spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

I lost ~12 BTC (~$42k) from an UPDATE SHOWN TO ME ON 3.3.3 OFFICIAL !!!! my family is going to die #5064

Closed djhoangwar closed 5 years ago

djhoangwar commented 5 years ago

Electrum 3.3.3 showed me a message to update; I went to update to 3.3.4 and lost all my money, ~12 BTC (~$42k).

THE PROBLEM IS THE SCAM UPDATE SHOWN TO ME ON 3.3.3 OFFICIAL !!!!

what the fuck is going on with electrum? i feel like i'm going crazy now, my wife, my son are going to die because of electrum??? WTFFFFFCKCKKCKCKK

https://imgur.com/a/vtFSx6G

cluelessperson commented 5 years ago

A malicious server showed a message that gave you a link to a malware website.

andronoob commented 5 years ago

3.3.4 is obviously malware, but AFAIK 3.3.3 has already fixed the phishing issue.

Though there doesn't seem to be any chance of recovering your stolen funds, if you are still willing to help the community identify the malware, please post the SHA256 hash of your electrum-3.3.3/3.3.4.exe. You may use 7-Zip to calculate the hash.
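The digest andronoob asks for is the same computation a user should run on every download before installing it, comparing the result with the checksum published on the official site and, where one is offered, verifying the PGP signature. The following is an added example, not Electrum's code or part of this thread; the installer bytes, manifest and signature paths are constructed placeholders, and the optional gpg step assumes the project's release-signing key has already been imported from its official channel.

```python
"""Added example, not Electrum's code: compute a download's SHA256, check it
against a checksum manifest, and optionally run gpg on a detached signature.
File names, manifest contents and signature paths are placeholders."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA256 of a file, read in chunks so a large installer does not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'hexdigest  filename' lines (sha256sum output format) into {name: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
        if not sep or len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        expected[os.path.basename(name)] = digest.lower()
    return expected


def verify_download(path: str, manifest_text: str) -> str:
    """Return 'OK', 'HASH_MISMATCH' or 'NOT_IN_MANIFEST'. Only run the installer on 'OK'."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return "NOT_IN_MANIFEST"
    actual = sha256_file(path)
    return "OK" if hmac.compare_digest(actual, expected[name]) else "HASH_MISMATCH"


def verify_signature(path: str, sig_path: str):
    """Run gpg --verify on a detached signature.

    Returns True/False, or None when gpg is not installed. gpg reports a good
    signature from any key in the local keyring, so the release-signing key must
    be the one imported from the project's official channel and its fingerprint
    checked; a matching hash alone only proves the file is the one the manifest
    describes, not that the manifest itself is genuine."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run([gpg, "--batch", "--verify", sig_path, path],
                            capture_output=True)
    return result.returncode == 0


def demo() -> tuple:
    """Constructed files, not real installers: one intact, one altered after
    the manifest was written (the swapped-binary case this thread is about)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "electrum-installer.exe")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        manifest = "%s  electrum-installer.exe\n" % sha256_file(path)
        intact = verify_download(path, manifest)
        with open(path, "ab") as f:  # simulate a tampered download
            f.write(b"\x90")
        tampered = verify_download(path, manifest)
        return intact, tampered


if __name__ == "__main__":
    print(demo())  # ('OK', 'HASH_MISMATCH')
```

The manifest has to come from the official site over https (and ideally be signed) for the hash check to mean anything; a mirror that swaps the binary can just as easily publish a matching checksum next to it, which is why the thread keeps pointing at the signature rather than the hash.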

andronoob commented 5 years ago

There's a serious bug in old versions of Electrum: a malicious server could return an arbitrary error/warning message to the user. This was exploited by some phishers to trick users into downloading a fake "update". NOTE: Electrum servers are not controlled by the devs; anyone may set up their own server to serve people.

ecdsa commented 5 years ago

sorry for your loss. you have been the victim of a phishing attack, see issue #4968

ValdikSS commented 5 years ago

@djhoangwar, Electrum is a "lite" Bitcoin wallet, which does not download the full blockchain and keep it locally, but relies on servers with the full blockchain. Such servers may be set up and operated by anyone, including me and you, and they will be automatically used by Electrum. When you send money, if the transaction can't be performed, the server may respond with a text error message giving the reason.

During the last month, some malicious servers appeared which do not accept transactions and only return a bogus error message. This error message states that your client is outdated and you should download a new, updated one. This "updated" client is not an official Electrum client but one provided by a hacker (the operator of that server), designed to steal your money and probably to perform further malicious activity on your computer (e.g. steal your browser passwords and other private data). It's uploaded to a website unrelated to the official Electrum website or GitHub page, but it is designed to look very close to the original one, to fool you into downloading the file and installing it. Unfortunately, you've installed such a client, and now you've lost your money. There's no way to get your money back. Electrum developers have nothing to do with these malicious "updated" versions. The official Electrum page https://electrum.org/ has the following text on top:

Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.

Just to be clear, once again: you've installed a virus instead of the original Electrum client. Uninstall it or, better, reinstall the whole operating system, because nobody has investigated whether the virus performs other actions besides stealing money. And you can't get your money back, since it's Bitcoin, a system built without any party that has to be trusted, like banks. You can only monitor further transactions from the address where your money went, and try to determine the person behind it.

djhoangwar commented 5 years ago

But this scam message showed up in the official app 3.3.3. It's bullshit

andronoob commented 5 years ago

@djhoangwar If you are willing to help the community analyze the attack, you may upload your Electrum installer exe/zip file. Simply drag & drop it here, please.

anynamehere commented 5 years ago

@andronoob Here is the compromised Mac version that got me: https://drive.google.com/open?id=1_Kp5F5eypIAKzkgTf8pnitwDdDxr8yds

I want to know if my whole system has been compromised.

gits7r commented 5 years ago

We are sorry for this, but this message is confusing and too alarming and causes panic among users.

Electrum doesn't have a bug that can be exploited, it cannot be controlled remotely, it has no open vulnerability that can cause loss without the user's action. Electrum was no more "hacked" or "exploited" than gmail, yahoo, outlook and all financial institutions (banks, etc.) as well as various other online services are every day.

Because of how peer discovery works in Electrum, there is not much we can do for old versions, since we can't prevent them with a 100% success rate from running into a malicious server. This is because, unlike other lightweight wallets, Electrum decided not to have only a few hardcoded servers that would be responsible for the privacy of all users and act as a single point of failure, but instead to allow users to run their own servers or use servers that they trust. Electrum takes user privacy very seriously, which is why proper peer-to-peer discovery without central authority arbitration was adopted, instead of anything else. This way an attacker cannot keep an Electrum user offline, or isolate him, or pull various attacks.

While the entire Electrum team is doing absolutely everything possible to protect the users, such as:

  • patch the Electrum wallet to not display rich text, and not allow arbitrary messages, only strict codes;
  • patch the ElectrumX server implementation to detect sybils (malicious servers that send the phishing message) and not further broadcast them to clients;
  • implement blacklist logic to keep malicious servers outside the view of the clients;
  • heavily advertise on social media, the website and all existing communication channels with the users that they should always run the latest version and always only install from the official source (electrum.org), accessed over a secure protocol (https) with prior verification of the PGP signature;

...the sad truth is that nothing can truly be done to protect a user from their own actions. If you are willing to install Electrum from a different source, when the official one is electrum.org, and you don't verify signatures, then even with the latest patch that does not display rich text you are still vulnerable, as you can receive an email or text message with the same phishing message and install a backdoored Electrum.

After all, when you install and use security software and financial software such as Electrum, the first rule is to make sure you are running a version that has no discovered vulnerabilities and that your build is signed and genuine.

I know this is not pleasant to read after a loss of funds, and we are sorry, but this is the sad truth. This is not a vulnerability in Electrum, so we are going to respectfully close such issues / tickets on GitHub, because we are already doing everything possible to limit the effects of phishing attacks, and such issues do not provide any new information.
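The first client-side mitigation gits7r lists, not rendering rich text and not passing arbitrary server messages through to the user, is worth seeing in code. Below is an added example written for this thread, not Electrum's own code: a "before" handler that hands a server's JSON-RPC error text straight to a rich-text dialog, beside a hardened handler that reduces the server text to a fixed local code, logs anything unrecognised for the operator only, and drops a server that sends markup or links (a local blocklist, corresponding to the blacklist item in the list above). The two server responses are constructed samples, the bitcoind reject phrases in the patterns are illustrative rather than exhaustive, and the server names are placeholders.

```python
"""Added example, not Electrum's code: why a light client must not render
server-supplied text, and one way to reduce server errors to strict local codes."""
import html
import json
import logging
import re

log = logging.getLogger("wallet.broadcast")

# Constructed sample of a JSON-RPC error a rogue server could return to a
# transaction broadcast. The wording is made up for this example.
MALICIOUS_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 7,
    "error": {"code": 1, "message":
              "<b>Your client is outdated.</b> Update at "
              "<a href='https://update.example.invalid'>update.example.invalid</a>"},
})
# Constructed sample of an honest node rejection relayed by the server.
LEGIT_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 8,
    "error": {"code": 1, "message":
              "the transaction was rejected by network rules.\n\nmin relay fee not met"},
})


def vulnerable_display(raw: str) -> str:
    """Before: hand the server's message straight to a rich-text dialog.
    Markup, links and wording are entirely the server's choice."""
    return json.loads(raw)["error"]["message"]


# After: the user only ever sees a locally defined string. Server text is used
# solely to pick a code from a fixed allowlist (illustrative bitcoind reject
# phrases; a real client would carry the full set).
KNOWN_REASONS = [
    (re.compile(r"insufficient fee|min relay fee", re.I), "FEE_TOO_LOW"),
    (re.compile(r"missingorspent|missing inputs", re.I), "INPUTS_SPENT"),
    (re.compile(r"already in mempool|already known", re.I), "ALREADY_BROADCAST"),
]
USER_TEXT = {
    "FEE_TOO_LOW": "Transaction rejected: the fee is too low.",
    "INPUTS_SPENT": "Transaction rejected: its inputs are already spent.",
    "ALREADY_BROADCAST": "This transaction has already been broadcast.",
    "UNKNOWN": "The server rejected the transaction. Try another server.",
}
# Markup or a URL has no place in a node's reject reason; treat it as a sign
# of a rogue server. The blocklist is an assumed design, local to this example.
SUSPICIOUS = re.compile(r"<[a-z/][^>]*>|https?://|www\.", re.I)
blocked_servers: set = set()


def classify_server_error(raw: str) -> tuple:
    """Return (code, suspicious). Never returns server-controlled text."""
    try:
        msg = json.loads(raw)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        return "UNKNOWN", False
    if not isinstance(msg, str):
        return "UNKNOWN", False
    suspicious = bool(SUSPICIOUS.search(msg))
    if not suspicious:
        for pattern, code in KNOWN_REASONS:
            if pattern.search(msg):
                return code, False
    # Unrecognised text goes to the log, escaped and truncated, for the operator only.
    log.warning("unrecognised server error: %s", html.escape(msg[:200]))
    return "UNKNOWN", suspicious


def handle_broadcast_error(server: str, raw: str) -> str:
    """Text the UI may show; as a side effect, blocklists a server sending markup or links."""
    code, suspicious = classify_server_error(raw)
    if suspicious:
        blocked_servers.add(server)
    return USER_TEXT[code]


if __name__ == "__main__":
    print("before:", vulnerable_display(MALICIOUS_RESPONSE))
    print("after: ", handle_broadcast_error("rogue.example.invalid:50002", MALICIOUS_RESPONSE))
    print("blocked:", blocked_servers)
```

The point of the design is that the dialog text is chosen from strings compiled into the client, so no server can put a download link, an address or an instruction in front of the user; the server's text still reaches the operator's log, where it is useful for identifying sybils without being trusted.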

andronoob commented 5 years ago

@anynamehere Sorry, I'm not a malware analyst, so I can't be sure that this fake Electrum didn't install other malware on your computer. You'd better reinstall your operating system (macOS).

However, I still tried to decompile it, then I made a diff against official Electrum 3.2.3. You may find the bitcoin addresses used by the attacker. Notes:
1. The whole fake-3.3.4-13b57883/PyQt5 subdirectory was ignored;
2. Binary files were ignored;
3. Files which only exist in official Electrum were ignored.
electrum-phishing-vs-3.2.3-ignore_PyQt5-ignore_binaries.diff.zip

commontree commented 5 years ago

We are sorry for this, but this message is confusing and too alarming and causes panic among users.

Electrum doesn't have a bug that can be exploited, it cannot be controlled remotely, it has no open vulnerability that can cause loss without the user's action. Electrum was no more "hacked" or "exploited" than gmail, yahoo, outlook and all financial institutions (banks, etc.) as well as various other online services are every day.

Because of how peer discovery works in Electrum, there is not much we can do for old versions, since we can't prevent them with a 100% success rate from running into a malicious server. This is because, unlike other lightweight wallets, Electrum decided not to have only a few hardcoded servers that would be responsible for the privacy of all users and act as a single point of failure, but instead to allow users to run their own servers or use servers that they trust. Electrum takes user privacy very seriously, which is why proper peer-to-peer discovery without central authority arbitration was adopted, instead of anything else. This way an attacker cannot keep an Electrum user offline, or isolate him, or pull various attacks.

While the entire Electrum team is doing absolutely everything possible to protect the users, such as:

  • patch the Electrum wallet to not display rich text, and not allow arbitrary messages, only strict codes;
  • patch the ElectrumX server implementation to detect sybils (malicious servers that send the phishing message) and not further broadcast them to clients;
  • implement blacklist logic to keep malicious servers outside the view of the clients;
  • heavily advertise on social media, the website and all existing communication channels with the users that they should always run the latest version and always only install from the official source (electrum.org), accessed over a secure protocol (https) with prior verification of the PGP signature;

...the sad truth is that nothing can truly be done to protect a user from their own actions. If you are willing to install Electrum from a different source, when the official one is electrum.org, and you don't verify signatures, then even with the latest patch that does not display rich text you are still vulnerable, as you can receive an email or text message with the same phishing message and install a backdoored Electrum.

After all, when you install and use security software and financial software such as Electrum, the first rule is to make sure you are running a version that has no discovered vulnerabilities and that your build is signed and genuine.

I know this is not pleasant to read after a loss of funds, and we are sorry, but this is the sad truth. This is not a vulnerability in Electrum, so we are going to respectfully close such issues / tickets on GitHub, because we are already doing everything possible to limit the effects of phishing attacks, and such issues do not provide any new information.

OK this is bullshit - and for electrum to take no responsibility is weak to say the least. First off, the phishing attack is initiated in Electrum, not from any other software. There is a pop-up that comes up "in electrum", not anywhere else. Just got screwed for $600

ValdikSS commented 5 years ago

First off, the phishing attack is initiated in Electrum, not from any other software. There is a pop-up that comes up "in electrum", not anywhere else.

This is no different from downloading a virus using an internet browser. Or a BitTorrent client. Neither the internet browser developer nor the BitTorrent client developer is responsible for that. I agree that this may be confusing, as it is assumed that a Bitcoin client uses the developer's infrastructure, but once you learn how Electrum works, you'll understand it. And most importantly, you need to read the licensing terms you accepted to use this software. It comes with absolutely no warranty. If you disagree with that, you shouldn't use it in the first place.

fukuro-kun commented 5 years ago

@andronoob I found at least 380 interesting btc addresses in your file. Do you have the URI of the provided / analyzed malware? Which steps did you perform to decompile the malware?

4oo4 commented 5 years ago

@djhoangwar

https://github.com/spesmilo/electrum/blob/01f582cc147fcd84555e7e13e366c397c85f7c78/LICENCE#L14-L20