Bitcoin Forum
Author Topic: [PSA] Fake Wasabi wallet from wasabibitcoinwallet [dot] org  (Read 287 times)
whotookmycrypto (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 214


WhoTookMyCrypto.com


View Profile WWW
March 22, 2019, 05:20:17 AM
Last edit: March 22, 2019, 04:45:18 PM by whotookmycrypto
Merited by dbshck (4), BitMaxz (3), joniboini (3), bones261 (3), pooya87 (2), odolvlobo (1), Kemarit (1), mk4 (1), DdmrDdmr (1)
 #1

Haven't seen this shared around here.

Basically, the scam website has one download link pointing Windows users to download the fake wallet. The other download links on the site are, however, legitimate. Comprehensive testing has yet to be conducted on the fake download to find out what it does but "it’s definitely a scam".

As with the recent attack on the Electrum wallet, this incident once again highlights the importance of verifying PGP signatures of your downloads. Good link on this forum on how to go about this: https://bitcointalk.org/index.php?topic=4059348.0

Scanning files for viruses alone isn't sufficient, as scanning it for viruses threw up no detections.

Image credits: https://twitter.com/nopara73/status/1108659418680516608

Stay safe.

Source of news:
https://thenextweb.com/hardfork/2019/03/21/wasabi-wallet-bitcoin-fake/

"Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own." -- Satoshi
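Added example, not part of the thread or of Wasabi's documentation, illustrating the first post's point about verifying PGP signatures: a check only means something when it is tied to the publisher's key, so this Python code parses `gpg --status-fd` output and accepts a download only if a valid signature comes from a pinned fingerprint. `PINNED_FPR` is a placeholder, the status lines and fingerprints produced by `sample_status` are constructed, and all function names are illustrative.

```python
import subprocess

# Placeholder: take the real 40-hex-digit fingerprint from the project's
# official channels. It is not given in this thread.
PINNED_FPR = "0" * 40

# Statuses that mean the signature or its key must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_fingerprints(status_text):
    """Primary-key fingerprints of valid signatures in `gpg --status-fd` output.

    Returns [] if gpg also reported a bad, expired or revoked signature/key.
    """
    fprs = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return []
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Token 12 is the primary key fingerprint when gpg reports it.
            fprs.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return fprs

def is_trusted_release(status_text, pinned_fpr):
    """True only if a valid signature was made by the pinned key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    return pinned in signer_fingerprints(status_text)

def verify_file(sig_path, file_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature, then apply the pinning check."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and is_trusted_release(proc.stdout, pinned_fpr)

def sample_status(fpr):
    """Constructed status output for one good signature by key `fpr`."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer <signer@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2019-03-22 1553230000 0 4 0 1 8 00 {fpr}\n")
```

A "Good signature" line on its own only says that some key in the local keyring signed the file; the fingerprint comparison is what ties the download to the publisher.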
Baofeng
Legendary
*
Offline Offline

Activity: 2576
Merit: 1655



View Profile
March 22, 2019, 06:51:08 AM
Merited by bones261 (2), Kemarit (1)
 #2

From Wasabi's co-founder himself:

https://twitter.com/nopara73/status/1108658747906449408


So just be careful.

mk4
Legendary
*
Offline Offline

Activity: 2744
Merit: 3830


Paldo.io 🤖


View Profile
March 22, 2019, 04:35:16 PM
 #3

How is this scam site being advertised or spread online? Couldn't make it appear on the front page through testing a few Google searches. No ads either.

EDIT: I think we're good. Page seems to be erased already. Keep your eyes peeled at all times though.


whotookmycrypto (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 214


WhoTookMyCrypto.com


View Profile WWW
March 22, 2019, 04:45:01 PM
Merited by bones261 (2)
 #4

Quote from: mk4
How is this scam site being advertised or spread online? Couldn't make it appear on the front page through testing a few Google searches. No ads either.

EDIT: I think we're good. Page seems to be erased already. Keep your eyes peeled at all times though.

If the scammer couldn't get it ranked on Google, then he/she could probably use social media to fool unsuspecting users? For example, giving advice out to users on Twitter on how to stay safe and directing them to that malicious link.

Yes, link has been taken down. Someone reported it to their host provider Namecheap.

ABCbits
Legendary
*
Offline Offline

Activity: 2856
Merit: 7406


Crypto Swap Exchange


View Profile
March 22, 2019, 05:54:59 PM
Merited by bones261 (1)
 #5

Wasabi's GitHub page also shares a short guide on GPG verification along with its public PGP key.

https://github.com/zkSNACKs/WalletWasabi/blob/master/WalletWasabi.Documentation/Guides/InstallInstructions.md#gpg-verification

Quote from: whotookmycrypto
If the scammer couldn't get it ranked on Google, then he/she could probably use social media to fool unsuspecting users? For example, giving advice out to users on Twitter on how to stay safe and directing them to that malicious link.

Basically a social engineering attack. I'd bet they share a misleading URL where the text and actual link are different, for example:

bitcoin.org

Code:
[url=bitcointalk.org]bitcoin.org[/url]

anu1908
Sr. Member
****
Offline Offline

Activity: 770
Merit: 268


View Profile
March 23, 2019, 01:52:28 AM
 #6

So it seems VirusTotal failed to scan the file if we input the link directly, but they can scan it if we upload the files directly. I don't know if this is a bug or not but they should've fixed it already.
nc50lc
Legendary
*
Online Online

Activity: 2394
Merit: 5535


Self-proclaimed Genius


View Profile
March 23, 2019, 02:08:23 AM
 #7

Quote from: ABCbits
Wasabi's GitHub page also shares a short guide on GPG verification along with its public PGP key.

https://github.com/zkSNACKs/WalletWasabi/blob/master/WalletWasabi.Documentation/Guides/InstallInstructions.md#gpg-verification

Great, just like Electrum,
but just like Electrum, that won't help most newbies since most of them prefer the download-install-open method.
Glad they have taken down the site that quick.

Quote from: anu1908
So it seems VirusTotal failed to scan the file if we input the link directly, but they can scan it if we upload the files directly. I don't know if this is a bug or not but they should've fixed it already.

It isn't a bug; if you input a URL, it will scan the server of the URL, not the specified download file.

If you download and upload the file to VirusTotal (like the image in the OP), it will scan the file using different antivirus engines.
If nothing was detected, the file doesn't have any malicious code; even though it steals data, it might be programmed like any other software that can send and receive data to its server.

Pmalek
Legendary
*
Offline Offline

Activity: 2744
Merit: 7104



View Profile
March 23, 2019, 08:40:44 AM
Merited by mk4 (1)
 #8

VirusTotal not detecting it doesn't mean anything. The important thing is what does this wallet do? Does it infect your device with malware/keyloggers or other unwanted viruses? If so then it is only a matter of time until VT detects the malicious code.
But if it doesn't install any malware, VirusTotal will not detect anything malicious. It's basically software that sends and receives transactions, like any other wallet, and those are not reported as infected by VT.

whotookmycrypto (OP)
Full Member
***
Offline Offline

Activity: 168
Merit: 214


WhoTookMyCrypto.com


View Profile WWW
March 26, 2019, 03:05:01 AM
Merited by vapourminer (1)
 #9

Quote from: nc50lc
Great, just like Electrum,
but just like Electrum, that won't help most newbies since most of them prefer the download-install-open method.
Glad they have taken down the site that quick.

Yes, agreed on the point of users being too lazy to verify by PGP. This point is interesting, so I went to do some digging online and found this.

Source: https://securityboulevard.com/2018/11/10-rules-for-the-secure-use-of-cryptocurrency-hardware-wallets/
Quote
Users of cryptocurrency software should demand reproducible builds and code-signed executables to prevent tampering by an attacker post-installation. The advantage of code-signing, relative to manual verification with a tool like GPG, is that code signatures are automatically verified by the operating system on every launch of the application, whereas manual verification is typically only performed once, if at all. Even verifiable software, though, can still be subverted at runtime. Recognize that general-purpose computing devices are exposed to potentially risky data from untrusted sources on a routine basis.

Can someone explain:

(1) Why don't these wallets implement the code-signing mechanism mentioned above? If the OS can automatically verify the program at launch each time, isn't this a solution to having users verifying PGP by themselves?

(2) Is it right to say that if the Wasabi wallet had the code-signing mechanism implemented, it would have been easier for users to perform the verification, as they can easily view the properties of the file to see who the digital signatures belong to (like in this example: https://www.sslsupportdesk.com/how-to-verify-a-digital-code-signing-signature-in-windows/)?

Thanks.
