Topic: Electrum Phishing Attack 2018-2019 – A closer look into the stolen funds. - page 2.

member
Activity: 100
Merit: 33
You cannot call it "hack" because it implies Electrum is at fault when it isn't.

While I do agree that showing server messages and rendering URL links was a design mistake in versions earlier than 3.3.

Electrum cannot police and control fake websites 24/7 and/or browser/OS exploits (all it takes is some DNS manipulation to make electrum.org resolve to a fake phishing site)...

While not discussed here, the same attacks have been done to people using Electrum forks such as Litecoin's, and the amount stolen is not negligible.

But for most of them it was simple user mistake/ignorance, or social engineering. Do not be surprised if they escalate and combine with DNS manipulation done via malware (probably done already).

Good habits and secure OS are a must. If you want to make or manipulate a cold wallet, you should boot from a secure live OS (such as Linux Tails OS).


I understand how Tails uses Linux, but do you mean using a portable version of Electrum on a hard drive with Tails installed on it? Would that work?
legendary
Activity: 3472
Merit: 10611
You cannot call it "hack" because it implies Electrum is at fault when it isn't.

Technically, Electrum is never at fault no matter what the incident is, because it is open source and released under the MIT license, which means the program is released as is without any guarantees and they are not liable.
But this case was an exploitable bug that existed in the application, and like any other application out there, that is normal.
legendary
Activity: 2030
Merit: 1573
You cannot call it "hack" because it implies Electrum is at fault when it isn't.

While I do agree that showing server messages and rendering URL links was a design mistake in versions earlier than 3.3.

Electrum cannot police and control fake websites 24/7 and/or browser/OS exploits (all it takes is some DNS manipulation to make electrum.org resolve to a fake phishing site)...

While not discussed here, the same attacks have been done to people using Electrum forks such as Litecoin's, and the amount stolen is not negligible.

But for most of them it was simple user mistake/ignorance, or social engineering. Do not be surprised if they escalate and combine with DNS manipulation done via malware (probably done already).

Good habits and secure OS are a must. If you want to make or manipulate a cold wallet, you should boot from a secure live OS (such as Linux Tails OS).
legendary
Activity: 2730
Merit: 7065
Can you explain or send me a link so I can learn more about this and how to store my coins? Thanks
Cold storage means that your wallet's private details, such as seed/private keys, have never been sent or viewed online and have never left the safety of the device, as in the case of hardware wallets. A paper wallet is another good way of storing your keys.

You can read more about that here:
https://en.bitcoin.it/wiki/Cold_storage

Also have a look at this thread:
https://bitcointalksearch.org/topic/cold-storage-best-practices-2865766
newbie
Activity: 14
Merit: 2
I keep everything in a cold storage wallet device where it is safe!

Can you explain or send me a link so I can learn more about this and how to store my coins? Thanks
HCP
legendary
Activity: 2086
Merit: 4363
It doesn't change the fact that it wasn't a "hack" and was "Social Engineering".

If a user did absolutely nothing at all, their funds would be safe. The thieves could not steal any funds using the richtext vulnerability. All they could do was show messages and clickable links. The attack required that the user download a piece of malware, install it and then run it. That could not be done remotely or automatically.

Granted, it was a very clever use of a non-obvious vulnerability... and, by all accounts, quite an effective one. Sure, you're more likely to trust a message in your "official" app... But one of the golden rules of crypto is "don't trust, verify!". So, if a user stopped to ask "Is that the official download repository?" and/or they followed recommended procedure and checked the digital signature of the downloaded file... the attack would fail.

It is a harsh (and expensive) lesson to learn... but the crypto call to arms of "Be your own bank"... also implies "Be your own bank's security department".

I don't blame the users and I don't blame the devs... I blame the "bad people"™
legendary
Activity: 2450
Merit: 1472
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed on app, it's not the user's fault
So, by that logic... Chrome/Firefox/IE have all been "hacked"... which explains all the popups from "Microsoft Support" telling me that my computer has a virus and I need to call 1-800-123-4567 to get help? Or the browser on my phone telling me that I need to install some "RAM cleaner" to make my phone run faster?

It isn't/wasn't a "hack". It is simply "bad people"™ abusing functionality to trick users into doing something they shouldn't... aka "Social Engineering".

They are totally different applications; you are comparing web browsers to wallets, it's nonsense.
It's allowed in web browsers; you can block it if you want.
But imagine you downloaded a specific app, and a message is displayed in the app; you will think it's official. Come on, it's not hard to know the difference.


HCP
legendary
Activity: 2086
Merit: 4363
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed on app, it's not the user's fault
So, by that logic... Chrome/Firefox/IE have all been "hacked"... which explains all the popups from "Microsoft Support" telling me that my computer has a virus and I need to call 1-800-123-4567 to get help? Or the browser on my phone telling me that I need to install some "RAM cleaner" to make my phone run faster?

It isn't/wasn't a "hack". It is simply "bad people"™ abusing functionality to trick users into doing something they shouldn't... aka "Social Engineering".
legendary
Activity: 2730
Merit: 7065
If the message is displayed on app, it's not the user's fault
I agree with this statement. And that is the reason that so many members trusted the messages displayed by their Electrum wallet. Any other software we use on our computers shows notifications about new updates and features and we install these.
Electrum's fault here was that they were not aware that something like that was possible or that it could be abused.
But, they also suggest that users check what they download and verify the signatures and the users who got phished didn't do that.
legendary
Activity: 1666
Merit: 1196
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed on app, it's not the user's fault

I feel sorry for people who lost coins this way, but it was at least partially their fault for using terrible security practices. Always go to the original source to download updates and verify the release signature -- this is a basic precaution.

If you click on a link simply because a pop-up told you to and then download and run executable applications, you are bound to lose any coins that are stored on your machine.
legendary
Activity: 2450
Merit: 1472
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed on app, it's not the user's fault
legendary
Activity: 3234
Merit: 5637
We can call this problem by any name; some will say it is a hack, others will call it a social engineering attack, but in the end what matters is that a large number of ordinary users were affected by this attack. Although responsibility is largely shifted to users who became victims of their ignorance, part of the responsibility is also on the Electrum developers. They were supposed to detect this vulnerability and fix it before it was used by hackers.

In this example we also see why KYC is important, and why a DEX is in such cases an ideal money laundering machine in combination with Monero. We can call this a perfect crime which still continues; there are too many users with outdated Electrum who are not aware of the dangers.
legendary
Activity: 2730
Merit: 7065
I thought that Electrum was really a safe wallet. I realize now that everything online is hackable.
Electrum itself wasn't hacked. The wallet is not compromised. It is the users who clicked on phishing links and downloaded fake and/or infected wallets.
The biggest problem is that these messages came from the servers within Electrum itself and the users trusted and clicked on the links leading them to the fake wallets. Once that was discovered, Electrum prevented the possibility to send messages in this way.

That is why it is imperative to check the download links for Electrum and verify the signatures of the downloaded apps before using them.
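The post above describes the root cause: messages supplied by Electrum servers were rendered with clickable links, so users treated them as official. As an added example (not Electrum's own code), this shows how a wallet client can treat such server messages as untrusted data and display them as plain text; the sample message and function names are constructed for illustration.

```python
"""Added example: render untrusted server messages as plain, link-free text."""
import html
import re
import unicodedata

# Constructed sample modelled on the kind of message described in the thread.
MALICIOUS_MESSAGE = (
    'Please upgrade: <a href="http://electrum-update.example/">'
    'Download Electrum 4.0</a> or visit https://example.invalid/update'
)

# Anything that looks like a URL; stops at quotes and angle brackets so the
# surrounding markup is left for html.escape() to neutralise.
URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)[^\s"\'<>]+')
MAX_LEN = 200


def sanitize_server_message(raw: str, max_len: int = MAX_LEN) -> str:
    """Return a display-safe version of a message received from a server.

    Steps: normalise Unicode (defeats look-alike characters), drop control
    and format characters except newlines, replace URLs with a placeholder,
    escape markup so nothing renders as a tag or link, and cap the length so
    a server cannot flood the UI with text.
    """
    text = unicodedata.normalize("NFKC", raw)
    text = "".join(
        ch for ch in text
        if ch == "\n" or not unicodedata.category(ch).startswith("C")
    )
    text = URL_RE.sub("[link removed]", text)
    text = html.escape(text, quote=True)
    if len(text) > max_len:
        text = text[:max_len] + "..."
    return text


def contains_clickable_content(rendered: str) -> bool:
    """True if raw markup or a URL survived sanitisation (should never happen)."""
    return "<" in rendered or ">" in rendered or URL_RE.search(rendered) is not None


if __name__ == "__main__":
    safe = sanitize_server_message(MALICIOUS_MESSAGE)
    print(safe)
    print("clickable content present:", contains_clickable_content(safe))
```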
hero member
Activity: 1274
Merit: 519
At least they have sent an alert. However, it's just a sign that no wallet is now 100% secure. There will always be lapses. We have to keep our funds safer in a cold wallet now. I'm using a Ledger Nano or our local wallet to keep everything safe and away from phishing.
sr. member
Activity: 1596
Merit: 335
It's the first time that I have heard about this attack. I was surprised because that's really a huge amount of Bitcoin.
I thought that Electrum was really a safe wallet. I realize now that everything online is hackable. It's a good thing that I have transferred my funds to my hard wallet.
legendary
Activity: 2828
Merit: 1497
^^
Yes. You're correct, when I receive the alert it would be too late in that case. But at least it will allow me to be aware not to send any more coins to it, or they would be in jeopardy too. The bitcoin wallet on my mobile is used for small transactions on the road.
Good advice on having it in cold storage with offline key storage, like a USB stick, for a lot of bitcoins.
legendary
Activity: 1666
Merit: 1196
I have heard of these Electrum hacks being performed but didn't know it had accumulated to this amount in bitcoin.

They weren't really "hacks." They were social engineering attacks. Attackers were setting up malicious Electrum servers and sending out in-app messages that convinced some people to download a malicious "update" that stole their coins.

I haven't touched my Electrum wallet in over two years and have never left funds on it, being scared to leave any amount of such significance on a wallet I don't have installed on my phone, where I can keep an eye on it while not at home and receive a notification in the form of an alert beep when funds are being moved from my bitcoin wallet.

What good is that alert going to do when a hacker empties out your wallet in one move?

You should use cold storage. Offline key storage allows me to sleep at night.
member
Activity: 210
Merit: 13
I keep everything in a cold storage wallet device where it is safe!
legendary
Activity: 2828
Merit: 1497
I have heard of these Electrum hacks being performed but didn't know it had accumulated to this amount in bitcoin.
I haven't touched my Electrum wallet in over two years and have never left funds on it, being scared to leave any amount of such significance on a wallet I don't have installed on my phone, where I can keep an eye on it while not at home and receive a notification in the form of an alert beep when funds are being moved from my bitcoin wallet.
legendary
Activity: 1666
Merit: 1196
Interesting reading, thanks for posting.

I hope these schemes aren't used as fodder to pass more stringent AML/KYC regulations on crypto-to-crypto exchanges, but they probably will be. I'm not sure how governments will address decentralized exchanges like Bisq, but I think there will be more clamping down on centralized services like MorphToken, who are offering high value exchanges with no account registration. Shapeshift obviously couldn't retain that model for long, ostensibly because of pressure from regulators.