Malicious Fork And Phishing Make Perfect Storm For Electrum Wallet

It was December 21, 2018, just days before holiday celebrations, when Electrum developers received a screenshot that had been making the rounds in a German chat room. Depicted was an error message one user had received when sending a transaction, but something about the message wasn't adding up for the developers: it directed users to what was discovered to be a malicious GitHub repository hosting a malware version of the wallet.

According to SomberNight, the user who received this error message was likely using a legitimate Electrum client, but was connected to a maliciously operated Electrum server when they attempted to broadcast a transaction. When the transaction couldn't resolve, the client displayed the malicious error message to the user, which directed them to install malware that would have prompted users to enter, and subsequently stolen, their private keys.

In order to increase their chances of intercepting transactions from clients, the attacker set up multiple servers in what is commonly referred to as a Sybil attack. The rich text error message that users connected to the malicious servers received is a throwback to Bitcoin developer code, where it was used to report errors back to users such as a low incremental fee, missing inputs, or other issues that could crop up.

A Persistent Attacker

Once the team caught wind of the attack, a patch (3.3.2) was issued for the client, but it was not a long-term solution, as SomberNight explained: “This is not a true fix, but the more proper fix of using error codes would entail upgrading the whole federated server ecosystem out there…”
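The rendering pattern behind the attack and the code-based fix SomberNight describes, shown side by side as an added example that is not Electrum's code: it assumes a JSON-RPC-style reply whose `error` field is either a free-form string (legacy servers) or an object with a numeric `code` (upgraded servers); the reply samples, the message table and the placeholder URL are constructed.

```python
import html
import json
import re

# Constructed sample: the kind of reply a malicious server could return to a
# broadcast request, with rich text and a link inside the free-form error field.
MALICIOUS_REPLY = json.dumps({"id": 1, "error": (
    '<b>Update required.</b> Download the new client from '
    '<a href="https://example.invalid/electrum">example.invalid</a>')})

# Constructed sample: a benign free-form rejection from a legacy server.
LEGACY_REPLY = json.dumps({"id": 2, "error": "min relay fee not met"})

# Constructed sample: a server upgraded to return a code instead of wording.
CODED_REPLY = json.dumps({"id": 3, "error": {"code": 66}})

# Hypothetical client-owned message table (not Electrum's real codes). With
# codes, the text shown to the user never originates from the server.
ERROR_MESSAGES = {
    64: "Transaction rejected: an output is below the dust limit.",
    66: "Transaction rejected: fee is below the server's relay minimum.",
}
GENERIC = "Transaction rejected by the server."

# Anything resembling markup or a link in a legacy string is not shown at all.
MARKUP_OR_LINK = re.compile(r"<[^>]+>|https?://|www\.", re.IGNORECASE)


def vulnerable_display(raw: str) -> str:
    """The pattern behind the attack: the server's text is rendered as-is."""
    return json.loads(raw)["error"]


def hardened_display(raw: str) -> str:
    """Prefer codes; for legacy strings refuse markup/links and show the rest
    escaped (i.e. as plain text, never rich text) and bounded in length."""
    err = json.loads(raw).get("error")
    if isinstance(err, dict):
        return ERROR_MESSAGES.get(err.get("code"), GENERIC)
    if not isinstance(err, str) or MARKUP_OR_LINK.search(err):
        return GENERIC
    return "Server error: " + html.escape(err[:200])
```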

Despite the team's efforts, the patched iteration of their client later succumbed to the attacker again.

Perhaps most troubling is the fact that users with legitimate Electrum wallet clients were susceptible to the attack thanks to the combination of malicious code and Sybil servers. Users who got the malware message received it inside the Electrum client, lending serious credibility to the attack. In addition, according to SomberNight, although GitHub indicated that the commit for the maliciously forked version of Electrum wallet had a verified signature, the binaries were certainly built from modified source, which resisted decompiling.

A Community Caught Off Guard

The unfortunate situation makes an excellent case for projects to seek out MetaCert for verification of their resources, and for crypto-traders to subscribe to our anti-phishing browser plugin, Cryptonite, to keep them safe from phishing attacks. Simply put, if Electrum wallet users had known to look for MetaCert's green shield of trust on web resources, they would have thought twice about downloading the malware version of the wallet, because the website's shield would have remained black. If the shield is black, Cryptonite users know better than to simply trust a web resource. Since the final link in the chain involves a phishing web resource, MetaCert's early warning system is an effective deterrent to these types of attacks.

Published at Thu, 03 Jan 2019 19:59:33 +0000