funds were stolen again since I didn't follow others' suggestion to have my PC fresh.
I wouldn't risk it if I were you. If you have a lot of assets worth protecting on that PC, just reinstall it to be perfectly safe. If you had fake software installed, who knows what else it could have done to your system that your AV hasn't yet picked up!
hero member
Activity: 2856
Merit: 667
March 07, 2019, 09:26:10 PM
#19
Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes, and I didn't find any new or suspicious files, any extra running processes or any msconfig service/startup entries, so now I'm wondering if it had any persistent elements to it. I don't think so, but I'm curious about others. Did it also target other wallets?

Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes; a deep scan with Kaspersky might also find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller to fully remove all traces from your PC, including Regedit entries, before you install the legit Electrum wallet.
So far my other wallets are safe; I was able to do a successful transaction after I got phished with a small amount.
I don't need to reinstall my OS as I believe my antivirus would detect if there were some traces left. Hopefully I'll be safe, and I would regret it if my funds were stolen again since I didn't follow others' suggestion to have my PC fresh.
legendary
Activity: 2002
Merit: 1051
March 07, 2019, 05:04:58 PM
#18
@DireWolfM14 Yep, the payload could be encrypted or otherwise hidden, so scanners are never 100% reliable; we know that. I got used to verifying my download sources, but I've never seen an Electrum broadcast message, so it took my guard down. And after seeing how many people got fooled by it, in many waves and for how long since the first one, I'm feeling pretty annoyed with how the Electrum dev team is handling it.

I moved my funds to an offline computer and will be formatting this PC.

It's just that people tend to become lazy with security until they get caught. Didn't lose anything, but easily could have. Anyway, thank you for your help.
copper member
Activity: 2338
Merit: 4543
March 07, 2019, 04:49:27 PM
#17
I have a hard time trusting third party virus and malware removers when it comes to crypto wallets.  A scammer can take measures to mitigate the chances of their malware being found, or you could get false positives.

To be on the safe side, I would reinstall the OS.  That's likely overkill, but my financial security deserves overkill.

@OP and bathrobehero, learn to use PGP and verify the signature when you download Electrum.  It's a great desktop wallet, and is worth the extra security steps to make sure you're using it safely.  Otherwise, hardware wallets are a great alternative.
legendary
Activity: 3374
Merit: 3095
March 07, 2019, 04:42:08 PM
#16
Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes, and I didn't find any new or suspicious files, any extra running processes or any msconfig service/startup entries, so now I'm wondering if it had any persistent elements to it. I don't think so, but I'm curious about others. Did it also target other wallets?

Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes; a deep scan with Kaspersky might also find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller to fully remove all traces from your PC, including Regedit entries, before you install the legit Electrum wallet.
legendary
Activity: 2002
Merit: 1051
March 07, 2019, 04:14:51 PM
#15
I'm late, but I just got tricked into the fake 4.0.0 version in a hurry, and I knew it was fake the moment it asked for my 2FA when I launched it. So I didn't give it to them.

Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes, and I didn't find any new or suspicious files, any extra running processes or any msconfig service/startup entries, so now I'm wondering if it had any persistent elements to it. I don't think so, but I'm curious about others. Did it also target other wallets?
full member
Activity: 168
Merit: 214
March 07, 2019, 07:31:07 AM
#14
familiarize yourself with digital signatures (PGP) and Web of trust concepts and learn how to use them to verify the authenticity of everything you download to install.

Hey OP, pooya87 made a very good point about verifying your downloads. It could have helped prevent what happened to you. This is a good site that covers it. Link. Sorry for what happened to you.
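Posts #17 and #14 above both recommend verifying the PGP signature on the Electrum download. The part that trips people up is that `gpg --verify` exits 0 and prints "Good signature" for any valid signature, including one the attacker made with a key of their own and published next to the fake binary. The check that matters is whether the signing key's fingerprint is one you pinned in advance from an independent source. The Python below is an added example, not code from the thread or from the Electrum project: it parses gpg's machine-readable `--status-fd` output and accepts a file only when the signature verifies and the fingerprint is pinned. The fingerprint constant and the three sets of status lines are constructed placeholders; the real fingerprint has to come from electrum.org or a previously verified release, never from the download page being checked.

```python
import subprocess
from typing import Iterable, Set

# Hypothetical placeholder fingerprint. Obtain the real one out of band (official
# site, an earlier verified release, a key server), never from the page whose
# download you are about to verify.
TRUSTED_SIGNER_FINGERPRINTS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Constructed sample gpg --status-fd output. Scenario 1: signed by the pinned key.
STATUS_TRUSTED_SIGNER = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-03-07 1551960000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Scenario 2: a perfectly valid signature made with the attacker's own key.
# gpg exits 0 and says "Good signature"; only the fingerprint check catches it.
STATUS_ATTACKER_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Electrum Releases <fake@example.invalid>",
    "[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210 2019-03-07 1551960000 0 4 0 1 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Scenario 3: the file was modified after signing (or the .asc belongs to another file).
STATUS_TAMPERED_FILE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>",
]


def parse_gpg_status(status_lines: Iterable[str]) -> dict:
    """Reduce gpg --status-fd output to a verdict: did the signature verify, and with
    which key. BADSIG/ERRSIG are terminal failures. VALIDSIG carries the signing key
    fingerprint (field 2) and, when present, the primary key fingerprint (field 11)."""
    verdict = {"good": False, "fingerprints": set(), "reason": "no signature found"}
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "BADSIG":
            return {"good": False, "fingerprints": set(), "reason": "signature does not match file"}
        if keyword == "ERRSIG":
            return {"good": False, "fingerprints": set(), "reason": "signature could not be checked (key not imported?)"}
        if keyword == "VALIDSIG" and len(fields) >= 3:
            verdict["good"] = True
            verdict["fingerprints"].add(fields[2].upper())
            if len(fields) >= 12:
                verdict["fingerprints"].add(fields[11].upper())
            verdict["reason"] = "valid signature"
    return verdict


def signature_is_trusted(status_lines: Iterable[str], trusted: Set[str] = TRUSTED_SIGNER_FINGERPRINTS) -> bool:
    """True only if the signature verifies AND the key is one pinned in advance.
    A 'good' signature from an unknown key is treated as a failure."""
    verdict = parse_gpg_status(status_lines)
    return bool(verdict["good"]) and not verdict["fingerprints"].isdisjoint(trusted)


def verify_download(file_path: str, sig_path: str, trusted: Set[str] = TRUSTED_SIGNER_FINGERPRINTS) -> bool:
    """Run gpg on a downloaded file and its detached .asc signature, then apply the
    fingerprint check. Requires gpg on PATH and the signer's public key imported."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return signature_is_trusted(proc.stdout.splitlines(), trusted)
```

After importing the developer's key, `verify_download("electrum-setup.exe", "electrum-setup.exe.asc")` returns True only for the pinned signer; `STATUS_ATTACKER_KEY` is the case a bare `gpg --verify` waves through and this check rejects, which is exactly the situation a phishing site with its own "signature" creates.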
newbie
Activity: 2
Merit: 0
February 27, 2019, 07:00:33 AM
#13
Thank you for all the info good people.

I think I am going to go with a format C: and reinstall just to be on the safe side.

Goodness knows what could have been done by me running a malicious .exe on my machine.

Serious stupidity on my part, but very cleverly implemented by the hackers; they really tricked me good, but I have to say I'm astounded Electrum left themselves open to this type of vulnerability. I mean, the hackers actually managed to block initial outgoing transactions in order to fool you into thinking you need an update.

Bastards.
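The post above names the hook: outgoing transactions were blocked and the user was told to update. Electrum talks to third-party servers, so whatever a server returns in an error reply is attacker-controlled input, and a client that renders that text as rich markup hands the attacker a clickable "download the update here" link inside a trusted-looking dialog. The Python below is an added example, not Electrum's code or its actual fix: it assumes the message arrives as a JSON-RPC error from the server (constructed JSON with a hypothetical `.example` URL) and shows the vulnerable rendering beside a hardened one that escapes markup, truncates, and labels the text as the server's.

```python
import html
import json
import re

# Constructed sample: a malicious server refusing to broadcast a transaction and
# using the error text to push a fake "update". The URL is a hypothetical .example host.
MALICIOUS_BROADCAST_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {
        "code": -32600,
        "message": (
            "Your Electrum version is out of date. Please update to 4.0.0 at "
            "<a href=\"https://electrum-update.example/download\">electrum.org</a>"
        ),
    },
})

# Constructed sample: what an honest node's rejection looks like.
HONEST_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {"code": -26, "message": "min relay fee not met"},
})

MAX_ERROR_LEN = 120  # enough for any real node error; too short for an "advisory"


def show_error_naive(raw_response: str) -> str:
    """Vulnerable pattern: hand the server's message straight to a widget that
    interprets markup. The anchor tag survives and becomes a clickable link."""
    err = json.loads(raw_response)["error"]
    return err["message"]


def show_error_hardened(raw_response: str) -> str:
    """Hardened pattern: treat the error text as untrusted data.
    1. Collapse whitespace and truncate so the text cannot fill the dialog.
    2. Escape HTML so any markup renders as literal characters.
    3. Prefix the numeric code so the user sees it is a server reply, not the app."""
    err = json.loads(raw_response)["error"]
    msg = re.sub(r"\s+", " ", str(err.get("message", ""))).strip()
    if len(msg) > MAX_ERROR_LEN:
        msg = msg[:MAX_ERROR_LEN] + "..."
    return f"Server error {err.get('code')}: {html.escape(msg, quote=True)}"


def contains_live_link(rendered: str) -> bool:
    """True if the rendered string still carries an anchor tag a rich-text widget
    would turn into a clickable link."""
    return re.search(r"<a\s+href=", rendered, re.IGNORECASE) is not None
```

The same rule covers any other untrusted channel the wallet displays (server banners, transaction labels fetched from a remote source): render as plain text, bound the length, and make clear in the UI who said it. Whether a newer version exists is something the client should decide from a signed release channel, not from a string a server sent back.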
legendary
Activity: 3234
Merit: 5637
February 27, 2019, 06:24:35 AM
#12
Any advice would be welcome.
Thanks

Some say that it's enough just to remove the fake version and then install the original from the official site, but I would not feel safe doing only that. A safer option would be to format the disk and install a fresh OS, and if you do not want to do that, be sure to delete all traces of the fake Electrum; to do that, just paste %appdata%\Electrum in your C:/ and delete the Electrum folder.

A good AV would probably stop you from even downloading such a fake file, so consider a better option than you have now, or even better, invest in a hardware wallet.
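Post #15 searched for files created in the last 20 minutes and for msconfig startup entries; the post above points at %appdata%\Electrum. The Python below is an added example, not code from the thread, that automates that sweep: files modified under a root within the last N minutes, the Electrum data directories on Windows and Linux/macOS, and the per-user and machine Run keys (Windows only). `build_sample_tree` is a constructed fixture for trying it offline. One caveat belongs with it: an installer can rewrite timestamps and persist somewhere other than the Run keys (scheduled tasks, services, WMI subscriptions), so a clean sweep lowers the odds but is not the certainty a reinstall gives.

```python
import os
import sys
import tempfile
import time
from pathlib import Path
from typing import Iterable, List, Optional, Tuple


def recently_modified(roots: Iterable[str], minutes: int, now: Optional[float] = None) -> List[str]:
    """Return files under `roots` whose modification time falls within the last `minutes`.
    Symlinks are not followed and unreadable entries are skipped so one permission
    error does not abort the sweep. Timestamps are attacker-writable, so an empty
    result is evidence, not proof."""
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    hits: List[str] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None, followlinks=False):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if st.st_mtime >= cutoff:
                    hits.append(path)
    return sorted(hits)


def electrum_data_dirs(home: Optional[str] = None, appdata: Optional[str] = None) -> List[str]:
    """Directories where Electrum keeps wallets and config, which a fake build reuses:
    ~/.electrum on Linux/macOS and %APPDATA%\\Electrum on Windows (the thread's path)."""
    home = home or str(Path.home())
    dirs = [os.path.join(home, ".electrum")]
    appdata = appdata or os.environ.get("APPDATA")
    if appdata:
        dirs.append(os.path.join(appdata, "Electrum"))
    return dirs


def windows_run_keys() -> List[str]:
    """'name=command' entries from the per-user and machine Run keys, i.e. the
    msconfig startup entries the posters checked. Returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    entries: List[str] = []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, sub) as key:
                index = 0
                while True:
                    try:
                        name, value, _kind = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    entries.append(f"{name}={value}")
                    index += 1
        except OSError:
            continue
    return entries


def build_sample_tree() -> Tuple[str, str, str]:
    """Constructed fixture: a scratch directory with one file written just now and
    one back-dated by three hours. Returns (dir, fresh_path, stale_path)."""
    base = tempfile.mkdtemp(prefix="triage-demo-")
    fresh = os.path.join(base, "fresh-installer.exe")
    stale = os.path.join(base, "old-notes.txt")
    for p in (fresh, stale):
        with open(p, "w", encoding="utf-8") as fh:
            fh.write("constructed sample\n")
    three_hours_ago = time.time() - 3 * 3600
    os.utime(stale, (three_hours_ago, three_hours_ago))
    return base, fresh, stale


if __name__ == "__main__":
    for d in electrum_data_dirs():
        print(("present " if os.path.isdir(d) else "absent  ") + d)
    for p in recently_modified([str(Path.home())], minutes=20):
        print("recent  " + p)
    for e in windows_run_keys():
        print("runkey  " + e)
```

Run it as `python triage.py` right after removing the fake build; anything under "recent" that you did not create yourself, and any Run entry pointing at a path you do not recognise, is what you hand to a reinstall decision.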
legendary
Activity: 3668
Merit: 6382
February 27, 2019, 05:03:35 AM
#11
Any advice would be welcome.

The idea to put a few bucks onto the wallet and wait for a couple of days is not bad at all.

The only thing I'd do would be a thorough scan. I don't know if you ran the AV scan from an installed Bitdefender or from a bootable DVD/USB. I would download 1-2 reputable "recovery" antivirus images (at least one different from Bitdefender), burn them, boot and scan from them. May be a bit of overkill, but if you want to be 100% sure, this is a possible direction.
hero member
Activity: 2856
Merit: 667
February 27, 2019, 12:19:34 AM
#10
~snip~
I feel you, man; I was a victim of this today and I lost my money as well. Luckily it was only 0.0075 BTC.

This is what happened to me, which I posted in this thread https://bitcointalksearch.org/topic/m.49936408


though not really necessary as most antivirus software will see if something's wrong with your machine
hero member
Activity: 2884
Merit: 579
February 27, 2019, 12:12:59 AM
#9
This is an Electrum-related topic, so it must be in Development & Technical Discussion > Wallet software > Electrum.

As they suggested, just download from the main site and don't go with any other websites which aren't owned by Electrum, and you're going to be fine with what you are downloading, especially with desktop wallets like Electrum.
legendary
Activity: 1414
Merit: 1001
February 27, 2019, 12:05:45 AM
#8
I would buy a hardware wallet. They're not that expensive.
Always a good choice to store our coins. But I think you have nothing to worry about if you downloaded it from the legit site, so you must double-check the link before you click the download sign. It's always better to be safe, so do your best on this one; don't trust any link aside from the real one.
Downloading from the official website is a must, because then security will be guaranteed; there are currently many services that provide this.
So please note that there are a lot of phishing sites and that our assets are not guaranteed.