Bitcoin Forum
Pages: « 1 2 [3] 4 »  All
Author Topic: There has been an increased number of "fake" electrums out there, be careful.  (Read 1549 times)
asche (Hero Member; Activity: 826, Merit: 1042)
December 28, 2018, 08:11:49 PM  #41

Quote
Hi to all, I've shared a phishing warning with the Russian-speaking community, but I have a question: are the hardware-based clients (like the Ledger Nano S) vulnerable to this kind of attack? Basically they're light clients and rely on third-party servers.

I believe (someone should correct me if I'm wrong, since I am far from an expert on hardware wallets) all transactions made on a Ledger Nano S are done through their own servers, which are owned by no one but the corporation behind the Ledger Nano S, so the chances that this will happen on their devices/Chrome app seem rather slim.

(They'd have to be the ones sabotaging their own servers, which wouldn't make any sense..?)





Every infected computer is vulnerable.
When using a HW wallet on an infected computer, the malware could modify the inputs you send to the HW wallet.
If you verify every detail on the HW wallet itself you should be safe.

However if you don't, you will be vulnerable to this kind of attack.


AdolfinWolf (Legendary; Activity: 1358, Merit: 1220)
December 28, 2018, 08:26:38 PM  #42

Quote
Every infected computer is vulnerable.
When using a HW wallet on an infected computer, the malware could modify the inputs you send to the HW wallet.
If you verify every detail on the HW wallet itself you should be safe.

However if you don't, you will be vulnerable to this kind of attack.

That is totally unrelated to whether an Electrum-esque attack like the one we've just seen can happen with Ledger software, to which the answer probably is no (due to the Ledger servers being solely operated by Ledger themselves).


Quote
However if you don't, you will be vulnerable to this kind of attack.
The Electrum attack that happened also affected non-infected users... which, per your criteria, shouldn't be possible?




HCP (Legendary; Activity: 1288, Merit: 2313)
December 29, 2018, 12:37:46 AM  #43

This attack is really just a variation on those browser popups that pretend to be a message from Microsoft saying that your computer is infected and you need to call 1-800-PLZ-SCAM-ME for assistance... or visit some website and download a virus removal tool which actually installs malware on your PC.

Basically, a somewhat "official" looking notification is sent to a user via the abuse of a feature (popup notifications in the browser, server error message in Electrum)... they believe it and follow the instructions, and end up downloading malware with a subsequent financial loss.

Kakmakr (Legendary; Activity: 1946, Merit: 1418)
December 29, 2018, 06:45:03 AM  #44
Merited by kano (5)

You're not going to stop social-engineered attacks like this with messages on a forum. They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.

They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.

hatshepsut93 (Legendary; Activity: 1470, Merit: 1155)
December 29, 2018, 07:01:18 AM  #45
Merited by Coding Enthusiast (1)

Quote from: Kakmakr
You're not going to stop social-engineered attacks like this with messages on a forum. They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.

They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.

No, they shouldn't; things like that can also be a security risk, and it also gives more power to developers, which isn't a good thing. This would require all Electrum clients to connect to some trusted server that can relay messages, and this would be against Electrum's philosophy of decentralization.

Quote from: Kakmakr
They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.

I guess you don't understand how Electrum works. There are no official servers; anyone can run a server. The hacker has spawned many servers to get as many people as possible to connect to them. The problem here is that malicious servers could display a popup when people sent transactions. This was a flaw in the software: it wasn't clear that it was just an error message that came from a server, and attackers had the ability to write arbitrary text there.

igor72 (Hero Member; Activity: 714, Merit: 909)
December 29, 2018, 07:55:00 AM  #46


Quote from: asche
I believe (someone should correct me if I'm wrong, since I am far from an expert on hardware wallets) all transactions made on a Ledger Nano S are done through their own servers, which are owned by no one but the corporation behind the Ledger Nano S, so the chances that this will happen on their devices/Chrome app seem rather slim.

(They'd have to be the ones sabotaging their own servers, which wouldn't make any sense..?)

No, transactions made on a hardware wallet paired with Electrum are done through Electrum servers.
Coding Enthusiast (Hero Member; Activity: 765, Merit: 1463)
December 29, 2018, 09:25:20 AM  #47

Quote from: Kakmakr
They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.

This IS what this attacker was using! The feature to send a warning message from the server.

The only way it can be prevented is if the servers can only send predefined messages. For example they can send a "code number": sending 1 means you need to update, sending 2 means there is a fork going on, ... so that it is not arbitrary.

AdolfinWolf (Legendary; Activity: 1358, Merit: 1220)
December 29, 2018, 11:35:17 AM  #48


Quote from: igor72
No, transactions made on a hardware wallet paired with Electrum are done through Electrum servers.

So what you're saying is that the Ledger Nano is paired with Electrum/using the same servers?

Do you have any sources on that? I find that hard to believe.

Every source I find points towards the Ledger Nano S having specific servers run only by the company behind the Nano S.

I don't think any of the popular hardware wallets connect to Electrum servers?

igor72 (Hero Member; Activity: 714, Merit: 909)
December 29, 2018, 01:12:58 PM  #49
Merited by AdolfinWolf (1)

Quote from: AdolfinWolf
So what you're saying is that the Ledger Nano is paired with Electrum/using the same servers?

Do you have any sources on that? I find that hard to believe.


AdolfinWolf (Legendary; Activity: 1358, Merit: 1220)
December 29, 2018, 01:41:45 PM  #50

Quote from: igor72
So what you're saying is that the Ledger Nano is paired with Electrum/using the same servers?

Do you have any sources on that? I find that hard to believe.
<..>

That isn't by default though? If you use their Chrome app (which most people do, I'm pretty sure) you obviously won't use Electrum servers, and instead use their centralized servers?

igor72 (Hero Member; Activity: 714, Merit: 909)
December 29, 2018, 02:12:16 PM  #51

Quote from: AdolfinWolf
That isn't by default though? If you use their Chrome app (which most people do, I'm pretty sure) you obviously won't use Electrum servers, and instead use their centralized servers?

What do you mean by 'by default'? By default, the user uses software from Ledger (Ledger Live); in this case Ledger's servers are used. But if the user connects a HW wallet (Ledger, Trezor, KeepKey) to Electrum, then transactions go through Electrum servers.
ETFbitcoin (Legendary; Activity: 1960, Merit: 2310)
December 29, 2018, 08:13:05 PM  #52

Quote from: hatshepsut93
No, they shouldn't; things like that can also be a security risk, and it also gives more power to developers, which isn't a good thing. This would require all Electrum clients to connect to some trusted server that can relay messages, and this would be against Electrum's philosophy of decentralization.

Furthermore, it will open another attack vector (a single point of failure) by design. So if by any chance an attacker could hack the official server, many people won't even think to verify/check and will be fooled.

Quote from: AdolfinWolf
That isn't by default though? If you use their Chrome app (which most people do, I'm pretty sure) you obviously won't use Electrum servers, and instead use their centralized servers?

No one uses the Chrome extension anymore; most people have already moved to Ledger Live, and AFAIK the extension was never updated again. But the beauty of some HW wallets is that you can use any software wallet, not only the "official" wallet provided by the creator.
Users still need the "official" wallet to install the library to install/support a certain type of cryptocurrency, even if they want to use another wallet.

rokkyroad (Legendary; Activity: 1091, Merit: 1000)
December 29, 2018, 09:45:17 PM  #53

This latest hack is particularly disturbing and it scared the crap out of me.  Hard to trust anything you download anymore. These types of disasters can destroy crypto if left unchecked.

What's going to be next? Online wallets safer than software wallets?

pooya87 (Legendary; Activity: 1960, Merit: 2540)
December 30, 2018, 03:31:35 AM  #54

Quote from: rokkyroad
This latest hack is particularly disturbing and it scared the crap out of me.  Hard to trust anything you download anymore.

It has never been hard and it will never be hard, only if you know what you are doing!

In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature, and when it fails you simply don't trust or install it!

Understanding PGP means knowing how to verify signatures and, more importantly, understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
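What that advice looks like in practice, as an added example in Python (not from the thread and not the Electrum project's code): the script runs GnuPG's --verify with machine-readable status output and accepts a download only if the signature is good AND made by a key whose fingerprint you pinned beforehand, which is the web-of-trust decision pooya87 is pointing at. EXPECTED_FPR is a placeholder, not any real developer's key; the status lines the parser is exercised on are constructed to follow GnuPG's documented --status-fd format, and the example assumes gpg is on PATH and the signer's public key is imported only for the real verify_download() call.

```python
"""Verify a downloaded wallet's detached PGP signature and pin the signer.

Added example, not Electrum's code. Two things must both hold before a file is
trusted: GnuPG reports the signature as valid (VALIDSIG) and the signing key's
fingerprint equals the one we pinned out of band. A valid signature from some
other key (a look-alike key uploaded to a keyserver, for instance) is rejected.
"""
import subprocess

# Placeholder (assumption): replace with the developer fingerprint you verified
# out of band. 40 hex digits, spaces allowed. This is NOT a real key.
EXPECTED_FPR = "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"

# Status keywords that each mean "do not trust this file", whatever else is said.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(status_text, expected_fpr):
    """Decide from gpg --status-fd lines whether the signature is valid and
    made by the pinned key. Returns (ok, reason)."""
    valid_fprs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in BAD_KEYWORDS:
            return False, keyword  # corrupt/forged file, or unknown, expired, revoked key
        # VALIDSIG <fingerprint> <sig-date> <sig-timestamp> ... ; fingerprint is fields[2]
        if keyword == "VALIDSIG" and len(fields) > 2:
            valid_fprs.append(fields[2].upper())
    if not valid_fprs:
        return False, "NO_VALIDSIG"
    wanted = expected_fpr.replace(" ", "").upper()
    # A good signature from *any* key is not enough; it must be the pinned key.
    if wanted not in valid_fprs:
        return False, "UNEXPECTED_KEY:" + ",".join(valid_fprs)
    return True, "VALIDSIG"


def verify_download(path, sig_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature and apply the pinning check.
    Needs gpg on PATH and the signer's public key already imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed status output in GnuPG's --status-fd format (fake key ids), used
# to exercise the parser offline.
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0000000000000000 Example Developer <dev@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-12-27 "
    "1545900000 0 4 0 1 10 00 0000000000000000000000000000000000000000\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
# Same shape, but signed by a different (unpinned) key.
STATUS_OTHER_KEY = STATUS_GOOD.replace("0" * 40, "F" * 40).replace("0" * 16, "F" * 16)
STATUS_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 0000000000000000 Example Developer <dev@example.invalid>\n")
STATUS_NOKEY = ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] ERRSIG 0000000000000000 1 10 00 1545900000 9\n"
                "[GNUPG:] NO_PUBKEY 0000000000000000\n")

if __name__ == "__main__":
    for name, status in [("good", STATUS_GOOD), ("other key", STATUS_OTHER_KEY),
                         ("bad sig", STATUS_BAD), ("no key", STATUS_NOKEY)]:
        print(name, "->", parse_gpg_status(status, EXPECTED_FPR))
```

GOODSIG is the easy half; the pinned fingerprint is what encodes the trust decision. Obtain it from somewhere independent of the download (the project's site over a separate channel, a release note signed by a key you already hold, a developer you can cross-check), never from the page that served the binary or from a keyserver search on the name.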

kano (Legendary; Activity: 3108, Merit: 1251)
December 30, 2018, 07:13:07 AM  #55

Quote from: Coding Enthusiast
This IS what this attacker was using! The feature to send a warning message from the server.

The only way it can be prevented is if the servers can only send predefined messages. For example they can send a "code number": sending 1 means you need to update, sending 2 means there is a fork going on, ... so that it is not arbitrary.

Yet no one seems to note the blatantly obvious point: to notify people about the problem, with a simple message, using this method that has allowed hackers to trick people into losing millions of dollars (as has happened) ...

kano (Legendary; Activity: 3108, Merit: 1251)
December 30, 2018, 07:14:34 AM  #56

Quote from: pooya87
It has never been hard and it will never be hard, only if you know what you are doing!

In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature, and when it fails you simply don't trust or install it!

Understanding PGP means knowing how to verify signatures and, more importantly, understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.

It didn't require a fake wallet - it happened with the official PGP-signed wallet.

Abdussamad (Legendary; Activity: 2422, Merit: 1264)
December 30, 2018, 11:42:56 AM  #57

Quote from: kano
It didn't require a fake wallet - it happened with the official PGP-signed wallet.

The message appeared on the legit wallet, but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text, and not verifying that software, suffered losses. So the real Electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
kano (Legendary; Activity: 3108, Merit: 1251)
December 30, 2018, 11:57:35 AM  #58

Quote from: Abdussamad
The message appeared on the legit wallet, but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text, and not verifying that software, suffered losses. So the real Electrum didn't steal from them. It was the fake software that people went out of their way to download and use.

Yes, we all know this - it has been stated a number of times before.

Indeed the official Electrum displayed an update notice and link, to a verified GitHub, that when installed meant you lost your bitcoins
... and literally millions of dollars of bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...

MagicByt3 (Sr. Member; Activity: 490, Merit: 343)
December 30, 2018, 12:44:13 PM  #59

Quote from: kano
Yes, we all know this - it has been stated a number of times before.

Indeed the official Electrum displayed an update notice and link, to a verified GitHub, that when installed meant you lost your bitcoins
... and literally millions of dollars of bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...

I have to agree with kano on this one: this is a serious flaw in the official software that allowed attackers to perform this.
The fact is there was no protection for users to stop the messages being shown, albeit in a somewhat official-looking manner.

As kano stated, the feature is not like the old alert system in Core that required keys before alert messages could be sent to the network.

Just out of curiosity, what was the intended use for it in Electrum?

Coding Enthusiast (Hero Member; Activity: 765, Merit: 1463)
December 30, 2018, 02:01:29 PM  #60

Quote from: MagicByt3
Just out of curiosity, what was the intended use for it in Electrum?

AFAIK this is the way the servers communicate with the clients that connect to them. For example, when you send a transaction with a low fee you receive a message telling you why your transaction was rejected, with a "low fee" message, or if you broadcast a message with a wrong signature, ... you'll receive another message, and so on.
The problem is that these messages (which are normally bitcoind responses) could be anything instead of being hard-coded in the client and predefined.

Quote from: MagicByt3
As kano stated, the feature is not like the old alert system in Core that required keys before alert messages could be sent to the network.

Of course the Core alerts required a key (which also was compromised at some point prior to the system's retirement), while Electrum messages can be sent by anyone. And I do realize that it wasn't a good example, but there is a good similarity there, which is why I mentioned it in the first place.
For starters, both cases are following a similar non-predefined message structure where the sender decides what to send. So the message could display anything, including a link.
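The mechanism Coding Enthusiast describes in #47 and #60 (the server's free-text reject reason shown to the user verbatim) and the "predefined messages" fix, as an added example in Python. This is not Electrum's code: the JSON-RPC replies, the two dialog renderers and the placeholder URL are all constructed for the example, and only the reply shape (an Electrum-protocol response to blockchain.transaction.broadcast) is taken from the protocol. The vulnerable renderer hands the server string to a dialog that interprets markup, which is how a server-sent link becomes clickable; the hardened renderer maps the text onto client-owned messages (the "code number" idea) and shows anything unrecognised only escaped, truncated, with links stripped and labelled as untrusted server output.

```python
"""Safe handling of server-supplied error text in a light-wallet client.

Added example, not Electrum's code. A server answers a broadcast either with a
txid or with a JSON-RPC error whose "message" is free text (normally bitcoind's
reject reason). That field is attacker-controlled, so the client must never
render it as markup or let the user act on links inside it.
"""
import html
import json
import re

# Constructed JSON-RPC replies (not captured from any real server).
REPLY_OK = json.dumps({"jsonrpc": "2.0", "id": 7, "result": "3a1f" + "00" * 30})
REPLY_LOWFEE = json.dumps({"jsonrpc": "2.0", "id": 7,
                           "error": {"code": 1, "message": "min relay fee not met, 100 < 200"}})
REPLY_PHISH = json.dumps({"jsonrpc": "2.0", "id": 7,
                          "error": {"code": 1, "message":
                              "Your version of Electrum is outdated. Update at "
                              "<a href=\"https://example.invalid/electrum\">here</a>"}})

# Client-owned, predefined messages. Server text is only matched against the
# patterns to choose one of them; in the hardened path it is never shown raw.
# Patterns follow bitcoind reject strings and are illustrative.
KNOWN_REJECTS = [
    (re.compile(r"min relay fee not met|insufficient fee|fee too low", re.I),
     "The server rejected the transaction because its fee is too low."),
    (re.compile(r"missingorspent|bad-txns-inputs", re.I),
     "The server rejected the transaction: an input is missing or already spent."),
    (re.compile(r"mandatory-script-verify-flag|bad-txns-", re.I),
     "The server rejected the transaction as invalid (script or signature check failed)."),
    (re.compile(r"txn-already-known|txn-already-in-mempool|already in block chain", re.I),
     "The server reports this transaction is already known."),
]
GENERIC = "The server rejected the transaction but gave no recognised reason."


def parse_broadcast_reply(raw):
    """Return ("ok", txid) or ("error", message) from a JSON-RPC reply string."""
    reply = json.loads(raw)
    if "error" in reply:
        err = reply["error"]
        # A hostile server may omit or mistype the field; coerce to a string.
        msg = err.get("message") if isinstance(err, dict) else None
        return "error", (msg if isinstance(msg, str) else "")
    return "ok", reply.get("result")


def vulnerable_dialog_body(raw):
    """Pre-fix pattern: the server text goes straight into a dialog that renders
    rich text, so any <a href> the server sends becomes a clickable link."""
    status, payload = parse_broadcast_reply(raw)
    if status == "ok":
        return "Transaction broadcast: " + payload
    return "Error broadcasting transaction:<br>" + payload  # unescaped, attacker-controlled


def hardened_dialog_body(raw):
    """Map server text onto a predefined client message; show unrecognised text
    only with links removed, escaped, truncated and labelled untrusted."""
    status, payload = parse_broadcast_reply(raw)
    if status == "ok":
        return "Transaction broadcast: " + payload
    for pattern, text in KNOWN_REJECTS:
        if pattern.search(payload):
            return text
    detail = re.sub(r"https?://\S+", "[link removed]", payload)  # nothing to click
    detail = html.escape(detail[:120])                           # nothing to render
    return GENERIC + " Raw server text (untrusted): " + detail


if __name__ == "__main__":
    for raw in (REPLY_OK, REPLY_LOWFEE, REPLY_PHISH):
        print("vulnerable:", vulnerable_dialog_body(raw))
        print("hardened:  ", hardened_dialog_body(raw))
```

The point of the pattern table is not the patterns themselves but that the strings the user sees are chosen by the client: a malicious server can pick which of the predefined messages appears, and nothing more. Where a protocol offers a numeric error code, match on that rather than on text.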
