
Topic: Fake MultiBit sites and scams appearing. Download only from https://multibit.org (Read 4329 times)

full member
Activity: 134
Merit: 100
windows.. i'll try directly from your secure link later and let ya know
legendary
Activity: 1708
Merit: 1066
If you go to the https://multibit.org site (by typing the site name explicitly) and download the installer, do you have the same problem?

Also, is that for Windows, Mac or Linux?
full member
Activity: 134
Merit: 100
just downloaded 5.12 and my scanning software immediately detected trojan:js/seedabutor.b... can't remember if it was on the secure channel or not... Kaspersky has a different naming convention, listed as a redirector.. acted as if trying to redirect multiple browser windows and opening multiple inbound connections but i'm no wiz on this stuff
legendary
Activity: 1708
Merit: 1066
Yes I think having both is the best idea.

Looking at the downloads of the asc files it is less than 1% of downloads of the corresponding binary.
Including SHA256 hashes somewhere separate to the site gives people another opportunity to crosscheck.

I'll start posting the SHA256 hashes in the bitcointalk release post. The sigs can stay on the website - no point making work for myself.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
legendary
Activity: 1708
Merit: 1066
SHA256 hashes are easier to check but don't give identity information.
To check the PGP is straightforward, it is just:

> gpg --verify .asc

I don't really trust bitcointalk for anything sensitive and a SHA256 on the website is a false friend because an attacker can create them easily.

I'd rather people got into the habit of checking the PGP. SHA256 is a good check for file integrity but no good to check where it has come from.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
If you post the SHA256 hash of your new releases on the forum, that is far more trivial to check than PGP. (Of course your forum account could be attacked, however at least it is one more step for an attacker to take.)
legendary
Activity: 1526
Merit: 1129
Wallet encryption is very new. It may be that this code was written before it became available.

Still, there's not much you can do against trojaned wallets - it's like any other kind of malware. Moving the core to Trezor is the only way, long term.
legendary
Activity: 1708
Merit: 1066
The fake MultiBit site gives links to an exe and jar that are repackaged MultiBit installers.

When you run the fake MultiBit that is installed it runs wallet stealing code. It attempts to spend your balance to an address it gets from a command-and-control server. This would definitely succeed for unencrypted wallets.

There may well be similar modifications to send after you decrypt an encrypted wallet (ie. you have entered your password). I have not spotted the actual code that does this in the malware but I would be surprised if it was not there.

Only install MultiBit from code that you have downloaded from https://multibit.org

legendary
Activity: 1708
Merit: 1066
In the last 24 hours fake MultiBit sites have started appearing.
There was also a scam posting on r/bitcoin (now deleted).

Download MultiBit only from https://multibit.org

The scam site:
+ is a name squat ie slightly different letters
+ is using http only (the real multibit.org is https).
+ is advertising with google ads. MultiBit does not use google ads. Any ad you see is a scam.

I will post a bit later on how exactly you can check your binaries - they are all PGP signed.
I won't post the scam site URL but if you are interested in doing forensics on them just message me.
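
Added example, not part of the thread and not MultiBit project code: the name-squat and http-only signs listed in the post above, turned into a check that a download URL is exactly the official site before anything is fetched. The sample hostnames are constructed, and two things are assumptions: that only the exact host `multibit.org` counts as official, and that "slightly different letters" means at most two edits.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "multibit.org"  # the only download host named in the thread
MAX_SQUAT_DISTANCE = 2          # assumption: "slightly different letters" = 1-2 edits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_download_url(url: str) -> tuple[bool, str]:
    """Return (accept, reason) for a candidate MultiBit download URL."""
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and the port, so the real host is compared.
    host = (parts.hostname or "").lower().rstrip(".")
    if host == OFFICIAL_HOST:
        if parts.scheme != "https":
            return False, "official name but not https"
        return True, "official site over https"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised name, possible look-alike letters"
    if "multibit" in host:
        return False, "contains the official name but is a different host"
    # Compare the last two labels so a squat is caught under any subdomain.
    tail = ".".join(host.split(".")[-2:])
    if edit_distance(tail, OFFICIAL_HOST) <= MAX_SQUAT_DISTANCE:
        return False, "name squat: differs from multibit.org by a few letters"
    return False, "not the official download host"


if __name__ == "__main__":
    # Constructed sample URLs; none of them is taken from the thread.
    for sample in ("https://multibit.org/", "http://multibit.org/",
                   "http://mu1tibit.org/", "https://multibit.org@downloads.example/"):
        print(sample, check_download_url(sample))
```

This covers only the URL; the installer itself still needs the PGP signature check discussed earlier in the thread.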