Hostile Websites. Fake Electrum & BIP39 tools. Phishing Scams targeting Electrum, Ledger & Trezor


Written by:

okay so on today’s episode of crypto
scam which we’re looking at dodgy websites and this one is something that
is just constantly constantly a threat in the crypto space and you see examples
of this on reddit all the time and I’ve got two quick examples here and they
were both essentially the same scammer the same website changed the tool that
was hosting and what we’ve got here is a scammy version of the electrum website
and you can see it here and if I switch from the scary one to the legit one (
you’ll notice they look very very similar on purpose and then there’s a
few small differences specifically the scamming one was talking about versions
of electrum that didn’t quite exist yet and you’ll also notice that the scamming
one removed the text about how learning how to verify GPG signatures it’s gone
but other than that the scammy website had all the same colors all the same
artwork all of that stuff to look very convincing to someone who wouldn’t know
better if we go to the download page on the scamming one and this is a snapshot
of what the electrum website looked like at the time we can see the scammy one
even was offering a slightly newer version of electrum how helpful and they
had all the downloads there with all the signatures but again like the previous
page you know they had simplified some of the language here so they’d still
included a legit signature that is actually the correct one you download
off the website but if you had downloaded them and actually verified
them against the signature you discovered that they contained a lot of
malware they were not authentic downloads at all but other than that the
website was a very convincing look-alike it was also from a different domain and
it was this domain here so and as you can see if
someone wasn’t paying too much attention to what they are clicking on they might
think oh yeah that looks about right and click on through the same scammer was
also hosting in Coleman’s BIP39 tool and if
compared this scammy website to the legitimate Ian Coleman one we can see here
the only real difference on the two pages was that the legit and common one
pointed to his official github repository and the scamming one pointed
to their own server here and gave you a zip file that you had to download rather
than bouncing you off to github though again like a lot of these scams they
still include actual legit links to the proper github repositories in and around
their scamming bits so these scam sites are made to look very very very much
like the real deal and they do catch a lot of people out you see the issue with
this scamming version of the BIP39 tool is that it basically as soon as someone
entered in a mnemonic code in this field here it sent a copy of that along
with the passphrase to the scammer so if someone made the mistake of running this
tool on the internet connect PC it immediately sent their 24 word seed
away to the scammer whereas the official Ian Coleman tool doesn’t do that
both Trezor and Ledger are also often targeted with these scams with people
making websites that look very much like theirs that will say throw an error of
some kind like this one you can see here’s as warning trace or data damage
do not disconnect your device please enter your 24 word seed or something
along those lines so one of the some of the things you can look for with the
scamming websites well firstly one of the things to look at with these is to
see how recently the website was registered now for this electrum scam
site we could see when we looked up its domain registration just on the official
ICANN who is look up we could see that that domain was only registered just in
the last couple of months likewise for this imitation BIP39 tool it was only
registered in the last couple of months and this imitation ledger domain was
only registered just this month so we can see that all three of these scamming
websites they’re all very recent whereas when we look at the official web sites
of say Trezor and ledger we can see that they were both updated and recently
created you know sometime other than just last week or last month with Trezors one dating back to 2014 and with Ledger’s one
being an old domain but still only being updated in 2018 the other thing you look
for is misspelled don’t about domain names or different
domain suffixes so you might have the correctly spell ledger dot and then have
some other different domain suffix so say .net .io .org or you know anything else
like that and the same for Trezor so how can you stay safe firstly I’d suggest
before anything else use a modern browser like if you’re
still using Internet Explorer and you’re dealing in crypto or if you’re using an
out-of-date version of the browser you’re on you really really need to
upgrade I’m using brave the latest version of that and I’m really enjoying
that as a browser and I’ve got a link to that in the description if you’d like to
give it a go another really important way to stay safe is to make sure that
you only run anything that uses your 24 word seed in an air-gapped amnesic
environment so that means a environment where you’re not connected to the
Internet and you’re not just using your normal desktop operating system but
rather something that wipes itself completely when you restart and I’ll put
a link in the description to a video I’ve made about tails Linux that can do
that for you at the very very least if you’re running these sorts of tools that
involve your 24 words seed on your desktop you need to do that with your
network disconnected one of the key parts of this scam was that the scammer
would encourage people to download this tool and run it standalone what people
didn’t realize was that there was code in this scammy version of the web page
that would send your information back to the scammer even if you’re running it
standalone you also need to understand that just having a green padlock so you
know a website that says it’s secure is actually not enough all that means is
the traffic between you and the website you’re talking to is encrypted it
doesn’t actually verify that the person you’re talking to the website you’re
talking to is the right website let alone the official one the other way to
stay safe is to bookmark sites don’t just google them the other thing you
need to do is not just click on links that people send you in emails private
messages or things like that whether it’s through Facebook reddit or whatever
and this one’s a really big one in that often if you post on reddit saying
you’re having trouble with your wallet a whole bunch of scammers will immediately
start sending you links to scammy web sites
encouraging a punch in your 24 words seeds so they can help you and all those
sorts of things so you know don’t just click on links people send you
regardless of who it’s coming from because you know for all you know one of
your friends may have had their social account compromised and it might just be
spamming everyone on their contact list the other thing you can do to stay safe
you can get browser plug-ins like net craft or Cryptonite online identity
protection by Metacert that will actually help to check I guess a larger
list of scamming websites and will help verify that the website you’re on is in
fact the right one though it’s important to understand that these plugins just
like Google Safe Browsing will only keep you safe after someone has reported the
website has been malicious and that service has accepted it as a malicious
website and start to block it and for both of these websites I showed you they
both took about a week from when they first appeared on Reddit to when they
were finally blocked consistently across our range of services so while these
tools can be really helpful they are not going to be something you can rely upon
to keep you safe so taking the time to learn how to verify download signatures
is also a really important thing and I’ll cover that in a future video so
what you can do if you spot a scam well firstly you can report the website to
Google Safe Browsing and that’s really handy in that it will block pretty much
anyone using chrome or brave or a lot of other browsers likewise you can
report the website to Metacert and all of these plugins in chrome actually have
options to report them in there so usually just click on the extensions
icon and you can then report a malicious URL for both netcraft and Metacert the
other thing is that for a domain that you find that scammy you can also send
an email to the abuse contact for their and again your mileage will vary
depending on who is hosting the domain in terms of whether they’ll actually do
anything about it let alone how long it might actually take them to do that
thanks for watching I hope that was helpful just hit subscribe if you’d like
to be kept in the loop about future content I make to help people stay safe
in the crypto space and to recover if they get into trouble or if there’s a
question you’d like some more information about or topic you’d like me
to cover in the future just leave a reply

Leave a Reply

Your email address will not be published. Required fields are marked *