Back to the list

Phisher Uses Electrum Wallet To Push Fake Software Update


unhashed.com 28 December 2018 17:09, UTC
Reading time: ~3 m

A major vulnerability has been exposed in Electrum, a leading Bitcoin wallet with several forks that are compatible with other cryptocurrencies. This is the second Electrum bug in a single year, and the crypto community is now debating the merits of the wallet. How can the phishing attack be avoided, and is the Electrum wallet still secure?

How the Attack Works

An issue posted to Electrum’s GitHub page explains the nature of the bug. Essentially, many Electrum users connect to a remote node when they use their wallet. Anyone who hosts one of these remote nodes is able to send an error message and disguise it as an update notification. This message urges users to install a new version of Electrum, as seen below:

The wallet repository linked in the above image looks extremely authentic, but it is in fact fake. Although the repository has since been flagged and deleted, it is possible that another fake wallet could emerge elsewhere, allowing the phishing campaign to persist.

So far, Electrum’s developers have only mitigated the problem: the current fix removes the capacity for error messages to contain rich text and hyperlinks. This means that it will be harder for phishers to convince users to follow an unsafe link. This is merely a temporary patch; a more thorough solution will be introduced in the future.

Suggested Reading Learn about the most secure crypto wallets.

The Problem With Phishing

Crypto wallets are a popular target for phishers. Nearly identical wallets can be built easily, allowing phishers to steal private keys from those who download the fake software. Once a fake wallet has been created, a phisher only needs to distribute it — usually through app stores, GitHub, or a custom website. Sometimes the fake wallet will be publicized on social media as well.

Several prominent wallets have been targeted this way: MyEtherWallet, MetaMask, OWallet, Jaxx, and many others have all been targeted by phishers over the past year. However, these phishing campaigns were carried out on third-party platforms and communication channels, while Electrum’s phishing campaign was carried out through the wallet itself.

The fact that Electrum allows node operators to send any message they want is a major security oversight to say the least. But despite this problem, the community is locked in a debate: are users to blame for their lack of vigilance, or are Electrum developers to blame for overlooking a security hole?

There is no easy answer, since any communication channel can potentially be used to orchestrate a phishing campaign — although messages that come directly from a wallet are, naturally, more dangerous. Regardless, the way that you can avoid phishing is always the same: ensure that you are downloading your wallet from the correct source.

Back to the list