ㅤ

[Symmetrick]

ㅤ

[o_e_l_e_o]

This vulnerability has been known about for almost 2 years, and has been patched since a few weeks after it was first discovered. It has been widely publicized on every platform you can think of. There is a big warning at the top of the Electrum website about it. If people continue to use old versions, continue to ignore the recommended steps, and continue to follow random links, then there is nothing else that can be done.

The scan is not "evolving in its sophistication". It is literally the exact same scam that has been ongoing for 2 years. Literally nothing has changed.

Are we going to write a new article every time someone falls for it? As is standard for CoinTelegraph (or any other crypto "news" site), this is poorly not-at-all researched clickbait trash. Next up from CoinTelegraph, a brand new scam involving a Nigerian Prince!

[ranochigo]

What's wrong with that? Large wallet thefts do not happen every day.

Hacks happens all the time due to the user's negligence (though in this case is due to social engineering). As every news site, the news pops up every time someone gets scammed. It's a known vulnerability and news site sensationalize every incident all the time.

For example, in the Scam Accusations section, there are thousands of cases of the same Ponzi scheme offering unrealistic interest rates on deposits. The scheme in each case is the same, only the wrapper in the form of the name of the office is different. Nevertheless, all Ponzi cases are covered, even the one-day Ponzi.

I don't personally think this is anything new though. Those threads are created because they are different from the ponzis before that and there  is actually something to investigate. As with this, you can't really catch the perpetrator and it is not really of any use for them to repeat this over and over again.

As with the response by Electrum, its just a testament to how Cointelegraph writes article without much research.

[ranochigo]

You can give examples of at least 5 similar cases of phishing scam through these wallets at least in the last six months? It's just that it is presented here as if reports of such large hacks come out almost every day.

Here:
https://bitcointalk.org/index.php?topic=5267471.0
https://bitcointalk.org/index.php?topic=5262152.0
https://bitcointalk.org/index.php?topic=5265239.0

And also the exact same incident with a long discussion already:
https://bitcointalk.org/index.php?topic=5272582.0
https://bitcointalk.org/index.php?topic=5272477.0
I'm fairly sure there's more buried in Bitcoin Discussion and Technical Support but hopefully that's enough. I don't think it's necessary if the same exact phishing scam gets mentioned over and over again.

[JohnBitCo]

Are we going to write a new article every time someone falls for it? As is standard for CoinTelegraph (or any other crypto "news" site), this is poorly not-at-all researched clickbait trash. Next up from CoinTelegraph, a brand new scam involving a Nigerian Prince!

What's wrong with that? Large wallet thefts do not happen every day.

For example, in the Scam Accusations section, there are thousands of cases of the same Ponzi scheme offering unrealistic interest rates on deposits. The scheme in each case is the same, only the wrapper in the form of the name of the office is different. Nevertheless, all Ponzi cases are covered, even the one-day Ponzi.

And here the same phishing attack is described, only in the second case the address on Binance also appeared.

There is no harm is telling about each and every scam we come across. It will just increase the awareness and if people are saved from it, the purpose is fulfilled. Sometime people forget and repeat the same mistakes, if they see these posts often they will not fall victim of these scams and remain more vigilant.

[o_e_l_e_o]

What's wrong with that?

Because the CoinTelegraph writer has sensationalized it in to something it isn't, as well as filling the article with inaccuracies and falsehoods.

Examples:

Lou further stated that this appears to be a phishing scam where the user was forced to install an update

It doesn't "appear" to be anything. It is fully known exactly what this bug is. And users aren't "forced" to install everything. They are simply shown a link. It is the users' own (negligent) actions that result in them clicking on that link, downloading the software it leads to, installing the software, and opening their wallet with it, all without verifying the download.

Phishing scams continue to grow in numbers and through the time they have evolved in their sophistication

As I said above, this scam is neither growing nor evolving. It is exactly the same scam as it was 2 years ago.

On downloading the malicious old version of the software he attempted to transfer 1 BTC. He was then prompted for updating the security information which triggered an update and finally led to the scam.

Wrong again. There is nothing "malicious" about old versions of Electrum. They simply contain a bug which allows servers to display an arbitrary message to the user. That's it. It doesn't "trigger" an update at all.

A user losing 1,400 BTC is perhaps worthy of a discussion due to it being a significant amount. Turning this bug in to something it isn't for clickbait reasons is not.

[HCP]

On downloading the malicious old version of the software he attempted to transfer 1 BTC. He was then prompted for updating the security information which triggered an update and finally led to the scam.

Wrong again. There is nothing "malicious" about old versions of Electrum. They simply contain a bug which allows servers to display an arbitrary message to the user. That's it. It doesn't "trigger" an update at all.

I'm glad someone else noticed these errors... That CoinTelegraph article (like a lot of online media these days), is really just sensationalism designed to garner clicks/views for selling ads etc.

If I had a wallet with USD$14mil in it... I sure as hell wouldn't be downloading an "old" version... and I sure as hell wouldn't be attempting to run it on an online machine... hell, I'd probably be concerned about opening a wallet that had US$1400 in it in an "old" version!

I simply don't understand why people seem to be so "casual" with some aspects of cryptocurrency? How do you not at least do some research into the current status of the wallet and/or not go to the official site for your wallet and download the latest version?

"Be Your Own Bank" (AND it's security department!)

[pooya87]

Electrum phishing scams have been prevalent for over two years.

i think the third point in that tweet was vague. the phishing attacks have been known for a much longer time than 2018. they have been happening nearly as long as Electrum wallet existed. it was and still is performed through disguised websites that look similar to Electrum's real website containing a malicious software. and people have been losing money to this scheme all that long.
the specific way of performing this attack which was through the client was known from 2018.

[o_e_l_e_o]

How do you not at least do some research into the current status of the wallet and/or not go to the official site for your wallet and download the latest version?

The user who lost 1,400 BTC said that he had not touched his Electrum wallet in two years. So at no point during those two years did he pay any attention to Electrum, visit the official site and see the banner at the top warning about this, visit the subreddit and see the stickied thread at the top warning about this, read this forum/twitter/reddit/medium/any other platform where this bug has been widely discussed, visit the GitHub, or keep in the slightest bit up to date about the software holding 1,400 BTC.

It's like just leaving your home to go travel for 2 years and expecting it to be in perfect condition when you return, and then acting surprised when you come back and all your utilities have been cut off and there are squatters living in it.

He really has no one to blame here but himself.

[bencoins]

I just want to add that I also just got done by this scam and I find it annoying from all those who say it's the users fault.  I can't understand why there is server side broadcast messaging built into the wallet, it was a massive oversite on Electrum's behalf.

Those who say it's the users fault for not updating their wallet. Well, we thought we we're updating our wallet from a message that came from within the software which wouldn't let us transact without updating.

Based on the wallet I got done by bc1qjg4ax2h7gff0wszjq0jzmv2gwzgtfluzrelf59 there are a lot of us hodling and not on the crypto news every day.  It took me years to mine my coin, now BenCoins no more

Rant over.  Feel free to donate 1AnuBx9m1rZf48kkwmevNR9c9Sqk7sx3nh

[HCP]

I just want to add that I also just got done by this scam and I find it annoying from all those who say it's the users fault.

Firstly, sorry for your loss.

I can't understand why there is server side broadcast messaging built into the wallet, it was a massive oversite on Electrum's behalf.

There wasn't/isn't "server side broadcast messaging". The "bad" servers are simply sending an error response back to the client when it attempts to broadcast a transaction. The flaw is that the error response was printed verbatim and "rich text" was enabled, allowing URLs to be embedded.

Those who say it's the users fault for not updating their wallet. Well, we thought we we're updating our wallet from a message that came from within the software which wouldn't let us transact without updating.

It's not your fault for not updating... it's your fault for not verifying the update (and, to a lesser extent, not downloading from the official download site). If you have bothered to verify the digital signature of the downloaded installer, you would not have fallen victim to this scam.

Again, sorry for your loss.

[Lucius]

I just want to add that I also just got done by this scam and I find it annoying from all those who say it's the users fault.  I can't understand why there is server side broadcast messaging built into the wallet, it was a massive oversite on Electrum's behalf.

I have never claimed that only the users are to blame for this, there is also a part of the responsibility on those who did not discover in time that something like this is possible. But you have to understand that from a technical point of view, each user has verification methods at their disposal to check whether the program they are installing (in this case Electrum) is legitimate or fake. The problem is that you and probably thousands of others have blindly believed that a legitimate program cannot deceive its users in this way - and it turned out just the opposite.

I initially used Electrum and was extremely careful not to take any wrong step which would result in 0 BTC on my balance, but I invested in a hardware wallet on time and got rid of the unnecessary risk, because if I hadn't done it I might have been one more victim in a row.

I am sorry for your and other losses, but being your own bank is a big responsibility and above all it requires education and knowledge. Without it, you are a very easy target for any hacker who wants to get easy money.

[bob123]

I can't understand why there is server side broadcast messaging built into the wallet, it was a massive oversite on Electrum's behalf.

It is just a mechanism for the server to report back errors which got exploited.
Nothing critical at all.

Those who say it's the users fault for not updating their wallet. Well, we thought we we're updating our wallet from a message that came from within the software which wouldn't let us transact without updating.
Based on the wallet I got done by bc1qjg4ax2h7gff0wszjq0jzmv2gwzgtfluzrelf59 there are a lot of us hodling and not on the crypto news every day.

Well, the attitude simply is wrong.
You (and many other people) were simply buying bitcoin to get rich, to ride the wave, whatever. But you didn't really address the topic of secure storage etc.
You didn't care about secure storage / usage / common sense in IT.

I understand that it can be quite a hassle to verify each download and to actually look at checksums, etc.
But if you are completely relying on your data security for storing a form of money, you actually need to deal with that topic. And verifying the signature and downloading from reputable sources only, is a must.

Feel free to donate

No.
You'd lose the money again anyway.

Start reading on how to download from reputable sources, how to verify downloads and maybe even on how to keep your PC secure and clean.

[dkbit98]

What would happen in case if Electrum is connected with Ledger hardware wallet?
Can attackers still send fake Electrum notification for update and get coins from Ledger also?
I think this would be much harder because of manual confirmation on Ledger, but I am not 100% sure.

[Lucius]

It makes no difference whether someone uses only Electrum as a desktop wallet or uses it in combination with a hardware wallet - in both cases Electrum communicates with servers that can send a phishing message (only in case Electrum is older than 3.3.4). The difference is that in the case of a hardware wallet, the hacker will not be able to make the transaction just like that, because it needs to be confirmed on the hardware device itself.

This is exactly one of the biggest benefits provided by such devices, complete isolation of private keys and every transaction regardless of the user interface.

[HCP]

Can attackers still send fake Electrum notification for update and get coins from Ledger also?

They can still send the notification for a fake update (assuming you're using an old < 3.3.4 version of Electrum) as that is not dependent on the hardware wallet functionality... but they cannot automatically create and broadcast a transaction that steals your coins and/or seed as per the "standard" wallet attack... as your wallet file has no seed, and cannot sign transactions without it being confirmed on the hardware wallet device.

[pooya87]

in both cases Electrum communicates with servers that can send a phishing message (only in case Electrum is older than 3.3.4).

the malicious Electrum nodes can send the malicious message to any Electrum client with any version, and the clients will receive it. the only difference is that the older versions would simply show the exact message they receive to the user while the newer ones only show their own hard-coded messages after matching the received message with their list.

The difference is that in the case of a hardware wallet, the hacker will not be able to make the transaction just like that, because it needs to be confirmed on the hardware device itself.

not unless the user creates the transaction and signs it using their hardware wallet! we are talking about people who downloaded the software from a fake site and were lazy to verify its signature. it is safe to assume at least many of them if not all would also be lazy enough to not check what they are signing with their hardware wallet.