Topic: Fake Electrum version 4.0 and hardware wallets - page 2. (Read 750 times)

newbie
Activity: 8
Merit: 2
How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?
Most of them will perform a DoS attack on the connected old, vulnerable client to keep it offline without error messages, hoping for the user to upgrade to the latest version.
Reference: https://github.com/spesmilo/electrum/issues/5195#issuecomment-473157912
But since there's still a good chance that Electrum will connect to a "bad server" if server selection is set to automatic, these phishing incidents will still arise.

On the other hand, any "good servers" or clients can't blacklist "bad servers";
you can manually connect to a good server that gets your client online, though.

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?
That message alone is harmless if you ignore it.
But you must upgrade before trying to send again, since it will be hard to find a good server that lets you connect.
It's not always recommended to use outdated software, whether it's Electrum or not.

Thanks for these answers, and also to HCP. Very helpful! That is interesting about the DOS attack. One further question: how do I find a list of good servers and then manually connect to one (is there a setting for this)?
legendary
Activity: 2268
Merit: 18771
-snip-
That's interesting. Do you have any other hardware wallets on hand you could try it with? Presumably the attacker figured it wasn't worth their time to keep up to date with support for hardware wallets, since the majority of hardware wallet users would reject a transaction they didn't generate trying to sweep all their coins to an unknown address (at least, you would hope so).
legendary
Activity: 3500
Merit: 6320
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave


I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

Guess I'll have to hunt it down another way.
Geez, how tough is it to get robbed around here :-)
Some Google search results for "Electrum download" look suspiciously like the malware version,
especially those from random sources like 'softonic' and 'softpedia'. (If not, they come with a virus.)

So I finally got a copy of one of the bad versions on a machine I was going to DBAN anyway to check, and it would not even recognize my old ColdCard at all.
Plugged it into a legit machine and it was there so I know it was not the hardware wallet. So whoever is writing the malware either broke the HW wallet compatibility or just did not bother putting it in.

-Dave
legendary
Activity: 3472
Merit: 10611
On the other hand, any "good servers" or clients can't blacklist "bad servers";
you can manually connect to a good server that gets your client online, though.

It may not be such a bad idea to add a new option on the client side to exclude (or blacklist) certain servers from the list, or alternatively the current server selection list could add a multi-select option where the user could choose multiple servers to connect to automatically and randomly instead of using the entire list.
This could be beneficial for both privacy and security.
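The client-side option proposed above, sketched as an added example (my own code, not Electrum's). It assumes Electrum's "host:port:protocol" server-string format, where `s` means SSL and `t` plain TCP; the hostnames in the list are constructed placeholders, and the allow/exclude semantics are my assumption of how such a feature would behave.

```python
import random

# Constructed server list in Electrum's "host:port:protocol" string format.
# These hostnames are placeholders; 203.0.113.7 is a documentation-reserved address.
SERVER_LIST = [
    "electrum-a.example:50002:s",
    "electrum-b.example:50002:s",
    "electrum-c.example:50001:t",
    "bad-server.example:50002:s",
    "203.0.113.7:50002:s",
]


def parse_server(entry):
    """Split 'host:port:proto' into its parts (IPv4 and hostnames only in this sketch)."""
    host, port, proto = entry.rsplit(":", 2)
    return host, int(port), proto


def eligible_servers(servers, exclude=(), allow=None, ssl_only=True):
    """Filter the full list down to what the user is willing to connect to.

    exclude: hosts the user has blacklisted (the proposed exclusion option).
    allow:   if given, the user-chosen subset to rotate through (the proposed multi-select);
             None means every non-excluded server is a candidate.
    ssl_only: drop plain-TCP entries so an on-path attacker cannot read or alter traffic.
    """
    excluded = {h.lower() for h in exclude}
    allowed = None if allow is None else {h.lower() for h in allow}
    candidates = []
    for entry in servers:
        host, port, proto = parse_server(entry)
        key = host.lower()
        if key in excluded:
            continue
        if allowed is not None and key not in allowed:
            continue
        if ssl_only and proto != "s":
            continue
        candidates.append((host, port, proto))
    return candidates


def select_server(servers, exclude=(), allow=None, ssl_only=True, rng=None):
    """Pick one eligible server at random; random rotation within the chosen subset
    avoids pinning every session to the same operator."""
    candidates = eligible_servers(servers, exclude, allow, ssl_only)
    if not candidates:
        raise RuntimeError("no eligible server; relax the allow/exclude lists")
    return (rng or random).choice(candidates)


if __name__ == "__main__":
    chosen = select_server(SERVER_LIST, exclude=["bad-server.example"])
    print("excluded bad-server.example, connecting to:", chosen)
    chosen = select_server(SERVER_LIST, allow=["electrum-a.example", "electrum-b.example"])
    print("rotating inside the user's allow-list, connecting to:", chosen)
```

The exclusion list is applied before the allow-list, so a host the user has blacklisted never wins even if it also appears in the chosen subset.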
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?
Most of them will perform a DoS attack on the connected old, vulnerable client to keep it offline without error messages, hoping for the user to upgrade to the latest version.
Reference: https://github.com/spesmilo/electrum/issues/5195#issuecomment-473157912
But since there's still a good chance that Electrum will connect to a "bad server" if server selection is set to automatic, these phishing incidents will still arise.

On the other hand, any "good servers" or clients can't blacklist "bad servers";
you can manually connect to a good server that gets your client online, though.

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?
That message alone is harmless if you ignore it.
But you must upgrade before trying to send again, since it will be hard to find a good server that lets you connect.
It's not always recommended to use outdated software, whether it's Electrum or not.
HCP
legendary
Activity: 2086
Merit: 4363
How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?
It doesn't... and it can't...

The "bad" servers are running a custom version of the Electrum Server software designed to send the "update required" message and link to malware when they receive a "send transaction" request from a client.


Quote
Does the upgraded Electrum client simply block all messages from blacklisted servers? or what is the mechanism for preventing connections to fraudulent servers?
There is no "blacklist"... the mechanism is that the Electrum client no longer just displays the verbatim text that is received back from a server... instead, there is a set list of predefined error messages that it will accept and display... if something "unexpected" is received, the client will display "Unknown Error" and advise you to try again or use a different server etc.


Quote
Once I get a message from a fraudulent server, will it get stored in local storage and be likely to be connected to again?
No, the message is received, processed and discarded... There is no action taken to blacklist the server and ignore it.


Quote
If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?
Yes.

You could potentially implement your own blacklist and prevent outgoing connections to the IP in your own firewall.
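The mechanism HCP describes above, the client no longer echoing attacker-controlled server text and instead showing only predefined messages or "Unknown Error", as an added example in Python (my own simplified model, not Electrum's code). The JSON-RPC replies are constructed to imitate a `blockchain.transaction.broadcast` response, the allowlist of recognised bitcoind rejection strings is an assumed subset, and `https://example.invalid` is a reserved placeholder domain.

```python
import json
import re

# Constructed sample replies in the JSON-RPC shape an Electrum server returns for
# blockchain.transaction.broadcast. None of these came from a real server.
SUCCESS_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": "ab" * 32,  # constructed placeholder txid
})
LEGIT_ERROR_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "error": {"code": 1, "message": "the transaction was rejected by network rules.\n\nmin relay fee not met"},
})
# The phishing payload described in the thread: free-form text in the "message" field.
PHISHING_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "error": {"code": 1, "message": "Your Electrum version is outdated. Download the new version at https://example.invalid/electrum-4.0"},
})

# Assumed allowlist: a substring a genuine bitcoind rejection contains, mapped to the
# fixed text the client is allowed to display. Not Electrum's actual table.
KNOWN_ERRORS = [
    ("min relay fee not met", "Transaction fee is below the server's minimum relay fee."),
    ("txn-mempool-conflict", "Transaction conflicts with another transaction in the mempool."),
    ("bad-txns-inputs-missingorspent", "Transaction inputs are missing or already spent."),
    ("non-mandatory-script-verify-flag", "Transaction failed script verification."),
]
UNKNOWN_ERROR = "Unknown error. Try again or connect to a different server."

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def parse_broadcast_response(raw):
    """Return (txid, error_message) from a raw reply; exactly one of them is None."""
    resp = json.loads(raw)
    if "error" in resp:
        # This field is fully under the server operator's control: never trust it.
        return None, str(resp["error"].get("message", ""))
    return resp["result"], None


def display_verbatim(raw):
    """Old behaviour (what the 3.3.2 user in this thread hit): show whatever the server sent."""
    txid, err = parse_broadcast_response(raw)
    return err if err is not None else f"Transaction broadcast: {txid}"


def display_sanitized(raw):
    """Hardened behaviour: only a predefined message, or a generic fallback."""
    txid, err = parse_broadcast_response(raw)
    if err is None:
        return f"Transaction broadcast: {txid}"
    lowered = err.lower()
    for needle, safe_text in KNOWN_ERRORS:
        if needle in lowered:
            return safe_text
    return UNKNOWN_ERROR


def looks_like_phishing(err):
    """Detection heuristic: bitcoind rejection reasons never carry a URL, so a
    broadcast error that does is worth logging and treating as a bad server."""
    return bool(URL_RE.search(err))


if __name__ == "__main__":
    for name, raw in [("success", SUCCESS_RESPONSE), ("legit", LEGIT_ERROR_RESPONSE), ("phishing", PHISHING_RESPONSE)]:
        _, err = parse_broadcast_response(raw)
        print(f"{name:9} verbatim : {display_verbatim(raw)!r}")
        print(f"{name:9} sanitized: {display_sanitized(raw)!r}")
        if err is not None and looks_like_phishing(err):
            print(f"{name:9} flagged  : server error contains a URL")
```

Run as-is, the phishing reply is shown word for word by `display_verbatim` but collapses to the generic message in `display_sanitized`; the URL check is the kind of signal a client could use to drop the server for the rest of the session, which is the closest a client can get to the blacklist the questions above ask about.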
newbie
Activity: 8
Merit: 2
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave


I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

Already in the blacklist. Check this

Category: Phishing
Counterfeit web pages that duplicate legitimate business web pages for the purpose of eliciting financial, personal or other private information from the users.


You have the old client, which seems to be vulnerable to this old phishing trick. Upgrade ASAP to the newest Electrum version, which is 4.0.2 at the moment. Be wise and verify the PGP signature of the downloaded distribution.

Thanks. I have several questions:

How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?

Does the upgraded Electrum client simply block all messages from blacklisted servers? Or what is the mechanism for preventing connections to fraudulent servers?

Once I get a message from a fraudulent server, will it get stored in local storage and be likely to be connected to again?

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?

Sorry for the multiple questions!

newbie
Activity: 8
Merit: 2
I just received the fake error message in Electrum 3.3.4. Here is the malicious website:

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

You should update to 4.0.2 via electrum.org.

However, 3.3.4 should not be vulnerable to these phishing messages according to the release notes:

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES#L184

Maybe you are using an even older version?

Sorry, it was 3.3.2.
HCP
legendary
Activity: 2086
Merit: 4363
Looks like someone reported the site to the domain registrar... and they promptly removed the DNS entries, as the URL doesn't return an IP address anymore:


legendary
Activity: 3710
Merit: 1586
I just received the fake error message in Electrum 3.3.4. Here is the malicious website:

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

You should update to 4.0.2 via electrum.org.

However, 3.3.4 should not be vulnerable to these phishing messages according to the release notes:

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES#L184

Maybe you are using an even older version?

legendary
Activity: 2268
Merit: 18771
Does it make sense to give this to the ElectrumX team, so they can blacklist this address?
The best you can do is report the address to the domain name provider. Whois data says that that address is registered by namesilo. You can fill in an abuse report here: https://www.namesilo.com/report_abuse.php

You can also report it as a phishing link at the following places, which may aid in getting it taken down:
https://safebrowsing.google.com/safebrowsing/report_general/
https://us-cert.cisa.gov/report-phishing

Having said that, it's unlikely to make much difference. These scammers are used to their sites getting frequently taken down and are registering a new domain to continue their scam from on a weekly basis. Every report of someone falling for this scam is using a different URL.
legendary
Activity: 3038
Merit: 4418
I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?
No. Electrum doesn't control your web browser so they can't restrict you from viewing the website. There is also no filtering on the things that you can display in that dialog box.
newbie
Activity: 8
Merit: 2
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave


I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?
HCP
legendary
Activity: 2086
Merit: 4363
Guess I'll have to hunt it down another way.
There was another unfortunate user who recently posted in another thread who handily noted down the malware URL in a screenshot: https://imgur.com/a/mvSIn9T

You could see if it is still live...
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Guess I'll have to hunt it down another way.
Geez, how tough is it to get robbed around here :-)
Some Google search results for "Electrum download" look suspiciously like the malware version,
especially those from random sources like 'softonic' and 'softpedia'. (If not, they come with a virus.)
legendary
Activity: 3500
Merit: 6320
Why not install an old version of Electrum below Electrum 3.3 and connect it to any infected server? It will ask you to update Electrum to Electrum 4.0.
You only receive the "update" message when you attempt to send a transaction... So, it could get quite expensive and you could end up wasting a bit of BTC in transaction fees trying to find an infected "bad" server (they're not "infected", they're just "bad") Tongue


And that explains why I have opened and closed Electrum about 20 times, rebooted, and still never got the update message.
Guess I'll have to hunt it down another way.
Geez, how tough is it to get robbed around here :-)

-Dave
HCP
legendary
Activity: 2086
Merit: 4363
Why not install an old version of Electrum below Electrum 3.3 and connect it to any infected server? It will ask you to update Electrum to Electrum 4.0.
You only receive the "update" message when you attempt to send a transaction... So, it could get quite expensive and you could end up wasting a bit of BTC in transaction fees trying to find an infected "bad" server (they're not "infected", they're just "bad") Tongue

legendary
Activity: 3472
Merit: 3217
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave


Why not install an old version of Electrum below Electrum 3.3 and connect it to any infected server? It will ask you to update Electrum to Electrum 4.0.

Click the link and it will lead you to the fake Electrum 4.0, but I think most of the links right now are all dead. So I don't think you can find the Electrum 4.0 right away; just keep changing the server until you find a live one.
legendary
Activity: 2520
Merit: 1233
But usually, as I have heard, a clone wallet or phishing wallet, like installing a fake version of Electrum, doesn't have any malware infection on your device, but the problem is the revised code.
The hackers are probably not interested in attaching easy-to-detect malware to their fake Electrum wallets. The majority of users have some sort of anti-virus software installed. As time passes, the fake wallets would be recognized as malware, and that is not something they want. They want code similar to the original Electrum, with one difference: your coins get sent to an address controlled by them.
I just wonder how the attacker connects to Electrum's servers and increases the chances that a possible victim will connect to the attacker, so that the attacker is able to manipulate the wallet and send the coins to their own wallet. And they call it a Sybil attack; how ingenious the attackers are these days, because they have the ability to hack like this no matter how many times there is an update.

Just like what happened to this recent victim: the attacker stole 1400 Bitcoin from an Electrum user who had installed an old version of the wallet.
legendary
Activity: 3500
Merit: 6320
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave