Bitcoin Forum

Bitcoin => Wallet software => Topic started by: whotookmycrypto on March 22, 2019, 05:20:17 AM



Title: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: whotookmycrypto on March 22, 2019, 05:20:17 AM
Haven't seen this shared around here.

Basically, the scam website has one download link pointing Windows users to download the fake wallet. The other download links on the site are, however, legitimate. Comprehensive testing has yet to be conducted on the fake download to find out what it does but "it’s definitely a scam".

As with the recent attack on the Electrum wallet, this incident once again highlights the importance of verifying PGP signatures of your downloads. Good link on this forum on how to go about this: https://bitcointalk.org/index.php?topic=4059348.0

Scanning files for viruses alone isn't sufficient, as scanning it for viruses threw up no detections.
https://pbs.twimg.com/media/D2K_2ZfX0AAg7pZ.jpg
Image credits: https://twitter.com/nopara73/status/1108659418680516608

Stay safe.

Source of news:
https://thenextweb.com/hardfork/2019/03/21/wasabi-wallet-bitcoin-fake/


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: Baofeng on March 22, 2019, 06:51:08 AM
From Wasabi's co-founder himself:

https://twitter.com/nopara73/status/1108658747906449408


So just be careful.


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: mk4 on March 22, 2019, 04:35:16 PM
How is this scam site being advertised or spread online? Couldn't make it appear on the front page through testing a few Google searches. No ads either.

EDIT: I think we're good. Page seems to be erased already. Keep your eyes peeled at all times though.

https://i.imgur.com/QU10RGe.png


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: whotookmycrypto on March 22, 2019, 04:45:01 PM
How is this scam site being advertised or spread online? Couldn't make it appear on the front page through testing a few Google searches. No ads either.

EDIT: I think we're good. Page seems to be erased already. Keep your eyes peeled at all times though.


If the scammer couldn't get it ranked on google, then he/she could probably use social media to fool unsuspecting users? For example, giving advice out to users on Twitter on how to stay safe and directing them to that malicious link.

Yes, the link has been taken down. Someone reported it to their host provider Namecheap.
https://i.imgur.com/FGmqZdH.png


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: ABCbits on March 22, 2019, 05:54:59 PM
Wasabi's GitHub page also shares a short guide on GPG verification along with its public PGP key.

https://github.com/zkSNACKs/WalletWasabi/blob/master/WalletWasabi.Documentation/Guides/InstallInstructions.md#gpg-verification

If the scammer couldn't get it ranked on google, then he/she could probably use social media to fool unsuspecting users? For example, giving advice out to users on Twitter on how to stay safe and directing them to that malicious link.

Basically a social engineering attack. I'd bet they share a misleading URL where the text and the actual link are different, for example:

bitcoin.org (http://bitcointalk.org)

Code:
[url=bitcointalk.org]bitcoin.org[/url]
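
The mismatch between link text and link target shown in the post above can be checked mechanically. The following is an added example, not part of the original post: it scans BBCode for `[url=...]` tags whose visible text names a different host than the target. The function names and the sample post are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches [url=TARGET]TEXT[/url]; TARGET may be quoted.
URL_TAG = re.compile(r'\[url=["\']?([^\]"\']+)["\']?\](.*?)\[/url\]', re.I | re.S)
# Visible text that itself looks like a host name or URL.
HOSTLIKE = re.compile(
    r'^(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#].*)?$', re.I)


def host_of(value):
    """Return the lower-cased host of a URL or bare domain, without 'www.'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # bare domain, as in the post's example
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def misleading_links(bbcode):
    """Return (shown_host, actual_host) for links whose text names another host."""
    findings = []
    for target, text in URL_TAG.findall(bbcode):
        # Drop nested formatting tags such as [b]...[/b] from the visible text.
        text = re.sub(r'\[/?[a-z]+[^\]]*\]', '', text, flags=re.I).strip()
        if not HOSTLIKE.match(text):
            continue  # plain wording such as "click here" claims no destination
        shown, actual = host_of(text), host_of(target)
        if shown != actual:
            findings.append((shown, actual))
    return findings


# Constructed sample post; the first link is the example from the thread.
SAMPLE = (
    "Stay safe: [url=bitcointalk.org]bitcoin.org[/url]\n"
    "Docs: [url=https://www.example.org/guide]example.org/guide[/url]\n"
    "More: [url=https://example.net]read this[/url]\n"
)

if __name__ == "__main__":
    for shown, actual in misleading_links(SAMPLE):
        print(f"text says {shown!r} but link goes to {actual!r}")
```

Only links whose visible text looks like a domain are compared; a lookalike domain used consistently in both text and target would not be flagged by this check.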


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: anu1908 on March 23, 2019, 01:52:28 AM
So it seems VirusTotal failed to scan the file if we input the link directly, but they can scan it if we upload the files directly. I don't know if this is a bug or not, but they should've fixed it already.


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: nc50lc on March 23, 2019, 02:08:23 AM
Wasabi's GitHub page also shares a short guide on GPG verification along with its public PGP key.

https://github.com/zkSNACKs/WalletWasabi/blob/master/WalletWasabi.Documentation/Guides/InstallInstructions.md#gpg-verification
Great, just like Electrum,
but just like Electrum, that won't help most newbies since most of them prefer the download-install-open method.
Glad they have taken down the site that quick.

So it seems VirusTotal failed to scan the file if we input the link directly, but they can scan it if we upload the files directly. I don't know if this is a bug or not, but they should've fixed it already.
It isn't a bug; if you input a URL, it will scan the server of the URL, not the specified download file.

If you download and upload the file to VirusTotal (like the image in the OP), it will scan the file using different antivirus engines.
If nothing was detected, the file doesn't have any malicious code even though it steals data, it might be programmed like any other software that can send and receive data to its server.


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: Pmalek on March 23, 2019, 08:40:44 AM
VirusTotal not detecting it doesn't mean anything. The important thing is what does this wallet do? Does it infect your device with malware/keyloggers or other unwanted viruses? If so then it is only a matter of time until VT detects the malicious code.
But if it doesn't install any malware, VirusTotal will not detect anything malicious. It's basically a software that sends and receives transactions, like any other wallet and those are not reported as infected by VT.


Title: Re: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org
Post by: whotookmycrypto on March 26, 2019, 03:05:01 AM
Great, just like Electrum,
but just like Electrum, that won't help most newbies since most of them prefer the download-install-open method.
Glad they have taken down the site that quick.

Yes, agreed on the point of users being too lazy to verify by PGP. This point is interesting, so I went to do some digging online and found this.

Source: https://securityboulevard.com/2018/11/10-rules-for-the-secure-use-of-cryptocurrency-hardware-wallets/
Quote
Users of cryptocurrency software should demand reproducible builds and code-signed executables to prevent tampering by an attacker post-installation. The advantage of code-signing, relative to manual verification with a tool like GPG, is that code signatures are automatically verified by the operating system on every launch of the application, whereas manual verification is typically only performed once, if at all. Even verifiable software, though, can still be subverted at runtime. Recognize that general-purpose computing devices are exposed to potentially risky data from untrusted sources on a routine basis.

Can someone explain:

(1) Why don't these wallets implement the code-signing mechanism mentioned above? If the OS can automatically verify the program at launch each time, isn't this a solution to having users verifying PGP by themselves?

(2) Is it right to say that if the Wasabi wallet had the code-signing mechanism implemented, it would have been easier for users to perform the verification, as they can easily view the properties of the file to see who the digital signatures belong to (like in this example: https://www.sslsupportdesk.com/how-to-verify-a-digital-code-signing-signature-in-windows/)?

Thanks.