Topic: Warning: There is an ongoing phishing attack against Electrum users (Read 716 times)

HCP
legendary
Activity: 2086
Merit: 4363
So, any Electrum binaries on Github are NOT official releases.
Aren't releases made over GitHub by Electrum's official devs fine to be downloaded?
Yes, they would be... BUT, my point is... there are no binaries on the official GitHub... there never have been.

They only have .zip or .tar.gz archives of the source code. Have a look:  https://github.com/spesmilo/electrum/releases

As far as I am aware... the only place to download the binaries is via: https://www.electrum.org/#download (which actually links to: https://download.electrum.org/)
legendary
Activity: 3052
Merit: 1273
I didn't say that you should never download anything from Github... I said you should "only download Electrum from the official website" and not from github. Besides, AFAIK, there are NO Electrum binary releases available on the official Electrum github anyway... they only have the source code available for download on the "releases" tab.

So, any Electrum binaries on Github are NOT official releases.

Aren't releases made over GitHub by Electrum's official devs fine to be downloaded? I know that repositories can be cloned and/or hubs with fake account names may be created with the exact Electrum wallet name that could drag someone into being scammed, but what about their official GitHub? And if newer versions are so dangerous, why can't we use older versions instead (obviously if there are no bugs and we're fine using them)?
If I'm not wrong, GitHub contains all older version files as well and they can be downloaded and used, so why go for updated versions when we feel no need or when knowing that such hack issues are taking place? How can an application like Electrum pop up instructions which are not even set by their devs? Can a hacker really be this rational in hacking even the servers behind that official app to throw some air in his malign intentions?
legendary
Activity: 2758
Merit: 6830
I work for Electrum Technologies GmbH.
Could you provide some evidence just to make everything clear about this? No one should just instantly trust an unknown account.
newbie
Activity: 10
Merit: 3
Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

Such a list is not very useful. Keep your Electrum updated by checking electrum.org; this is our only advice.

The only thing a malicious server could ever do is display error messages. Because Electrum v3.3.3 doesn't allow the server to display arbitrary error messages, it is safer.

If your Electrum v3.3.3+ version is showing error messages when trying to broadcast a transaction, as of right now, it probably means that you are currently using a malicious server. In that case, you can choose another server using the network dialog.

I work for Electrum Technologies GmbH.
HCP
legendary
Activity: 2086
Merit: 4363
~ DO NOT DOWNLOAD FROM GITHUB!
you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.
Second this. Isn't it also dangerous if somehow a hacker can hijack the DNS of the website to lure people to download his apps, which in turn makes downloading from GitHub safer? Anyway, the most important step to take is to always verify the signature.

Context is important... What I said was:
ONLY download Electrum from the official website: https://electrum.org/#download - DO NOT DOWNLOAD FROM GITHUB!
ALWAYS check the digital signature of Electrum before running installer and/or portable exe
I didn't say that you should never download anything from Github... I said you should "only download Electrum from the official website" and not from github. Besides, AFAIK, there are NO Electrum binary releases available on the official Electrum github anyway... they only have the source code available for download on the "releases" tab.

So, any Electrum binaries on Github are NOT official releases.
legendary
Activity: 3472
Merit: 10611
Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

What Electrum version do you use and when do you get the pop-up (when launching the application or trying to broadcast a transaction)?

Since Electrum 3.3.3, there's an option to check for updates automatically (only if you enable it), where only a message signed with the address hard-coded in Electrum is valid.
If you see the pop-up when broadcasting a transaction, just change the Electrum server and upgrade your software.

Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

well you still had to have checked the digital signature of the file you downloaded, no matter where and how you got it from. if you haven't done that, then you should. visit the Electrum website and find ThomasV's PGP public key (i posted it above but you have to visit the website instead of trusting my link) and then also download the signature corresponding to the file you downloaded and verify the signature with the public key.

the command would look something like this
Code:
gpg --verify Electrum-3.3.3.tar.gz.asc Electrum-3.3.3.tar.gz
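The command above prints "Good signature" for any key in your keyring, so the step that actually ties the file to the developer is comparing the signing key's fingerprint with the one published on electrum.org. The following is an added example (not from the thread, not Electrum's tooling) that runs the same gpg command with machine-readable status output and accepts the file only when gpg reports VALIDSIG by the expected fingerprint. The status lines and fingerprint used in the samples are constructed; the real fingerprint must be taken from the official website.

```python
"""Verify a downloaded Electrum archive against its detached .asc signature and
require a specific signing-key fingerprint.  Added example; the sample status
lines below are constructed, not captured from a real run."""
import subprocess
import sys


def parse_gpg_status(status_output: str, expected_fpr: str) -> bool:
    """Return True only if gpg reported VALIDSIG by the expected key.

    With --status-fd, gpg emits lines such as (field layout from gpg's DETAILS doc):
      [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary-fpr>
    The first field is the fingerprint of the (sub)key that made the signature and
    the last one the primary key's fingerprint; accept a match on either.
    """
    want = expected_fpr.replace(" ", "").upper()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if want in (parts[2].upper(), parts[-1].upper()):
                return True
    # GOODSIG without a matching VALIDSIG, BADSIG, ERRSIG or NO_PUBKEY all land here
    return False


def verify_download(path: str, sig_path: str, expected_fpr: str) -> bool:
    """Run gpg --verify and apply the fingerprint check (requires gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True,
    )
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed samples: a made-up fingerprint and status lines in gpg's real format.
DEMO_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {DEMO_FPR} 2019-01-25 1548374400 0 4 0 1 8 00 {DEMO_FPR}\n"
)
# Signature made by a subkey: first field differs, primary fingerprint is last.
SAMPLE_STATUS_SUBKEY = (
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-01-25 1548374400 0 4 0 1 8 00 {DEMO_FPR}\n"
)
SAMPLE_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"


if __name__ == "__main__":
    # usage: verify_electrum.py Electrum-3.3.3.tar.gz Electrum-3.3.3.tar.gz.asc <fingerprint from electrum.org>
    ok = verify_download(sys.argv[1], sys.argv[2], sys.argv[3])
    print("signature OK from the expected key" if ok else "REJECT: do not run this file")
    sys.exit(0 if ok else 1)
```

The fingerprint passed on the command line is the one shown next to the developer's public key on the official website, not one taken from the same place the file came from.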
legendary
Activity: 2170
Merit: 1789
Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?

Yes. Changing the Electrum server address might be an option if you encounter a server error in 3.3.3 again, because it means (most of the time) you're connected to a malicious server.
legendary
Activity: 3038
Merit: 6194
Meh.
Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.

What Electrum version do you use and when do you get the pop-up (when launching the application or trying to broadcast a transaction)?

Since Electrum 3.3.3, there's an option to check for updates automatically (only if you enable it), where only a message signed with the address hard-coded in Electrum is valid.
If you see the pop-up when broadcasting a transaction, just change the Electrum server and upgrade your software.

Yep, I downloaded the latest version very shortly prior to this becoming an issue, but I never got it back then so thought I was on the "good" one. I got the pop-up when trying to broadcast. I've now downloaded 3.3.3 and it works just fine, since I didn't press any links in the pop-up I can assume that I'm fine and don't have to do anything else now, right?
legendary
Activity: 3038
Merit: 6194
Meh.
Is this an issue again? I've gotten a popup today asking me to download a security update. Never got it when this became an issue and have used electrum vividly throughout that time.
legendary
Activity: 2170
Merit: 1789
you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.

Second this. Isn't it also dangerous if somehow a hacker can hijack the DNS of the website to lure people to download his apps, which in turn makes downloading from GitHub safer? Anyway, the most important step to take is to always verify the signature.
legendary
Activity: 3472
Merit: 10611
~ DO NOT DOWNLOAD FROM GITHUB!

you shouldn't generalize things like this though. downloading from Github can be just as safe as downloading from a website as long as you check the legitimacy of the repository and also compare the signature against the "real" developer's public key.
in this case: https://github.com/spesmilo/electrum
and: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
HCP
legendary
Activity: 2086
Merit: 4363
Looks like this topic needs a bump... seems there are still users getting caught by the phishing attack... despite the fact that it is over 2 weeks since the issue was first brought to light... and also at least a week since the issue was patched in the version 3.3.3 release.

As always:

ONLY download Electrum from the official website: https://electrum.org/#download - DO NOT DOWNLOAD FROM GITHUB!
ALWAYS check the digital signature of Electrum before running installer and/or portable exe
legendary
Activity: 3710
Merit: 1586
It's inheriting from QThread, so I'm guessing it happens when you run start. Start is defined in the parent class and it must be calling run.

Yes that's it: http://doc.qt.io/qt-5/qthread.html#start

legendary
Activity: 3472
Merit: 10611
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!
You just needed to check the Electrum Github commits...

That would lead you to: validate version update announcements using "bitcoin address" message…

i know where it is. i even linked it in the other topic i started yesterday.
i just have a hard time understanding python, that's all. maybe i need to try opening it in my Visual Studio to be able to follow the flow easier. for example i get that this is the whole thing here: https://github.com/spesmilo/electrum/blob/53310690a5c58145426047529eaa9af9db0b2741/electrum/gui/qt/util.py#L830-L942 but i can't figure out where it is calling the run() function under UpdateCheckThread class, i was expecting some sort of connection between that and UpdateCheck class but can't figure that out either.
the only call to it is https://github.com/spesmilo/electrum/blob/53310690a5c58145426047529eaa9af9db0b2741/electrum/gui/qt/util.py#L864-L867 where it calls start() on it but that class doesn't have a "start" function. lol. that is why i say i don't get python.
HCP
legendary
Activity: 2086
Merit: 4363
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!
You just needed to check the Electrum Github commits...

That would lead you to: validate version update announcements using "bitcoin address" message…

legendary
Activity: 3472
Merit: 10611
~from this version users will be notified about a new version. They will probably use the same way as hackers do, but announcements will be signed and verified with a hardcoded BTC address.

no it is not like the thing hackers used. it is a new and to be honest a little weird way. this is how it works based on my little understanding of python (the hackers were using server response messages, this is your own wallet checking):
if you check the optional checkbox to do the check then it connects to the official website at "https://electrum.org/version" which is a new link they added (the /version part) and downloads a small json file with this content:
Code:
{ "version":"3.3.3", "signatures":{ "13xjmVAB1EATPP8RshTE8S8sNwwSUM9p1P":"Hx2zT1AogEs0r+BqwyKsuJpD0dsWovU+cQYra33VY/jMfIHtiO+HTg/o43DnhWMUTx4CNPyE0ywZiClnhL5gJj4="}}

then checks your wallet version against the version it received and if it is lower then shows you a message saying you can download it from "https://electrum.org/#download"
i can't figure out where it verifies the signature accompanying that message above since i don't really understand python but i assume there is a check somewhere in there!
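The check the post above describes, as an added example in pure Python (this is not Electrum's code). The client fetches a small JSON document of the form {"version": ..., "signatures": {signer: base64 signature}}, ignores every signer that is not in its hardcoded set, and accepts the announced version only if a signature over it verifies. Signatures are in the Bitcoin "signed message" format (65-byte compact signature with a recovery id over the double-SHA256 of the prefixed message), which is how a Bitcoin address can act as a signing identity. Two assumptions: the signed payload is taken to be exactly the version string, and signers are identified here by their compressed public key in hex rather than by a Base58 address, so that the example needs only the standard library (hashlib does not guarantee RIPEMD-160, which address derivation needs). The demo key is constructed and is not Electrum's signing key.

```python
"""Bitcoin-style signed release announcement: sign and verify.  Added example,
not Electrum's implementation; DEMO_PRIV is a constructed key."""
import base64
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:      lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc


def _sec(pub):  # compressed SEC encoding of a public key point
    return bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")


def msg_hash(msg: bytes) -> int:
    """Bitcoin message-signing digest: double SHA-256 over the prefixed, length-tagged message."""
    def cs(n): return bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")
    data = b"\x18Bitcoin Signed Message:\n" + cs(len(msg)) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def sign_message(priv: int, msg: bytes) -> bytes:
    """65-byte compact recoverable signature (header 31..34 = compressed key)."""
    e = msg_hash(msg)
    # deterministic nonce (simplified; production code uses full RFC 6979)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), e.to_bytes(32, "big"), hashlib.sha256).digest(), "big") % N
    R = _mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    recid = (R[1] & 1) | (2 if R[0] >= N else 0)
    if s > N // 2:  # low-s form; negating s flips the parity of the recovered point
        s, recid = N - s, recid ^ 1
    return bytes([31 + recid]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")


def recover_pubkey(sig65: bytes, msg: bytes):
    """Return the public key point that produced sig65 over msg; raise ValueError if malformed."""
    if len(sig65) != 65 or not 27 <= sig65[0] <= 34: raise ValueError("bad header")
    recid = (sig65[0] - 27) & 3
    r, s = int.from_bytes(sig65[1:33], "big"), int.from_bytes(sig65[33:], "big")
    if not (1 <= r < N and 1 <= s < N): raise ValueError("r/s out of range")
    x = r + (N if recid & 2 else 0)
    if x >= P: raise ValueError("x out of range")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # square root, valid since P % 4 == 3
    if (y * y - pow(x, 3, P) - 7) % P: raise ValueError("x not on curve")
    if (y & 1) != (recid & 1): y = P - y
    e = msg_hash(msg)
    # Q = r^-1 * (s*R - e*G)
    return _mul(pow(r, -1, N), _add(_mul(s, (x, y)), _mul((N - e % N) % N, G)))


def verify_announcement(announcement: dict, trusted_keys: set) -> bool:
    """True iff a trusted signer validly signed the announced version string."""
    version = announcement.get("version")
    sigs = announcement.get("signatures", {})
    if not isinstance(version, str) or not isinstance(sigs, dict): return False
    for signer, sig_b64 in sigs.items():
        if signer not in trusted_keys: continue  # unknown signer: ignored, never trusted
        try:
            pub = recover_pubkey(base64.b64decode(sig_b64), version.encode())
        except ValueError:
            continue
        if pub is not None and _sec(pub).hex() == signer: return True
    return False


def is_newer(announced: str, current: str) -> bool:
    return tuple(map(int, announced.split("."))) > tuple(map(int, current.split(".")))


# Constructed demo signer standing in for the key hardcoded in the client (NOT Electrum's key).
DEMO_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
DEMO_SIGNER = _sec(_mul(DEMO_PRIV, G)).hex()


def demo_announcement(version="3.3.3"):
    sig = base64.b64encode(sign_message(DEMO_PRIV, version.encode())).decode()
    return {"version": version, "signatures": {DEMO_SIGNER: sig}}


if __name__ == "__main__":
    ann = demo_announcement()
    print("valid:", verify_announcement(ann, {DEMO_SIGNER}), "newer than 3.3.2:", is_newer(ann["version"], "3.3.2"))
```

Because the trusted signer set lives in the client binary, a compromised web host or a rogue server can at most serve a stale or malformed document: without the signing key it cannot make the client announce a version the developers did not sign, and the client still only points the user at the official download page rather than following a server-supplied link.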
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
finally it is fixed in the newest version 3.3.3

This is good news; a solution in that direction has already been mentioned. Also there are some other fixes in this version, but the most interesting is that from this version users will be notified about a new version. They will probably use the same way as hackers do, but announcements will be signed and verified with a hardcoded BTC address.

I just hope this is a permanent fix for this issue, and it would be interesting to know the total damage this exploit has done to users.

Quote
# Release 3.3.3 - (January 25, 2019)

 * Do not expose users to server error messages (#4968)
 * Notify users of new releases. Release announcements must be signed,
   and they are verified by Electrum using a hardcoded Bitcoin address.
 * Hardware wallet fixes (#4991, #4993, #5006)
 * Display only QR code in QRcode Window
 * Fixed code signing on MacOS
 * Randomise locktime of transactions

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES
legendary
Activity: 3472
Merit: 10611
finally it is fixed in the newest version 3.3.3
reference: https://github.com/spesmilo/electrum/pull/5011/files
it uses the same approach as electronBCH: it takes the message, analyzes it and then translates that into predefined messages instead of showing whatever the server sent. that should solve this issue for good.
if the server sends you a malicious message you should see "Unknown error" instead of it.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
joele, older versions still work, but there are problems with synchronization and with security. You should not use any version under 3.0.5 because of a security problem which was fixed in that version. Also it is good practice to always use the latest version; your version is too old and it is not safe.

Quote
# Release 3.0.4 : (Security update)

 * Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
   in the JSONRPC interface. Previous versions of Electrum are
   vulnerable to port scanning and deanonimization attacks from
   malicious websites. Wallets that are not password-protected are
   vulnerable to theft.
 * Bundle QR scanner with Android app
 * Minor bug fixes

Quote
# Release 3.0.5 : (Security update)

This is a follow-up to the 3.0.4 release, which did not completely fix
issue #3374. Users should upgrade to 3.0.5.

 * The JSONRPC interface is password protected
 * JSONRPC commands are disabled if the GUI is running, except 'ping',
which is used to determine if a GUI is already running

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES
legendary
Activity: 1022
Merit: 1000
Old Electrum 2.9.3 and selected server node 'b.ooze.cc' still works for me.
HCP
legendary
Activity: 2086
Merit: 4363
One important question. Does the transaction go through despite the error msg?
Like is the functionality unaffected?
To answer this question... As I understand it... No, the transaction does not go through. All the "bad" servers do is throw back the fake error message and encourage the user to download malware. (NOTE: I believe the github repository that it linked to has already been removed)

So, as Abdussamad mentioned, simply ignore the error and connect to a different server. If you do that, there is no danger to your wallet or coins from this "attack".
legendary
Activity: 3710
Merit: 1586
So what would be the wisest course of action?
Just wait until the issue gets fixed and not use the wallet in the meantime?

One important question. Does the transaction go through despite the error msg?
Like is the functionality unaffected?

Thanks for info.

The only thing you need to do is that in the event you get an error message when spending bitcoins try switching servers. Don't download any software that the error message tells you to.
member
Activity: 120
Merit: 10
So what would be the wisest course of action?
Just wait until the issue gets fixed and not use the wallet in the meantime?

One important question. Does the transaction go through despite the error msg?
Like is the functionality unaffected?

Thanks for info.
newbie
Activity: 231
Merit: 0

yes, it is from the original website > http://nl.tinypic.com/r/2njwpc8/9

image of download history

i would say check your own folder structure and see if it is the same as in my image
legendary
Activity: 3710
Merit: 1586
look at your browser history and confirm the url you downloaded electrum from ?
newbie
Activity: 231
Merit: 0
hello there

some days ago someone stole my BTC from my Electrum wallet after I upgraded from 3.3.1 to 3.3.2

all my BTC are gone (0.05xxx), but I have decided, after cleaning my computer, to reinstall the new and latest wallet.
now when I installed this I thought let's see the file structure of that wallet; apart from my wallet.dat folder, this is what I saw: http://i66.tinypic.com/2n0pkq8.jpg

i don't think this is correct. look at the date stamp of the actual wallet exe file, creation day: 11-11-2000 !!???

so, in short, i downloaded from the original website what I always do then installed it then I went to the folder and this is what i saw

please, I need help and advice
legendary
Activity: 3710
Merit: 1586
You posted some possible solutions, and both would in any case be better than the current situation. It's been 16 days since the attack started, and the only fix in that period is a mitigation of the problem.

You should complain in that issue: https://github.com/spesmilo/electrum/issues/4968

I see there is a version Electrum 3.2.4 (2018-12-31 11:26), but on the main page it still says Latest release: Electrum-3.3.2, even more confusion...?

3.2.4 contains a backported version of the phishing attack mitigation for users who can't upgrade to python 3.6. Everyone else should stick to 3.3.2.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Well first of all Electrum doesn't show update notifications at all. If it were to start now it'll only muddy the waters even more

Electrum shows this message in combination with bad servers, and even if Electrum cannot influence such servers, there is still a great deal of responsibility on them. Such a thing should have been foreseen and prevented, but instead of that we have hundreds of stolen BTC and confusion that continues to last...

You posted some possible solutions, and both would in any case be better than the current situation. It's been 16 days since the attack started, and the only fix in that period is a mitigation of the problem.

I see there is a version Electrum 3.2.4 (2018-12-31 11:26), but on the main page it still says Latest release: Electrum-3.3.2, even more confusion...?

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

Nothing is 100% sure, but I found a list of Electrum servers which could help. However, the owner of this site can also be tricked into listing some bad server; it is just for informational purposes.

https://1209k.com/bitcoin-eye/ele.php
legendary
Activity: 3710
Merit: 1586
I'm not sure if it's technically possible for Electrum to use this exploit in a way that shows a warning message to users, but before any transaction is initiated?

Well first of all Electrum doesn't show update notifications at all. If it were to start now it'll only muddy the waters even more

Second the message is by the server you are connected to and the electrum company doesn't control those servers. If it did then they could simply replace the messages with numerical error codes and then the client could display a limited set of meaningful error messages depending on the error code instead of arbitrary messages from the server. This is the proper fix they talked about.

In the meantime the electron cash approach might work where they attempt to parse the message from the server and then replace it with a legit error message. Another suggestion was to hide the message from the server under a read more button so that those who actually cared could read it while your regular users won't bother and therefore won't be phished.
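The two approaches discussed in this thread, the numeric-code idea in the reply above and the parse-and-replace approach that the later 3.3.3 post attributes to the Electron Cash fix (unrecognised text becomes "Unknown error"), come down to the same client-side rule: the server's words are never displayed, only a message the client owns. Below is an added example of such a filter in Python; it is neither Electrum's nor Electron Cash's code, the rejection-reason table is this example's own assumption about typical bitcoind rejection strings, and both sample inputs are constructed. As an addition to what the thread describes, it also returns a "suspicious" flag for logging, so that a server pushing instructions instead of a rejection reason can be noticed and dropped from the peer list.

```python
"""Broadcast-error filter: map raw server text to a fixed client message.
Added example, not wallet code; KNOWN_REJECTIONS and the samples are constructed."""
import re

# (regex over the server text, client-owned message).  Order matters: first match wins.
KNOWN_REJECTIONS = [
    (r"min relay fee not met|insufficient fee|fee too low",
     "The transaction fee is too low for this server to relay it."),
    (r"bad-txns-inputs-missingorspent|missing inputs",
     "One or more inputs have already been spent or do not exist."),
    (r"txn-mempool-conflict",
     "The transaction conflicts with another transaction already in the mempool."),
    (r"txn-already-in-mempool|already in block chain|already have transaction",
     "This transaction has already been broadcast."),
    (r"non-mandatory-script-verify-flag|mandatory-script-verify-flag-failed",
     "A signature or script in the transaction is invalid."),
    (r"\bdust\b",
     "An output is below the dust limit."),
]
UNKNOWN = "Unknown error"

# Markers of text aimed at the user rather than at the client (for logging only).
PHISHING_HINTS = re.compile(r"https?://|\b(update|upgrade|download|install)\b", re.IGNORECASE)


def sanitize_broadcast_error(server_text) -> str:
    """Return a predefined message; the server's own wording is never echoed."""
    if not isinstance(server_text, str):
        return UNKNOWN
    for pattern, message in KNOWN_REJECTIONS:
        if re.search(pattern, server_text, flags=re.IGNORECASE):
            return message
    return UNKNOWN


def classify_broadcast_error(server_text):
    """(message for the user, suspicious flag).  The flag is set when the text was
    unrecognised and reads like instructions; log it and consider switching servers."""
    message = sanitize_broadcast_error(server_text)
    suspicious = (message == UNKNOWN and isinstance(server_text, str)
                  and bool(PHISHING_HINTS.search(server_text)))
    return message, suspicious


# Constructed samples (not real server captures).
SAMPLE_NODE_REJECTION = ("the transaction was rejected by network rules.\n\n"
                         "min relay fee not met\n[0100000001...]")
SAMPLE_ROGUE_SERVER = ("Your Electrum client is outdated. Please update from "
                       "https://example.invalid/ before sending.")


if __name__ == "__main__":
    for raw in (SAMPLE_NODE_REJECTION, SAMPLE_ROGUE_SERVER, None):
        print(classify_broadcast_error(raw))
```

The table can only ever add messages the client already knows; a server that wants the user to do something has no path from its response to the screen except the fixed strings, which is the property the thread's "replace the messages with numerical error codes" suggestion also aims at.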
newbie
Activity: 21
Merit: 4
Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
There is currently no way to prevent the appearance of this message through a legitimate Electrum wallet, so every warning is welcome. But the very fact that the vulnerability still exists makes this wallet very risky for any inexperienced user. We can talk about how important it is to always check files before installation, or to never download wallets from untrusted sources - people simply do not pay attention to such things.

I'm not sure if it's technically possible for Electrum to use this exploit in a way that shows a warning message to users, but before any transaction is initiated?
sr. member
Activity: 910
Merit: 351
people aren't upgrading their Electrum just because this bug existed in older versions. there are still people using Electrum 2.x.x versions out there too! so as long as the attack is ongoing some sort of warning on their Twitter page from time to time is a good idea. they may need to stick it on top though.

They'll probably need to pin it forever, because it seems these 'bad' servers will continue to exist as long as people still use Electrum. Anyway, this should increase security awareness. For god’s sake, I never understand why people just download and never verify a file from the internet.
legendary
Activity: 3472
Merit: 10611
I'm not sure why Electrum gives a warning again, since that attack has actually never stopped. Electrum just changed, or as they say mitigates, the attack in the way users see that notification pop-up message.

people aren't upgrading their Electrum just because this bug existed in older versions. there are still people using Electrum 2.x.x versions out there too! so as long as the attack is ongoing some sort of warning on their Twitter page from time to time is a good idea. they may need to stick it on top though.
HCP
legendary
Activity: 2086
Merit: 4363
It seems that the error only shows on the latest version of electrum? I tried the other version but I don't see any error yet.

It looks like only the 3.3.2 version is infected with this attack.
It has nothing to do with the version of the Electrum client that you have installed/are using... it all depends on which Electrum server you get connected to.

Also, I believe that the message only shows when you attempt to broadcast a transaction.

The message is generated and sent by rogue Electrum servers that have been setup and launched by the attackers. They modified the (open source) code, so that regardless of your client and/or how your transaction is setup, the server will automatically return the fake "error" message to your client encouraging you to "upgrade". Then the attackers launched hundreds of servers (using different domains) to increase the odds that a client would get automatically connected to one of their servers.

So, if you automatically (or manually) connect to a "good" server, you will never see this message... and if you're connected to a "bad" server, but don't try and broadcast a transaction, you will not see this message either.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
It seems that the error only shows on the latest version of electrum? I tried the other version but I don't see any error yet.

It looks like only the 3.3.2 version is infected with this attack.

I'm sure that they will release a new version of electrum this coming week and I hope they can inform all Electrum users about this issue before someone installs a fake Electrum wallet.

I already checked the link from the image above; it looks like someone already reported it.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I'm not sure why Electrum gives a warning again, since that attack has actually never stopped. Electrum just changed, or as they say mitigates, the attack in the way users see that notification pop-up message.

So there is no direct link to a fake wallet download (click link), but the message looks like this:

Some users obviously still fall into this trap and download fake wallets; probably because of that, Electrum reacted again by tweeting that warning.
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
Saw this tweet of electrum hours ago. Please be aware, and be careful.

"Warning: there is an ongoing phishing attack against Electrum users, where rogue servers ask users to install bitcoin-stealing malware. We released version 3.3.2, which mitigates the attack. See https://electrum.org/#download"

Source: https://twitter.com/ElectrumWallet/status/1083334662427164672