torsten
Team KeePassXC🚨 Warning: New FAKE website offering FAKE KeePassXC downloads! Do not fall for it. The correct domain is https://keepassxc.org without hypens!
The website is asking for your email address to access the downloads. We never ask for your email address. Do not enter your data there, it's a phishing attempt.
Eric@keepassxc
Methinks you should go buy as many typosquat domains as are available before copycats get to them.
Methinks you should go buy as many typosquat domains as are available before copycats get to them.
@eroc1990 We own several already, but it's a losing game and a pretty expensive one at that.
David@keepassxc @eroc1990
Yeah, that sounds like Whac-a-mole.
Anything else that can be done about it?
I just reported it to DuckDuckgo, it is the third result for "keepass xc" there currently -.-
Jani Tikkanen@dreua
Enter lots of fake emails to them? Possibly to domain that tarpits every access or something else that slows down them..
@keepassxc @eroc1990
Enter lots of fake emails to them? Possibly to domain that tarpits every access or something else that slows down them..
@keepassxc @eroc1990
saxnot
Kaito@eroc1990 @keepassxc 'good' point but people shouldn't have to do that...
Insignificant NagusI installed keepassxc yesterday in a hurry, normally I do pay a lot of attention to the URL, in hindsight not so sure...
So if I didn't have to enter an email, I should have chosen the right one? Or at least let's say, not this particular one?
Is the download malware that leaks the pw datatbase in plain text? Is the signature known to av programs?
Linus ⓥ@insignificant_nagus
I guess you're using M$ Windows (otherwise you would have probably used a package manager).
If you still got the .MSI/.zip file, you can check the signature of the file like this:
https://keepassxc.org/verifying-signatures
(You can scroll all the way down for a simple hash sum check using PowerShell)
If it does match, your installer was legit :)
@keepassxc
I guess you're using M$ Windows (otherwise you would have probably used a package manager).
If you still got the .MSI/.zip file, you can check the signature of the file like this:
https://keepassxc.org/verifying-signatures
(You can scroll all the way down for a simple hash sum check using PowerShell)
If it does match, your installer was legit :)
@keepassxc
Vovan
Ави Кафазен
Szymon Nowicki@keepassxc sent email to [email protected] and cloudflare abuse (NS records)
@sn Thanks. I've reported it to Microsoft, Google, Netcraft, and other services as well.
𝕾𝖆𝖒𝖇𝖆 λ@keepassxc also reported to Dynadot. Maybe you Guys should claim similar Domains like this to prevent this BS.
@gremlin We already own a lot of variants with different top-level domains and redirect them to keepassxc.org. The only one we couldn't get is .com, because someone snatched it already and has since put it on auction after it was put on block lists. But we cannot also register all possible combinations with hyphens and typos.
@keepassxc I mean typos not but something like keepass-xc/com should have been in your mind. But yeah, hopefully DynoDot nukes them soon
@gremlin There's an infinite number of possible typos like that. Registering them all is pretty futile and expensive.
@keepassxc as said, at least common Domains with "-" are with .com, .net and .org like 30$ a year.
@gremlin And then multiply it by 10 different TLDs.
@keepassxc If I want to secure my Shit I do it, you host a Software of Security. Like what are you trying to tell me? That the security of your Users isn't worth it?
@gremlin As I said, we already own quite a few different domains. We're a small open source project. We get a healthy amount of donations, but we cannot spend $2000 a year on domains, just so someone can register yet another one we haven't registered yet.
@keepassxc If you are even close to over 200-300€ for your Domains per year you do something really wrong. I guess you should check-out https://tldes.com and find a Register that does not Rip the Shit out of you (I pay around 190€ for 30 Domains with Common Extensions)
@gremlin Six different variants with hyphens, kee, key -pw etc. times 10 TLDs times $30 is $1800. But if you want to help, keepassxc[.]com is on auction for a mere $50,000.
You need:
KeepassXC/com
KeepassXC/org
KeepassXC/net
maybe KeepassXC/pw as a "Joke Domain" and the same with "-". Since .com is currently taken it is one less.
I calculate now with 6 Domains, where we end up at around 70$ a year, if we add uncommon extensions or Country specific (in this Case I choose: .info, .biz and .eu) we are still at around 92$ a year. These are not even 1,2K$ a year. Idk what "weird" or uncommon Domains you own. But a basic Brand Shield with these should be enough. And sorry, I do not spend Money at Domain-Suckers/Re-Sellers, I sue the Shit out of them if they infringe my Brand.
@gremlin com is taken, see above. We own net, org, eu, de, us, and some others. Most of these TLDs are $10 the first year and then $15-30 for every following year unless you choose a different registrar for each. app and dev are among the most expensive ones. And then you still have to multiply all those by the number of typosquats you want to catch, which are easily 6-10 for each one.
@keepassxc It's not like I do not get your Point. Don't get me wrong. But "-" are not special and should always be considered before getting other specific Domains like .eu, .us or .de. But yeah, I can not change it. Maybe in the near future you own these days to make it more safe for your users.
@gremlin The reason we started registering all those other TLDs is exactly because someone took .com and then used it to distribute fake downloads. We got the domain blocklisted quickly, so they put it up for sale. It's off the blocklist again now, but we haven't been able to acquire it and I don't think they'll ever let go of it unless we pay their scalper price.
@keepassxc I mean idk from where you are but in the most cases it is enough to send a "friendly" letter from a lawyer to the Register and it is done. Nobody pays 50K for a Domain and these Scums of Re-Sellers know this. As said, maybe get a legal consultation of the Situation, I am not a lawyer I can only represent my Experience with these scummy Companies in the Past.
@gremlin Of course they want to auction it off. The 50k is just the "buy now, stupid" price. But we're not a registered legal trademark (yet). Otherwise we'd have done that a long time ago.
@keepassxc Welp okay, this is also a big point. But yeah GoDaddy is a Pain in the Ass. I really hope you get this shit under Control. (If no one else does it within the next week or so we can talk about me presenting the keepass-xc/net/org Domain for you guys as a little "gift". But rn I am on a business trip and really have no time to register/organize this)
@gremlin I would expect the domain to be put on the safe browsing list for a while and then they'll either drop it or park it. We don't need someone to gift us those domains (unless of course someone has the contacts or measures to transfer keepassxc[.]com to us). We can always buy a few more ourselves, but there will always be more.
@keepassxc as said, just an Offer. I once won against GDaddy with a lawyer, but this as said needs legal consulting. I guess you already contacted GDaddy about the Situation? I mean they will def. not Gift it to you but maybe they are a bit more calm when it comes to Non-Commercial Orgas
@gremlin Maybe I'll try again some time. I guess in the meantime I'll spend another €320 on 36 months of more typoquat domains. Fun fact: I checked whether IONOS had a better offer than Godaddy. They did for the domains themselves. But in addition they wanted a fixed one-time fee of just over €1800 for "premium domains". Ridiculous.
The Doctor@gremlin @keepassxc You completely missed the point, there. Scroll back a few posts. Please.
Ashton
Gustavo@keepassxc Don't worry about that: I'm sure most people would agree with you that doing something like that is overkill for any FOSS project. If you were a per-profit company, sure, but it just makes no sense requiring that from you. Their expectations make absolutely zero sense for me. Donation money should be spent on better things than extra domains.
Camden@gremlin @keepassxc Why are you being so authoritative 😅? I get that you're trying to be helpful, but you're coming off very rude. Please be kind.
I agree with the Keepass admin that it probably isn't the best idea to spend all the donation funds on domains.
Wolfram Rösler@gremlin @keepassxc Feel free to purchase and maintain them as a donation to the #KeePassXC project then.
@wolfram_roesler @keepassxc You can't make up Boomer names like that, Wolfram; I donate enough to the FOSS community with my server performance, so don't worry about that.
But I'd love to return the favor. The KeepassXC team would be happy if you did, especially if you use their software. 😇
@gremlin @keepassxc Not sure what you mean with Boomer names. If there's any sarcasm involved then I've probably missed it. Thanks for your server performance anyway. It's not my style to brag about my contributions but if you're using KeePassXC then you've seen them.
Paradox
Regendans@nestab @keepassxc The p.s. I use VoidLinux and the b.t.w. I use ArchLinux folks are awake now ? 😇
Harvest Malletus@keepassxc Jeeze people. Team KeePassXC is trying the best they can. It's absurd to think that a FREE project can just go out and buy $100,000 worth of typo domains. Do a little research into what you're clicking. I for one applaud the effort KeePassXC is making to try and calm it down, but give them a little slack.
smalldog club ☑️@keepassxc this reminds me to send a donation. Not to buy domains, but just because...
keepassxc is a fave.
@smalldog Thanks!
Pacman@keepassxc It's curious that this risk is not mentioned on the KeypassXC.org website.
John Maxwell@keepassxc - Well, if this one strips out the AI contributions...
ohir@keepassxc
You can take over malicious domain quite easy.
Then you really should take your product to the typo-safe domain name ASAP. Possibly leveraging current publicity.
Neputunu@keepassxc huh. cool.
TheTearMiserAlways Check Your Sources! 5 mins of reasearch saves a lifetime of chasing down your own accounts!
@TheTearMiser Care to explain?
We are on the same team. I'm reiterating your point. One "-" and because the user didn't check to be sure the link was right... all the hard work you guys put into these apps goes to immediate waste.
I apprciate this post from you helping users do that for your product.
Jeroen Gui 
Takedown completed.
If similar sites appear in the future, don’t hesitate to reach out! Always happy to support FOSS projects in protecting their users.
You can also easily report new cases here: https://justguard.be/report
@jeroengui Not quite a takedown, but Cloudflare forwarded our request. The actual site is hosted at Hetzner.
Of course, there’s no full takedown until the domain is placed on client/server hold. That's correct!
That said, in practice, I rarely see any recovery once Cloudflare puts up a warning page. It’s usually easier for the threat actor to register a new domain.
The good news is that this domain has already propagated across most major AV vendors, and I’ve shared both the domain indicators and the associated malware samples with several partners and information-sharing networks (Quad9, GCA, GSE, etc.). That should help ensure any residual risk is blocked at multiple layers.
I'll set up some monitoring for both this domain and any future attempts to impersonate KeePassXC.
Erik van Straten@jeroengui : I very much appreciate your work, but, as a bullet proof proxy service, #CloudflareIsEvil - they're complicit to cybercrime.
Cloudflare warns for malware/phishing for a specific *URL*, not the domain.
A minor change in the adds (or a forwarding site if that is what these scammers use) would bypass Cloudflare's crap measure.
I never saw a malware/phishing warning while opening:
https:⧸⧸keepass-xc.com/index.php
Note: I understand that blocking https:⧸⧸sites.google.com for a single malicious page would be problematic, but that's rather due to the fact that Google Sites sucks.
@ErikvanStraten @jeroengui They forwarded our abuse report to the hoster of the actual page. We’ll see.
Also everyone, if you must visit the page, at least do it in a private window or clear your history afterwards, so you don’t accidentally open it again later!