pooler / electrum-ltc

Electrum-LTC Litecoin wallet
https://electrum-ltc.org
MIT License

electrum-ltc.bysh.me:50001 is a phishing site? #294

Closed mateohhh closed 2 years ago

mateohhh commented 2 years ago

So I downloaded the new portable version from http://electrum-ltc.org (not the fake site), verified the signature with GPG, and upon running it, BitDefender started giving me warnings about "electrum-ltc.bysh.me" being blocked for phishing attempts.

I've searched about and have found many posts asking about this, but zero answers.

The only other reference I've found is this post: https://github.com/dreamsxin/electrum-ltc/blob/master/electrum-ltc.conf.sample where someone provides that server as the default option in a sample file.

Can anyone comment knowledgeably about this? Is this actually a threat, or a false positive inherent to the electrum-ltc network?

The reported instances of LTC disappearing from wallets after installing electrum-ltc do not invoke confidence at all. Some seem fairly recent.

If this is a problem, is there a way to remove that server from the possible ones to connect to? I found where I can choose servers manually on first startup, but no way to disable any that could be problematic. Even if I have manually chosen a different server, it still seems to try connecting to the suspicious one, BitDefender warnings and all... although that may be because I have not yet gone through the full process of creating a wallet; I canceled out when this message kept being displayed to me. Maybe I just need to complete that process to make a server change permanent, but I'm not inclined to risk it just yet.

pooler commented 2 years ago

It's not a phishing site. If you run a DNS query, you will see that electrum-ltc.bysh.me points to the same server as electrum-ltc.org, the official website.

The reported instances of LTC disappearing from wallets after installing electrum-ltc do not invoke confidence at all.

Keep in mind that there are only so many things a malicious server can do. It can lie about your balance by hiding past transactions. It can record which addresses you own. It can refuse to relay your transactions. However, it cannot steal your coins, as private keys are never sent to the server, and the server has no way of initiating a transaction for you.
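The DNS comparison pooler suggests, as an added example that is not part of this thread or of Electrum-LTC: it resolves two hostnames and reports whether they share the same address set. The `CONSTRUCTED_DNS` table holds made-up addresses so the check runs offline; the live resolver is only used when the script is run directly.

```python
import socket
from typing import Callable, Dict, Set

# Constructed sample answers (documentation-range IPs), not the real
# addresses of these hosts; they let the comparison run without network.
CONSTRUCTED_DNS: Dict[str, Set[str]] = {
    "electrum-ltc.org": {"192.0.2.10"},
    "electrum-ltc.bysh.me": {"192.0.2.10"},
    "lookalike.example": {"198.51.100.7"},
}


def constructed_resolver(hostname: str) -> Set[str]:
    """Offline resolver backed by the constructed table above."""
    return set(CONSTRUCTED_DNS.get(hostname, ()))


def live_resolver(hostname: str) -> Set[str]:
    """Real lookup: every IPv4/IPv6 address the name resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare_hosts(host_a: str, host_b: str,
                  resolver: Callable[[str], Set[str]] = live_resolver) -> dict:
    """Compare the address sets of two hostnames.

    'same_server' is True only when both names resolve and to identical
    address sets. A shared address shows the names point at the same
    machine (or the same shared host/CDN); it does not by itself prove
    who operates it, so treat it as one signal, not a verdict.
    """
    ips_a, ips_b = resolver(host_a), resolver(host_b)
    return {
        "shared": sorted(ips_a & ips_b),
        "only_a": sorted(ips_a - ips_b),
        "only_b": sorted(ips_b - ips_a),
        "same_server": bool(ips_a) and ips_a == ips_b,
    }


if __name__ == "__main__":
    # Live check of the two hostnames discussed in the issue.
    result = compare_hosts("electrum-ltc.bysh.me", "electrum-ltc.org")
    print(result)
```

Running the script directly performs a live lookup; a flagged hostname that resolves exactly like the official one is consistent with pooler's explanation, while extra addresses under `only_a` or `only_b` are worth a closer look before trusting the name.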

mateohhh commented 2 years ago

Thank you for the explanation and for suggesting the DNS verification route. Is there a reason why only that address would be flagged by BitDefender while multiple nodes are connected?


pooler commented 2 years ago

I'm afraid I have no idea why BitDefender would flag this address. It might be because someone tried to access it as a website and they thought it was a phishing site, so they reported it.

mateohhh commented 2 years ago

Again, thank you.

Since, as pointed out, that address resolves to the same IP as electrum-ltc.org, it makes me wonder if someone at one time meant to report the fake site that was distributing the hacked version, and accidentally reported the real one instead… or possibly the people behind the fake site (which seems to still be online) reported the real one to cause confusion like this.
