As you may know, downloading a fake wallet is one of the main ways people get their funds stolen. So it is very important to be able to detect fake copies of legitimate wallet software and avoid them. This is my handbook on how to avoid running a fake wallet in the first place.
This guide mostly covers desktop wallets - you should not be storing large sums of money on a mobile wallet!
As always, for best protection, buy a hardware wallet or use an airgapped computer. But I will not cover either of those in this post.
How hackers fool people into downloading fake wallet software

You should know one thing about the internet: nowadays a domain name can contain characters from many different languages, not just the English alphabet. This means you can go to a site like this (https://räksmörgås.josefsson.org/ <-- safe!) and it actually takes you to this domain (xn--rksmrgs-5wao1o.josefsson.org [also safe!]), which is the Punycode version of the same name using only ASCII characters. Your browser converts between the two forms for you.
Hackers frequently abuse this by registering names built from look-alike characters of other alphabets (for example a Cyrillic "а" in place of the Latin "a"), so the address bar shows what looks like the real wallet site while it actually points at a copycat site full of malware. So it is important that such domains are blocked for your own protection. We will get to how to do that in a minute.
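To make the mechanism concrete, here is a small added example (my own code, not from the original post or from any of the extensions mentioned) that converts hostnames between their Unicode and Punycode forms and flags labels that mix alphabets, which is the homograph trick described above. The three sample hostnames are constructed for the example; the Cyrillic one is a classic look-alike, not a real site I am accusing of anything.

```python
import unicodedata

# Constructed sample hostnames for this example (not from the post):
SAMPLES = [
    "xn--rksmrgs-5wao1o.josefsson.org",  # Punycode form of the post's own example
    "\u0430pple.com",                     # Cyrillic small a (U+0430) followed by Latin "pple"
    "electrum.org",                       # plain ASCII
]


def to_unicode(host: str) -> str:
    """Decode every xn-- (Punycode) label of a hostname into the Unicode the browser displays."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_punycode(host: str) -> str:
    """Encode a Unicode hostname into the ASCII (xn--) form that is actually resolved in DNS."""
    labels = []
    for label in host.lower().split("."):
        if all(ord(ch) < 128 for ch in label):
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Set of Unicode script names (LATIN, CYRILLIC, GREEK, ...) used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # unicodedata.name() returns e.g. "CYRILLIC SMALL LETTER A"; the first word is the script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def classify(host: str) -> str:
    """
    'ascii' - nothing to decode, the name is what it looks like
    'idn'   - non-ASCII labels, each written in a single script (an ordinary international name)
    'mixed' - one label mixes scripts, the classic homograph attack
    An extension such as IDN Safe blocks both 'idn' and 'mixed'; the second is the dangerous one.
    """
    decoded = to_unicode(host)
    if all(ord(ch) < 128 for ch in decoded):
        return "ascii"
    for label in decoded.split("."):
        if len(scripts_in(label)) > 1:
            return "mixed"
    return "idn"


if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:40} -> {to_unicode(h):30} -> {to_punycode(to_unicode(h)):40} {classify(h)}")
```

Run it and the Cyrillic look-alike comes out as xn--pple-43d.com, a name that has nothing to do with the site it imitates; that Punycode string is what a blocker like IDN Safe sees, which is why blocking everything that starts with xn-- is such an effective rule.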
The other way hackers fool you into downloading malware is through Google Search results. Anybody can place an ad in the top spots of Google search results if they pay Google some money, and the ad can be made to look just like a real result for the wallet. Unfortunately Google often does nothing - or at least not enough - about this. So the search result you are clicking on might actually be a fake.
Now the solution for protecting yourself from both of these threats is two-fold.
First, use an extension that blocks international domain names.
Second, use an adblocker.
For blocking international domain names, you can use IDN Safe: https://github.com/AykutCevik/IDN-Safe It is an open-source extension for Chrome/Firefox/Edge that blocks all funny-looking domain names like the two above, and it has a whitelist in case you do need to access a legitimate site.
As for the adblocker, you should only use one that does not quietly let other companies' ads through (some adblockers sell "acceptable ads" exemptions). I recommend uBlock Origin: https://ublockorigin.com/ another open-source adblocker for Chrome/Firefox et al.
These two extensions should eliminate the vast majority of fake wallets that could be downloaded to your computer. But there are other ways someone can sneak malware in, using legitimate domains.
Open source software, checksums and PGP

If your wallet is open-source, any developer can view the source code to verify it is legit. But it also means that hackers can modify it slightly to perform a specific function, such as stealing all your bitcoins. Wallet software is often hosted on places like GitHub, with the fake copies living under different repository names that evade the content blockers above.
(Note: Never use a closed-source wallet because there is no way to verify that it is not acting maliciously).
For this reason, developers post checksums so that users can verify that the downloaded file is byte-for-byte the same as the file the developers published. A checksum is a long string of text produced by hashing all the bytes of a file. When we want to verify a file, we look up the SHA-256 checksum the developers published and then use a checksum program to independently calculate the checksum of our own download and compare the two.
PGP is a technology that lets you verify the authenticity of software using a public key. It is important because a checksum alone proves nothing if the hacker controls the download page: they can simply replace the checksums of the real file with checksums of the malicious file. When you download the developer's public key and the signature the developer made over the release, you can verify the signature with a PGP program to check that it was made by the developer's key.
PGP signatures cannot be faked by a hacker because PGP uses key pairs. The public key is derived from the private key, but not the other way around, and the key's fingerprint is a hash of the public key that uniquely identifies it. So developers keep their private keys secret and post a PGP signature online. The signature cannot be created without the private key, so a hacker has no chance of faking it.
What hackers can do is create a completely different PGP key and try to fool unsuspecting users into thinking that this is the real key. That is why you must compare the fingerprint of the key that made the signature you are verifying against the fingerprint obtained from a source the attacker does not control (the developer's own announcements, the project's repository, a key you imported long ago, or downloads you already verified). If it is even slightly different from the real one, then the software is fake and most likely malicious. Note that a "good signature" message from your PGP program only means the signature matches some key you have imported; it is the fingerprint comparison that ties it to the real developer.
Some developers sign a list of checksums instead of (or in addition to) the files themselves. In that case you verify the signature on the checksum list and then check that your download matches the listed checksum. If the developer signs the file directly, a valid signature already proves the file was not corrupted or altered in transit, so no separate checksum step is needed.
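Here is the whole procedure from the last few paragraphs as an added example (my own code, not the post's or any wallet project's): it wraps gpg, pins the developer's primary-key fingerprint, and only then checks the download against the signed checksum list. The pinned fingerprint, the gpg status output and the checksum lines are constructed placeholders for the example; the real fingerprint must come from a channel the attacker does not control.

```python
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Dict, Optional

# Placeholder fingerprint for the example; NOT a real key. Obtain the real one out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output. Note that a subkey signed (first
# VALIDSIG field) while the last field is the primary key fingerprint, which is what we pin.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Developer <dev@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def signing_key_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG line, or None if gpg did not validate a signature.

    GOODSIG fires for any key in your keyring, so it is not enough; only VALIDSIG carries the fingerprint.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            args = parts[2:]
            # args: fpr, date, timestamp, expire, version, reserved, pk-algo, hash-algo, class, primary-fpr
            return (args[9] if len(args) >= 10 else args[0]).upper()
    return None


def signature_is_from_pinned_key(status_output: str, pinned_fpr: str) -> bool:
    fpr = signing_key_fingerprint(status_output)
    return fpr is not None and fpr == pinned_fpr.replace(" ", "").upper()


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines '<64 hex>  <filename>' (binary-mode lines prefix the name with '*')."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def download_matches_list(download, checksum_list_text: str) -> bool:
    """True only if the file is named in the list AND its SHA-256 matches; an absent entry is a failure."""
    sums = parse_checksum_list(checksum_list_text)
    name = Path(download).name
    return name in sums and sha256_file(download) == sums[name]


def gpg_status(signature_path, signed_file=None) -> str:
    """Run gpg on a detached (.asc/.sig) signature and return its machine-readable status lines."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature_path)]
    if signed_file is not None:
        cmd.append(str(signed_file))
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def verify_release(signature_path, checksum_list_path, download) -> bool:
    """Signed checksum list workflow: fingerprint first, checksum second. Both must pass."""
    if not signature_is_from_pinned_key(gpg_status(signature_path, checksum_list_path), PINNED_FPR):
        return False
    return download_matches_list(download, Path(checksum_list_path).read_text())


if __name__ == "__main__":
    print("pinned key signed sample:", signature_is_from_pinned_key(SAMPLE_STATUS, PINNED_FPR))
```

Use verify_release("SHA256SUMS.asc", "SHA256SUMS", "wallet-x.y.z.tar.gz") after importing the developer's key; if the wallet signs the binary itself rather than a list, call signature_is_from_pinned_key on gpg_status("wallet.sig", "wallet") and skip the checksum step. The fingerprint comparison is done in code rather than by eye because that is exactly where the "slightly different" fake key in the previous paragraph slips past people.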
Here is how you can verify PGP signatures:
Windows: https://bitcointalksearch.org/topic/re-eng-tutorial-pgp-signature-encryptdecrypt-message-fingerprint-5469280
MacOS: https://bitcointalksearch.org/topic/m.49695453
Linux (Ubuntu; uses gpg, so install it with the appropriate package manager): https://bitcointalksearch.org/topic/m.49694331
Another one for Windows, Mac and Linux: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594
How to calculate SHA-256 checksums of any file: https://help.rublon.com/support/solutions/articles/1000308518-how-to-verify-sha-256-checksum-
If any images are broken, just right-click and open in a new tab.
In case the fake wallet might be running

While I recommend you always verify the PGP signatures of wallets, some of them don't have PGP signatures and thus you can't use those as a line of defense.
There is nothing stopping you from accidentally clicking on a fake wallet software to run it, unsuspectingly. They have the same file names, icon and possibly other metadata. So if you are not sure whether the wallet you are running is fake, follow these instructions:
(Note: The operating system will not let anyone overwrite the executable file of a program while that program is running - Windows locks the file and Linux refuses with "Text file busy" - and a file that is deleted and replaced only takes effect the next time the wallet is launched. So these instructions only have to be repeated when the wallet software is closed and re-opened. They do not protect against malware injecting code into the already running process; the anti-virus and decoy-wallet advice further down is for that.)
First of all, you need a process manager running somewhere so you can see where programs are being run from. Is it from a folder you've previously run it from normally, like the Programs folder? Or did it spawn somewhere in /tmp or C:\Temp? Granted, you are responsible for knowing which folders on your system contain the legit wallet software, and which ones might contain fake software you might have just downloaded.
On Windows, Task Manager is not detailed enough, so you should install Process Explorer from here: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer because it shows you the full command-line path of the program. You can also filter the process list to only those containing the name of the wallet software - which Task Manager can't do.
On Mac (using Homebrew) and Linux, you can use the htop command in the terminal, which you might have to install. Be sure it's configured to show the full command-line path. You can use this configuration of mine to accomplish that (save it to $HOME/.config/htop/htoprc):
# Beware! This file is rewritten by htop when settings are changed in the interface.
# The parser is also very primitive, and not human-friendly.
fields=0 48 17 18 2 109 110 46 47 39 49 125 20 1
sort_key=46
sort_direction=-1
tree_sort_key=46
tree_sort_direction=-1
hide_kernel_threads=1
hide_userland_threads=0
shadow_other_users=1
show_thread_names=0
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
highlight_changes=0
highlight_changes_delay_secs=5
find_comm_in_cmdline=1
strip_exe_from_cmdline=0
show_merged_command=1
tree_view=1
tree_view_always_by_pid=0
header_margin=1
detailed_cpu_time=1
cpu_count_from_one=1
show_cpu_usage=1
show_cpu_frequency=1
show_cpu_temperature=1
degree_fahrenheit=0
update_process_names=1
account_guest_in_cpu_meter=0
color_scheme=0
enable_mouse=1
delay=15
left_meters=LeftCPUs Memory Swap DiskIO NetworkIO
left_meter_modes=1 1 1 2 2
right_meters=RightCPUs Tasks LoadAverage Uptime DateTime
right_meter_modes=1 2 2 2 2
hide_function_bar=0
It contains a bunch of other unrelated stuff but it ensures the full command-line path is shown.
For either tool, it's helpful to run it in tree mode to view the processes as a tree, which makes them easier to find (in the htop config I already enabled this). In case you leave your wallet open - and locked (!) - for long periods of time, make sure the Start Time column is also visible (again, in htop I already did this for you) so that you know when you started the wallet. Like I said earlier, the executable file can't be overwritten while the program is running, so if the process started from the right location at a time you recognize, this should give you extra confidence that the running wallet software is the one you launched and that it is safe to unlock it and make transactions.
The other thing you need to look into is the modification date of the program on the hard disk, to make sure nobody has tampered with the files by installing a fake version recently. You can accomplish this by simply opening a file manager in "list view" with the "date modified" or "modification time" column fully visible. (If Windows Explorer keeps crashing and closing itself you can use another file manager like 7-Zip for this.)
Whatever you do, make sure the modification time is one that you recognize - you should be able to remember installing or updating your wallet software on that date. Bear in mind that modification times are set by whoever writes the file and can be faked, so a matching date is a sanity check, not proof; the checksum and PGP verification above is the real test.
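The two checks above (where the running process was started from and when, plus the modification time of the binary on disk) can be automated on Linux by reading /proc. This is an added example of mine, not code from the post; the trusted and scratch directories and the "dates I remember installing" are assumptions you would replace with your own, and the /proc layout it parses is Linux-specific (on Windows you would read the same things out of Process Explorer).

```python
import os
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List

# Assumed locations for this example: where the wallet was deliberately installed, and the
# scratch/download folders a dropper or accidental double-click would run from.
TRUSTED_DIRS = ["/opt/electrum", "/usr/bin", "/usr/local/bin", os.path.expanduser("~/Applications")]
SCRATCH_DIRS = ["/tmp", "/var/tmp", "/dev/shm", os.path.expanduser("~/Downloads")]

# Constructed for the example: the dates you remember installing or updating the wallet.
KNOWN_INSTALL_DATES = [datetime(2024, 3, 10), datetime(2024, 9, 2)]


def _under(path: str, directory: str) -> bool:
    path, directory = os.path.normpath(path), os.path.normpath(directory)
    return os.path.commonpath([path, directory]) == directory


def classify_location(exe_path: str, trusted: List[str] = TRUSTED_DIRS,
                      scratch: List[str] = SCRATCH_DIRS) -> str:
    """'suspicious' for scratch folders, 'trusted' for the known install dirs, otherwise 'unknown'."""
    if any(_under(exe_path, d) for d in scratch):
        return "suspicious"
    if any(_under(exe_path, d) for d in trusted):
        return "trusted"
    return "unknown"


def mtime_is_recognized(mtime: datetime, known: List[datetime] = KNOWN_INSTALL_DATES,
                        slack: timedelta = timedelta(days=1)) -> bool:
    """A modification time counts as recognized if it falls within `slack` of a remembered install date."""
    return any(abs(mtime - d) <= slack for d in known)


def process_start_time(pid: int) -> datetime:
    """Linux: boot time from /proc/stat plus the process's starttime (field 22 of /proc/<pid>/stat) in ticks."""
    with open("/proc/stat") as f:
        btime = next(int(line.split()[1]) for line in f if line.startswith("btime "))
    stat = Path(f"/proc/{pid}/stat").read_text()
    fields = stat.rsplit(")", 1)[1].split()      # everything after the comm field, which may contain spaces
    starttime_ticks = int(fields[19])            # field 22 overall; fields[0] is field 3 (state)
    return datetime.fromtimestamp(btime + starttime_ticks / os.sysconf("SC_CLK_TCK"))


def audit_pid(pid: int) -> Dict[str, object]:
    """Linux: gather what Process Explorer/htop show, plus the on-disk mtime of the mapped binary."""
    proc = Path("/proc") / str(pid)
    exe = os.readlink(proc / "exe")
    # If the file was deleted or replaced since launch the kernel appends " (deleted)" to the link target:
    # the process still runs the old code, but whatever is on disk now is NOT what you are running.
    replaced_on_disk = exe.endswith(" (deleted)")
    exe_path = exe[: -len(" (deleted)")] if replaced_on_disk else exe
    cmdline = [a for a in (proc / "cmdline").read_bytes().decode(errors="replace").split("\0") if a]
    report: Dict[str, object] = {
        "pid": pid,
        "exe": exe_path,
        "replaced_on_disk": replaced_on_disk,
        "location": classify_location(exe_path),
        "cmdline": cmdline,
        "started": process_start_time(pid),
    }
    if os.path.exists(exe_path):
        mtime = datetime.fromtimestamp(os.stat(exe_path).st_mtime)
        report["exe_mtime"] = mtime
        report["mtime_recognized"] = mtime_is_recognized(mtime)
    return report


if __name__ == "__main__":
    for key, value in audit_pid(os.getpid()).items():
        print(f"{key:18} {value}")
```

Run it with the wallet's PID (find it with pgrep) and refuse to unlock if the location is "suspicious", the start time is not when you launched it, the binary has been replaced on disk, or the modification time is one you do not recognize. The "(deleted)" marker is worth knowing about: it is the one case where the file you see in the file manager and the code actually running in memory are different programs.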
Decoy wallets

Most malware simply drains all the bitcoins in your wallet files. But you can detect and mitigate this kind of attack by following either, or both, of these two simple procedures:
1. Create what I call a decoy wallet. This is a wallet that is password-protected - so that it is not swept immediately - and contains a small amount of cryptocurrency, such as $1 or $2. You always open this wallet before you open your real, intended wallet. If the decoy's balance is gone, your defenses have been breached and your computer is compromised, so you know not to open the real wallet on it until it has been cleaned.
2. Copy your real wallet file(s) to removable storage, such as a USB disk. When you want to open your wallet, move it to the correct location where wallets are normally stored. After you close it, copy it back to the USB and delete it from the hard disk.
Never take the USB anywhere unless you can guarantee that it will be physically secured. And don't leave it plugged into the computer when the wallet is not open. Mainly useful for wallets with no password or weak password, not as useful for wallets which already have a strong password.
As always, use a strong password to protect your wallets, because this will prevent anyone from stealing your money even if they swipe your wallet file. But keyloggers are a common threat - especially on Windows - that completely defeat password protection, so make sure you're running anti-virus on Windows, such as Malwarebytes.