Bitcoin Forum
Author Topic: Never use ELECTRUM WALLET!  (Read 458 times)
NeuroticFish
Legendary
Activity: 3668
Merit: 6382
August 24, 2019, 05:26:36 PM
 #21

I agree that there is a problem in fact most of us maybe create public opinion by saying "Do not use web wallets", and most users think desktop wallets are safe option. I am not sure is it more appropriate to direct users to hardware wallets, so far they are safe, but who can guarantee that this will be the case tomorrow or in a year?

Well, cold wallets are safe and nowadays they're not so difficult to set up.
And there's always the option of storing on paper wallets (of course, they have to be properly done, and of course, there were problems there too, mostly because of not-random-enough seeds).
But you are right. Human error is always a factor that has to be properly counted in.

wwzsocki
Legendary
Activity: 2744
Merit: 1708
August 24, 2019, 07:35:53 PM
Last edit: August 24, 2019, 08:25:52 PM by wwzsocki
 #22

...all of these users are at fault for not using the common sense. If you had looked at your address bar, you would have noticed that you were not on the official website...

I would agree with you until I have seen this post:

The most tricky phishing website I've heard was this one. Looks like Binance.com but there are no "n". This is strange n with dot at the bottom.


source

How to deal with such a phishing address? Those dots are almost unnoticeable.

Very good that you shared this.

I had to look for quite some time on the URL to spot the difference and to be honest I wasn't able to...

Even after I have read about the dots, still I was trying to clean the screen because I was sure it is something on the screen.

I think this one is the biggest threat from all fake URLs I have seen so far and people should be aware of these.
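
One way to catch the look-alike address described in this post without relying on eyesight, as an added example that is not part of the thread: convert the hostname to the ASCII form that DNS actually resolves and list every non-ASCII character by name. The watch list, the function names and the sample hostname (built from the post's description, with both n's replaced by U+1E47) are assumptions made for this example.

```python
import unicodedata

# Sites the user actually means to visit (assumed watch list for this example).
TRUSTED = {"binance.com", "bitcoinelectrum.com"}


def skeleton(host: str) -> str:
    """Decompose each character and drop combining marks, so 'ṇ' folds to 'n'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def scripts(label: str) -> set:
    """Rough script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def inspect_hostname(host: str, trusted=TRUSTED) -> dict:
    host = host.strip().rstrip(".").lower()
    try:
        # An address bar may already show the punycode form; decode it first.
        if any(label.startswith("xn--") for label in host.split(".")):
            host = host.encode("ascii").decode("idna")
        wire = host.encode("idna").decode("ascii")  # the name DNS really resolves
    except UnicodeError:
        wire = None
    non_ascii = [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                 for c in host if ord(c) > 127]
    folded = skeleton(host)
    if not non_ascii:
        verdict, imitates = ("trusted" if host in trusted else "unknown"), None
    elif folded in trusted:
        verdict, imitates = "lookalike", folded
    else:
        # Cross-script confusables (e.g. Cyrillic 'а') need the Unicode
        # confusables table, which this example does not include.
        verdict, imitates = "non-ascii", None
    return {
        "host": host, "wire": wire, "non_ascii": non_ascii,
        "mixed_script": any(len(scripts(l)) > 1 for l in host.split(".")),
        "verdict": verdict, "imitates": imitates,
    }


if __name__ == "__main__":
    # Constructed sample following the post's description: both n's replaced
    # by U+1E47 (n with dot below).
    fake = "bi\u1e47a\u1e47ce.com"
    for name in (fake, "binance.com"):
        print(inspect_hostname(name))
```

Any hostname whose `wire` form starts with `xn--` while the displayed form looks like a known site deserves the same suspicion as a misspelled domain.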

pooya87
Legendary
Activity: 3444
Merit: 10558
August 25, 2019, 03:59:47 AM
 #23

~
I think this one is the biggest threat from all fake URLs I have seen so far and people should be aware of these.

actually this does not concern wallets at all because technically you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
the only thing that you should ever worry about is acquiring the real public key of the developer. then you could even receive the binaries in your Email from someone and check the signature with that public key. as long as PGP is not broken (which it is not) there is no way to fake this.

those people who got scammed (mentioned in the comment you quoted) got scammed because they never bothered with signature verification ever.
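
The check this post describes, as an added example that is not part of the thread: a signature only counts if it was made by the key you obtained from the developer, so the script below reads GnuPG's machine-readable status lines and accepts a download only when a `VALIDSIG` line carries the pinned fingerprint. Both fingerprints and the status lines are constructed placeholders (not any real developer's key), and the function names are assumptions.

```python
import subprocess

# Status keywords that mean gpg itself rejected a signature or its key.
BLOCKING = ("BADSIG", "EXPKEYSIG", "REVKEYSIG")

# Constructed placeholder fingerprints, not real keys.
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def normalize(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def check_status(status: str, pinned_fpr: str):
    """Return (accepted, reason) from the output of `gpg --status-fd`."""
    pinned = normalize(pinned_fpr)
    signers = []
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in BLOCKING:
            return False, f"{keyword}: rejected by gpg"
        # ERRSIG (for example a co-signer's key you do not have) adds no signer.
        if keyword == "VALIDSIG" and args:
            # The tenth argument is the primary key fingerprint when present.
            signers.append(normalize(args[9] if len(args) > 9 else args[0]))
    if pinned in signers:
        return True, "valid signature from the pinned key"
    if signers:
        return False, "valid signature, but not from the pinned key"
    return False, "no valid signature found"


def verify_download(sig_path: str, file_path: str, pinned_fpr: str):
    """Run gpg on a detached signature and apply the pinning check."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fpr)


def sample_status(fpr: str, good: bool = True) -> str:
    """Constructed status output for one signature made by key `fpr`."""
    fpr = normalize(fpr)
    who = f"{fpr[-16:]} Constructed Signer <signer@example.invalid>"
    if not good:
        return f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {who}"
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {who}",
        f"[GNUPG:] VALIDSIG {fpr} 2019-08-20 1566300000 0 4 0 1 8 00 {fpr}",
    ])


if __name__ == "__main__":
    for signer in (PINNED, OTHER):
        print(check_status(sample_status(signer), PINNED))
```

The second sample is the case that matters: gpg reports a good signature, but from a key nobody pinned, which is all a fake download needs to show if the fingerprint is never compared.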

wwzsocki
Legendary
Activity: 2744
Merit: 1708
August 25, 2019, 11:24:16 AM
Last edit: August 27, 2019, 12:18:42 PM by wwzsocki
 #24

...even if you download them from the official website it still is not safe until you cryptographically verify its digital signature. the only thing that you should ever worry about is acquiring the real public key of the developer...as long as PGP is not broken (which it is not) there is no way to fake this...

I agree with you and we should do all we can to inform at least Bitcointalk members about this and educate further on how to use PGP encryption and programs like Kleopatra.
As we all know the most used OS is Windows and this is not so easy to verify signatures on this system for beginners or not tech-savvy people.

To be honest, I have never checked signatures until today. Already downloaded Kleopatra (a couple of times) and started the process (with the help of a how-to tutorial) but always gave up halfway.
I am sure, I have failed every time because it is just not easy to set up PGP and I didn't need it very badly, for example, to secure all my BTC holdings. In such circumstances, I would do it for sure, no matter how time-consuming and complicated it could be.

This is not the first time we have problems with malicious links to wallets on the web and here on Bitcointalk. I think I have seen already all kinds of wallet hacks: changed links in quotes, changed links in ANN and bounty threads, posting links from hacked accounts, malicious updates and pop-ups, fake redirects, counterfeit signatures, etc. You name it - I have seen it.

Still, I haven't heard about signatures check using PGP, until a couple of months ago, when the problems with Mycelium wallet exploded. I am very long and frequently here on the forum and from what I have seen, everybody was always using VirusTotal, as a reference tool, to check the wallets for viruses and verify them. In all wallet reviews posted here, I have never seen a single PGP signature check to be made.

Sometimes viruses were found by VirusTotal in wallets and I have written about this, to warn other members. I just couldn't believe, that some of them tried to defend these wallets, vouched they were clean and all found viruses are only "false-positive" and totally not harmful  Grin. In the beginning, there were no viruses in wallets at all, even false-positives, but somebody started misinformation (on purpose), wrote a couple of posts, articles, answers about false-positive matches on VirusTotal. This way changed the opinion of enough members, to bring chaos and total misinformation about false-positives virus warnings in the scanned wallets. In my opinion, it was made on purpose and we have missed it on our watch.

I think, the best way to handle this is an informational campaign, to let people know about the need for PGP signature check and how to do it correctly. There is actually no other way, to be relatively safe when downloading something online, as to do the PGP signature check every single time. We should talk about this and keep repeating on every occasion, especially in the Beginners and scam sections. If we start to do it, I am sure, members will create a lot of additional content about PGP (tutorials, translations, guides to Kleopatra, etc) and the word will keep spreading further kinda automatically.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
August 25, 2019, 12:49:00 PM
Merited by wwzsocki (1)
 #25

I am sure I failed every time because is not easy to set up
Have you seen Abdussamad's page of Electrum guides at https://bitcoinelectrum.com/? There is one for how to verify Electrum using Kleopatra (link here) which is pretty straightforward to follow and use. Hopefully it should help you out. Make sure you double check Thomas V's GPG key which appears on that page, to protect yourself in the rare chance that that site is hacked.

I think, the best way to handle this is an informational campaign, to let people know about the need for PGP signature check and how to do it correctly.
There is no way to contact everyone who uses, or intends to use, Electrum - there is no database of users, in-wallet messaging service, or email sign up. The best that can be done is to give clear instructions on the site, which is already done. On the landing page it says to verify the signature, and on the download page there is a box which explains why you should verify signatures, and provides links to various tutorials.

As you say, we can talk about it on the forum, but the majority of threads are ones such as this one - users who have already ignored the instructions, installed malware, lost their coins, and then come to complain. Few users seem to spend any time doing basic due diligence before downloading and installing new software.
wwzsocki
Legendary
Activity: 2744
Merit: 1708
August 25, 2019, 01:23:05 PM
Last edit: August 25, 2019, 07:38:06 PM by wwzsocki
 #26

There is no way to contact everyone who uses, or intends to use, Electrum - there is no database of users, in-wallet messaging service, or email sign up. The best that can be done is to give clear instructions on the site, which is already done. On the landing page it says to verify the signature, and on the download page there is a box which explains why you should verify signatures, and provides links to various tutorials...

I agree with you, but I was not talking only about Electrum wallet but rather had in mind a much bigger picture. What I mean is that we should try to inform people (best we could) to develop a habit, to check every signature of the downloaded file using PGP, especially when it goes to programs with sensible data, but not only of course. The best outcome would be when literally every download will be checked. This is exactly, as it was with VirusTotal, at some point, I started to scan almost all URLs, files, downloads which were new or seemed suspicious to me. So far I was never hacked or don't know about it.

The Sceptical Chymist
Legendary
Activity: 3332
Merit: 6832
August 25, 2019, 02:37:21 PM
 #27

Before the 3.3.3 update was released, Electrum had never notified users of available updates. You are the one at fault.
I almost fell for this and wasn't aware of how you got notified of Electrum updates.  I got a pop-up to upgrade and proceeded to do so, but my virus protection software said the update had malware on it.  Crazy.  That was like 2 months ago or so.  I assume that's the issue OP had.

Aside from that, Electrum is a great wallet--you just have to be careful about hacking attempts, I guess.  I wouldn't go so far as to blame OP for falling for the trick, as he hadn't used the wallet in some time and had no reason to think he'd get scammed that way. 

you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
And if you ever wonder why the average person won't adopt bitcoin, see the above quote.  Lol.

bob123
Legendary
Activity: 1624
Merit: 2481
August 25, 2019, 03:12:30 PM
 #28

you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
And if you ever wonder why the average person won't adopt bitcoin, see the above quote.  Lol.

The average person is not ready yet to take responsibility for their own money.
It is the average person who gets involved into credit card fraud because they entered it into a shady site or in an open wifi.

Verifying signature is a mandatory step which takes less than a minute. And with all the guides available and all the messages telling you to verify it, it is quite sad that people still don't do that.

We definitely can have adoption of bitcoin. But first we need some idiot-proof wallets (e.g. hardware wallets embedded into mobile phones with triple checking of everything).
Hardware wallets can already be used by average persons, if they are capable of reading and double checking the address on the display.
It is just that the riskier wallets (desktop-, mobile- and paper wallets) need more tech-savvy people who know how to protect digital information and how to verify integrity of data.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
August 25, 2019, 06:20:11 PM
 #29

I agree with you, but I was not talking only about Electrum wallet and rather had in mind a much bigger picture. What I mean is that we should try to inform people (best we could) to develop a habit, to check every signature of the downloaded file using PGP, especially when it goes to programs with sensible data, but not only of course.
I agree that would be ideal, but the chances of 100% of users checking 100% of the time is 0%. People should also always be checking the URL of the page they are entering their details into, they should be checking the sending address of the email claiming to be from their bank, they should be scanning every file they download for malware, they should be double checking the sending address they just copy pasted, and so forth. Unfortunately, most people don't pay any attention to basic security and safety measures until they have already fallen victim.

It's for these reasons that banks keep implementing more and more security steps you have to go through and hurdles you have to jump to be allowed to spend your own money. People who pay no attention and keep getting scammed make the system worse for the rest of us. As bob123 says, we do have an issue with wallets being too complicated for the average person, whose only tech knowledge is how to post selfies on social media.
pooya87
Legendary
Activity: 3444
Merit: 10558
August 26, 2019, 03:25:59 AM
 #30

To be honest, I have never checked signatures until today. Already downloaded Kleopatra (a couple of times) and started the process (with the help of a how-to tutorial) but always gave up halfway.
I am sure, I have failed every time because it is just not easy to set up PGP and I didn't need it very badly, for example, to secure all my BTC holdings. In such circumstances, I would do it for sure, no matter how time-consuming and complicated it could be.

well it is a matter of how you value your own security. sometimes we have to endure the complicated process to reach the high security we need. it doesn't come cheap.
with that said i am a windows user and have only verified signature on windows once. i didn't like Kleopatra either. but i did a workaround, i used Ubuntu. download verify Ubuntu signature and now i have that for easy verification each time i download a new software.

This is not the first time we have problems with malicious links to wallets on the web and here on Bitcointalk.
it is probably the biggest attempt but certainly not the first. there has been a lot more in the past, i myself have reported at least 10 or 12 malicious repositories on github trying to fool people into thinking they are downloading the "real" electrum from the "real repository"!

Quote
Still, I haven't heard about signatures check using PGP, until a couple of months ago, ...
I think, the best way to handle this is an informational campaign...
from 2016: https://bitcointalk.org/index.php?topic=1588906.0
a good idea to inform others as much as we can, but still the information is already out there, users must look for it themselves.


adaseb
Legendary
Activity: 3752
Merit: 1710
August 26, 2019, 06:41:45 AM
 #31

How did the OP get the error message which had the clickable link to the fake Github page? A few months ago most Electrum server nodes started to crash any clients to prevent this from happening.

When he last used Electrum he had a server list of Electrum nodes, it most likely tried to connect to those nodes. 100% of those nodes were good nodes and one of those should have crashed his client before he accidentally found a node which was fake to display the message.


wwzsocki
Legendary
Activity: 2744
Merit: 1708
August 26, 2019, 08:17:39 AM
Last edit: August 27, 2019, 12:23:28 PM by wwzsocki
 #32

...we do have an issue with wallets being too complicated for the average person, whose only tech knowledge is how to post selfies on social media.

I think this is the main reason why people don't use PGP encryption more often or even don't check the signatures because it is too complicated.

I wonder if there is no improvement possible?

A very easy to use, super user-friendly PGP software that every not tech-savvy person can operate would be a perfect solution.

...i am a windows user and have only verified signature on windows once. i didn't like Kleopatra either...

As I said before and your words confirm my statement that PGP is not used because it is too complicated. It starts with download where people are immediately confused because there is a set of programs and to be honest only Kleopatra is needed but an average person doesn't know about this and downloads the full package (which only makes the confusion even bigger later on). Every next step is more confusing and I am not wondering that almost nobody is using this if they really don't have to.

I think my computer knowledge is much higher than an average person's but still, I find PGP encryption using Kleopatra not easy to do, especially if one has to do the initial setup on his own and never had any experience with PGP or Kleopatra.

Maybe there are other better and more user-friendly PGP programs and I don't know about it?


Pmalek
Legendary
Activity: 2758
Merit: 7136
August 26, 2019, 08:40:19 AM
 #33

I think this is the main reason why people don't use PGP encryption more often or even don't check the signatures because it is too complicated.

I wonder if there is no improvement possible?

A very easy to use, super user-friendly PGP software that every not tech-savvy person can operate would be a perfect solution.
If you think about it, it really isn't complicated at all. All you have to do is read the instructions and follow them. The problem is that people are lazy.

Quote
Start by downloading GPG4Win and then install it. When installing you only need the Kleopatra component so you can skip the other things included with the software.
The first step mentions you only need Kleopatra so don't even bother installing the rest or if you do, you don't need to use them ever.
Everything else is explained step by step. There are even pictures.

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

Lucius
Legendary
Activity: 3234
Merit: 5664
August 26, 2019, 09:36:37 AM
 #34

How did the OP get the error message which had the clickable link to the fake Github page? A few months ago most Electrum server nodes started to crash any clients to prevent this from happening.

Electrum fixed the phishing pop-up notification completely in version 3.3.4, and any version under that is still vulnerable to such attacks. Users who still have older versions and are not aware of the danger will be the victims of such attacks for a very long time. Unfortunately, there is no way for such users to be contacted, they have a potential threat on their computer and if they go the wrong way with the update, they will lose their coins, same as OP.

wwzsocki
Legendary
Activity: 2744
Merit: 1708
August 26, 2019, 04:24:53 PM
Last edit: August 27, 2019, 12:20:36 PM by wwzsocki
 #35


Looks like very easy setup, which is strange because tutorial which I was using back then, was a lot more complicated and required many more steps.

The only difference is, that I was trying to decrypt a message back then and now this is a signature check for Mycelium wallet.

I will try it for sure, thank you very much for the link.
