Bitcoin Forum
December 13, 2019, 11:08:50 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Warning: There is an ongoing phishing attack against Electrum users  (Read 544 times)
bL4nkcode
Copper Member
Hero Member
*****
Offline Offline

Activity: 1386
Merit: 825


Jack of all trades, Master of none.


View Profile WWW
January 11, 2019, 10:54:13 AM
 #1

Saw this tweet of electrum hours ago. Please be aware, and be careful.

"Warning: there is an ongoing phishing attack against Electrum users, where rogue servers ask users to install bitcoin-stealing malware. We released version 3.3.2, which mitigates the attack. See https://electrum.org/#download"

Source: https://twitter.com/ElectrumWallet/status/1083334662427164672

..bustadice..         ▄▄████████████▄▄
     ▄▄████████▀▀▀▀████████▄▄
   ▄███████████    ███████████▄
  █████    ████▄▄▄▄████    █████
 ██████    ████████▀▀██    ██████
██████████████████   █████████████
█████████████████▌  ▐█████████████
███    ██████████   ███████    ███
███    ████████▀   ▐███████    ███
██████████████      ██████████████
██████████████      ██████████████
 ██████████████▄▄▄▄██████████████
  ▀████████████████████████████▀
                     ▄▄███████▄▄
                  ▄███████████████▄
   ███████████  ▄████▀▀       ▀▀████▄
               ████▀      ██     ▀████
 ███████████  ████        ██       ████
             ████         ██        ████
███████████  ████     ▄▄▄▄██        ████
             ████     ▀▀▀▀▀▀        ████
 ███████████  ████                 ████
               ████▄             ▄████
   ███████████  ▀████▄▄       ▄▄████▀
                  ▀███████████████▀
                     ▀▀███████▀▀
           ▄██▄
           ████
            ██
            ▀▀
 ▄██████████████████████▄
██████▀▀██████████▀▀██████
█████    ████████    █████
█████▄  ▄████████▄  ▄█████
██████████████████████████
██████████████████████████
    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
       ████████████
......Play......
1576278530
Hero Member
*
Offline Offline

Posts: 1576278530

View Profile Personal Message (Offline)

Ignore
1576278530
Reply with quote  #2

1576278530
Report to moderator
1576278530
Hero Member
*
Offline Offline

Posts: 1576278530

View Profile Personal Message (Offline)

Ignore
1576278530
Reply with quote  #2

1576278530
Report to moderator
1576278530
Hero Member
*
Offline Offline

Posts: 1576278530

View Profile Personal Message (Offline)

Ignore
1576278530
Reply with quote  #2

1576278530
Report to moderator
Best ratesfor crypto
EXCHANGE
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Lucius
Legendary
*
Offline Offline

Activity: 1624
Merit: 1413


Fortis Fortuna Adiuvat


View Profile WWW
January 11, 2019, 11:36:37 AM
 #2

I'm not sure why Electrum gives a warning again since that attack is actually never stopped. Electrum just changed, or as they say mitigates the attack in a way how users see that notification pop message.

So there is no direct link to fake wallet download (click link), but message is looks like this :



Some users obviously still fall into this trap and download fake wallets, probably because of that Electrum reacted again by tweet that warning.

BitMaxz
Legendary
*
Offline Offline

Activity: 1638
Merit: 1278


Beware on fake ledger nano, trezor and electrum.


View Profile WWW
January 11, 2019, 06:22:41 PM
 #3

It seems that the error only shows on the latest version of electrum? I tried the other version but I don't see any error yet.

It looks like only the 3.3.2 version is infected with this attack.

I'm sure that they will release a new version of electrum this coming week and I hope they can inform all Electrum users about this issue before someone installs a fake Electrum wallet.

I already check the link from the image above it looks like someone already reported it.

HCP
Legendary
*
Online Online

Activity: 1176
Merit: 1992

<insert witty quote here>


View Profile
January 12, 2019, 02:21:11 AM
Merited by ETFbitcoin (1)
 #4

It seems that the error only shows on the latest version of electrum? I tried the other version but I don't see any error yet.

It looks like only the 3.3.2 version is infected with this attack.
It has nothing to do with the version of the Electrum client that you have installed/are using... it all depends on which Electrum server you get connected to.

Also, I believe that the message only shows when you attempt to broadcast a transaction.

The message is generated and sent by rogue Electrum servers that have been setup and launched by the attackers. They modified the (open source) code, so that regardless of your client and/or how your transaction is setup, the server will automatically return the fake "error" message to your client encouraging you to "upgrade". Then the attackers launched hundreds of servers (using different domains) to increase the odds that a client would get automatically connected to one of their servers.

So, if you automatically (or manually) connect to a "good" server, you will never see this message... and if you're connected to a "bad" server, but don't try and broadcast a transaction, you will not see this message either.

pooya87
Legendary
*
Offline Offline

Activity: 1848
Merit: 2111


Remember tonight for it's the beginning of forever


View Profile
January 12, 2019, 05:04:09 AM
 #5

I'm not sure why Electrum gives a warning again since that attack is actually never stopped. Electrum just changed, or as they say mitigates the attack in a way how users see that notification pop message.

people aren't upgrading their Electrum just because this bug existed in older versions. there are still people using Electrum 2.x.x versions out there too! so as long as the attack is ongoing some sort of warning on their Twitter page from time to time is a good idea. they may need to stick it on top though.

elda34b
Sr. Member
****
Offline Offline

Activity: 602
Merit: 334


View Profile
January 12, 2019, 06:47:36 AM
 #6

people aren't upgrading their Electrum just because this bug existed in older versions. there are still people using Electrum 2.x.x versions out there too! so as long as the attack is ongoing some sort of warning on their Twitter page from time to time is a good idea. they may need to stick it on top though.

They'll probably need to pin it forever, because it seems these 'bad' servers will continue to exist as long as people still use Electrum. Anyway, this should increase security awareness. For god’s sake, I never understand why people just download and never verify a file from the internet.
Lucius
Legendary
*
Offline Offline

Activity: 1624
Merit: 1413


Fortis Fortuna Adiuvat


View Profile WWW
January 12, 2019, 10:39:54 AM
 #7

There is currently no way to prevent the appearance of this message through legitimate Electrum wallet so every warning is welcome. But the very fact that vulnerability still exists makes this wallet very risky for any inexperienced user. We can talk about how is important to always check files before installation, or to never download wallets from untrusted source - people simply do not pay attention to such things.

I'm not sure if it's technically possible that Electrum use this exploit in a way to show warning message to users, but before any transaction is initiated?

Awkward_Public_Stoner
Newbie
*
Offline Offline

Activity: 13
Merit: 4


View Profile
January 12, 2019, 10:54:36 AM
 #8

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.
Abdussamad
Legendary
*
Offline Offline

Activity: 2310
Merit: 1220



View Profile
January 12, 2019, 11:21:45 AM
 #9

I'm not sure if it's technically possible that Electrum use this exploit in a way to show warning message to users, but before any transaction is initiated?

Well first of all Electrum doesn't show update notifications at all. If it were to start now it'll only muddy the waters even more

Second the message is by the server you are connected to and the electrum company doesn't control those servers. If it did then they could simply replace the messages with numerical error codes and then the client could display a limited set of meaningful error messages depending on the error code instead of arbitrary messages from the server. This is the proper fix they talked about.

In the meantime the electron cash approach might work where they attempt to parse the message from the server and then replace it with a legit error message. Another suggestion was to hide the message from the server under a read more button so that those who actually cared could read it while your regular users won't bother and therefore won't be phished.
Lucius
Legendary
*
Offline Offline

Activity: 1624
Merit: 1413


Fortis Fortuna Adiuvat


View Profile WWW
January 12, 2019, 01:39:39 PM
Last edit: January 12, 2019, 01:49:40 PM by Lucius
 #10

Well first of all Electrum doesn't show update notifications at all. If it were to start now it'll only muddy the waters even more

Electrum is show this message in combination with bad servers, and even if Electrum can not influence on such servers, yet there is a great deal of responsibility on them. Such a thing should be foreseen and prevented, but instead of that we have hundreds of stolen BTC and confusion that continues to last...

You posted some of possible solutions, and both would in any case be better than the current situation. It's been 16 days since the attack started, and only fix in that period is mitigation of problem.

I see there is version of Electrum 3.2.4 (2018-12-31 11:26), but on main page is still Latest release: Electrum-3.3.2 , even more confusion...?

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

Nothing is 100% sure, but I found a list with Electrum servers which could help. However, owner of this site can also be tricked to list some bad server, it is just for informational purposes.

https://1209k.com/bitcoin-eye/ele.php

Abdussamad
Legendary
*
Offline Offline

Activity: 2310
Merit: 1220



View Profile
January 12, 2019, 02:28:13 PM
 #11

You posted some of possible solutions, and both would in any case be better than the current situation. It's been 16 days since the attack started, and only fix in that period is mitigation of problem.

You should complain in that issue: https://github.com/spesmilo/electrum/issues/4968

I see there is version of Electrum 3.2.4 (2018-12-31 11:26), but on main page is still Latest release: Electrum-3.3.2 , even more confusion...?

3.2.4 contains a backported version of the phishing attack mitigation for users who can't upgrade to python 3.6. Everyone else should stick to 3.3.2.
paulus59
Newbie
*
Offline Offline

Activity: 230
Merit: 0


View Profile
January 12, 2019, 07:04:11 PM
 #12

hello there

some day's ago someone stole my BTC from electrum wallet after I upgraded from 3.3.1  > to 3.3.2

all my BTC are gone 0.05xxx    but I have decided after cleaning my computer to reinstall the new and latest wallet
now when I installed this I tough let's see the file structure in that wallet it apart from mine wallet.dat folder this is what I saw  http://i66.tinypic.com/2n0pkq8.jpg

i don't think this is correct look at the date stamp of the actual wallet exe file create day: 11-11-2000 !!???

so, in short, i downloaded from the original website what I always do then installed it then I went to the folder and this is what i saw

please need help an advice
Abdussamad
Legendary
*
Offline Offline

Activity: 2310
Merit: 1220



View Profile
January 13, 2019, 04:55:08 PM
 #13

look at your browser history and confirm the url you downloaded electrum from ?
paulus59
Newbie
*
Offline Offline

Activity: 230
Merit: 0


View Profile
January 14, 2019, 10:07:18 AM
 #14


yes, it is from the original website >  http://nl.tinypic.com/r/2njwpc8/9


image of download history



i would say check your own folder structure see if it is the same as my image
G3nijalac
Member
**
Offline Offline

Activity: 87
Merit: 10


View Profile
January 14, 2019, 02:15:03 PM
 #15

So what would be the wisest course of action?
Just wait untill the issue gets fixed and not use the wallet in the meantime?

One important question. Does the transaction go trough despite the error msg?
Like is the functionality unaffected?

Thanks for info.

Abdussamad
Legendary
*
Offline Offline

Activity: 2310
Merit: 1220



View Profile
January 14, 2019, 06:11:01 PM
 #16

So what would be the wisest course of action?
Just wait untill the issue gets fixed and not use the wallet in the meantime?

One important question. Does the transaction go trough despite the error msg?
Like is the functionality unaffected?

Thanks for info.

The only thing you need to do is that in the event you get an error message when spending bitcoins try switching servers. Don't download any software that the error message tells you to.
HCP
Legendary
*
Online Online

Activity: 1176
Merit: 1992

<insert witty quote here>


View Profile
January 18, 2019, 07:19:14 PM
 #17

One important question. Does the transaction go trough despite the error msg?
Like is the functionality unaffected?
To answer this question... As I understand it... No, the transaction does not go through. All the "bad" servers do is throw back the fake error message and encourage the user to download malware. (NOTE: I believe the github repository that it linked to has already been removed)

So, as Abdussamad mentioned, simply ignore the error and connect to a different server. If you do that, there is no danger to your wallet or coins from this "attack".

joele
Legendary
*
Offline Offline

Activity: 1020
Merit: 1000



View Profile
January 25, 2019, 03:48:36 AM
 #18

Old Electrum 2.9.3 and selected server node 'b.ooze.cc' still works for me.
Lucius
Legendary
*
Offline Offline

Activity: 1624
Merit: 1413


Fortis Fortuna Adiuvat


View Profile WWW
January 25, 2019, 10:41:32 AM
 #19

joele, older versions still works, but there are problems with synchronization and with security. You should not use any version under 3.0.5 because of security problem which is fixed with this version. Also it is good practice to always use latest version, your version is too old and it is not safe.

Quote
# Release 3.0.4 : (Security update)

 * Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
   in the JSONRPC interface. Previous versions of Electrum are
   vulnerable to port scanning and deanonimization attacks from
   malicious websites. Wallets that are not password-protected are
   vulnerable to theft.
 * Bundle QR scanner with Android app
* Minor bug fixes

Quote
# Release 3.0.5 : (Security update)

This is a follow-up to the 3.0.4 release, which did not completely fix
issue #3374. Users should upgrade to 3.0.5.

 * The JSONRPC interface is password protected
 * JSONRPC commands are disabled if the GUI is running, except 'ping',
which is used to determine if a GUI is already running

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

pooya87
Legendary
*
Offline Offline

Activity: 1848
Merit: 2111


Remember tonight for it's the beginning of forever


View Profile
January 26, 2019, 07:28:44 AM
Merited by Abdussamad (2), Lucius (1)
 #20

finally it is fixed in the newest version 3.3.3
reference: https://github.com/spesmilo/electrum/pull/5011/files
it uses the same approach as the electronBCH approach that takes the message, analyzes it and then translates that into predefined messages instead of showing whatever the server sent. that should solve this issue for good.
if the server sends you a malicious message you should see ""Unknown error" instead of it.

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!