Warning: There is an ongoing phishing attack against Electrum users

[bL4nkcode]

Saw this tweet of electrum hours ago. Please be aware, and be careful.

"Warning: there is an ongoing phishing attack against Electrum users, where rogue servers ask users to install bitcoin-stealing malware. We released version 3.3.2, which mitigates the attack. See https://electrum.org/#download"

Source: https://twitter.com/ElectrumWallet/status/1083334662427164672

[1713597726]

1713597726

[1713597726]

1713597726

[1713597726]

1713597726

[Lucius]

I'm not sure why Electrum gives a warning again since that attack is actually never stopped. Electrum just changed, or as they say mitigates the attack in a way how users see that notification pop message.

So there is no direct link to fake wallet download (click link), but message is looks like this :



Some users obviously still fall into this trap and download fake wallets, probably because of that Electrum reacted again by tweet that warning.

[BitMaxz]

It seems that the error only shows on the latest version of electrum? I tried the other version but I don't see any error yet.

It looks like only the 3.3.2 version is infected with this attack.

I'm sure that they will release a new version of electrum this coming week and I hope they can inform all Electrum users about this issue before someone installs a fake Electrum wallet.

I already check the link from the image above it looks like someone already reported it.

[HCP]

It seems that the error only shows on the latest version of electrum? I tried the other version but I don't see any error yet.

It looks like only the 3.3.2 version is infected with this attack.

It has nothing to do with the version of the Electrum client that you have installed/are using... it all depends on which Electrum server you get connected to.

Also, I believe that the message only shows when you attempt to broadcast a transaction.

The message is generated and sent by rogue Electrum servers that have been setup and launched by the attackers. They modified the (open source) code, so that regardless of your client and/or how your transaction is setup, the server will automatically return the fake "error" message to your client encouraging you to "upgrade". Then the attackers launched hundreds of servers (using different domains) to increase the odds that a client would get automatically connected to one of their servers.

So, if you automatically (or manually) connect to a "good" server, you will never see this message... and if you're connected to a "bad" server, but don't try and broadcast a transaction, you will not see this message either.

[pooya87]

I'm not sure why Electrum gives a warning again since that attack is actually never stopped. Electrum just changed, or as they say mitigates the attack in a way how users see that notification pop message.

people aren't upgrading their Electrum just because this bug existed in older versions. there are still people using Electrum 2.x.x versions out there too! so as long as the attack is ongoing some sort of warning on their Twitter page from time to time is a good idea. they may need to stick it on top though.

[elda34b]

people aren't upgrading their Electrum just because this bug existed in older versions. there are still people using Electrum 2.x.x versions out there too! so as long as the attack is ongoing some sort of warning on their Twitter page from time to time is a good idea. they may need to stick it on top though.

They'll probably need to pin it forever, because it seems these 'bad' servers will continue to exist as long as people still use Electrum. Anyway, this should increase security awareness. For god’s sake, I never understand why people just download and never verify a file from the internet.

[Lucius]

There is currently no way to prevent the appearance of this message through legitimate Electrum wallet so every warning is welcome. But the very fact that vulnerability still exists makes this wallet very risky for any inexperienced user. We can talk about how is important to always check files before installation, or to never download wallets from untrusted source - people simply do not pay attention to such things.

I'm not sure if it's technically possible that Electrum use this exploit in a way to show warning message to users, but before any transaction is initiated?

[Awkward_Public_Stoner]

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

[Abdussamad]

I'm not sure if it's technically possible that Electrum use this exploit in a way to show warning message to users, but before any transaction is initiated?

Well first of all Electrum doesn't show update notifications at all. If it were to start now it'll only muddy the waters even more

Second the message is by the server you are connected to and the electrum company doesn't control those servers. If it did then they could simply replace the messages with numerical error codes and then the client could display a limited set of meaningful error messages depending on the error code instead of arbitrary messages from the server. This is the proper fix they talked about.

In the meantime the electron cash approach might work where they attempt to parse the message from the server and then replace it with a legit error message. Another suggestion was to hide the message from the server under a read more button so that those who actually cared could read it while your regular users won't bother and therefore won't be phished.

[Lucius]

Well first of all Electrum doesn't show update notifications at all. If it were to start now it'll only muddy the waters even more

Electrum is show this message in combination with bad servers, and even if Electrum can not influence on such servers, yet there is a great deal of responsibility on them. Such a thing should be foreseen and prevented, but instead of that we have hundreds of stolen BTC and confusion that continues to last...

You posted some of possible solutions, and both would in any case be better than the current situation. It's been 16 days since the attack started, and only fix in that period is mitigation of problem.

I see there is version of Electrum 3.2.4 (2018-12-31 11:26), but on main page is still Latest release: Electrum-3.3.2 , even more confusion...?

Do we have a list of servers that are safe for sure? Would help because then you could connect manually to those when you get the pop up.

Nothing is 100% sure, but I found a list with Electrum servers which could help. However, owner of this site can also be tricked to list some bad server, it is just for informational purposes.

https://1209k.com/bitcoin-eye/ele.php

[Abdussamad]

You posted some of possible solutions, and both would in any case be better than the current situation. It's been 16 days since the attack started, and only fix in that period is mitigation of problem.

You should complain in that issue: https://github.com/spesmilo/electrum/issues/4968

I see there is version of Electrum 3.2.4 (2018-12-31 11:26), but on main page is still Latest release: Electrum-3.3.2 , even more confusion...?

3.2.4 contains a backported version of the phishing attack mitigation for users who can't upgrade to python 3.6. Everyone else should stick to 3.3.2.

[paulus59]

hello there

some day's ago someone stole my BTC from electrum wallet after I upgraded from 3.3.1  > to 3.3.2

all my BTC are gone 0.05xxx    but I have decided after cleaning my computer to reinstall the new and latest wallet
now when I installed this I tough let's see the file structure in that wallet it apart from mine wallet.dat folder this is what I saw  http://i66.tinypic.com/2n0pkq8.jpg

i don't think this is correct look at the date stamp of the actual wallet exe file create day: 11-11-2000 !!???

so, in short, i downloaded from the original website what I always do then installed it then I went to the folder and this is what i saw

please need help an advice

[Abdussamad]

look at your browser history and confirm the url you downloaded electrum from ?

[paulus59]

yes, it is from the original website >  http://nl.tinypic.com/r/2njwpc8/9


image of download history



i would say check your own folder structure see if it is the same as my image

[G3nijalac]

So what would be the wisest course of action?
Just wait untill the issue gets fixed and not use the wallet in the meantime?

One important question. Does the transaction go trough despite the error msg?
Like is the functionality unaffected?

Thanks for info.

[Abdussamad]

So what would be the wisest course of action?
Just wait untill the issue gets fixed and not use the wallet in the meantime?

One important question. Does the transaction go trough despite the error msg?
Like is the functionality unaffected?

Thanks for info.

The only thing you need to do is that in the event you get an error message when spending bitcoins try switching servers. Don't download any software that the error message tells you to.

[HCP]

One important question. Does the transaction go trough despite the error msg?
Like is the functionality unaffected?

To answer this question... As I understand it... No, the transaction does not go through. All the "bad" servers do is throw back the fake error message and encourage the user to download malware. (NOTE: I believe the github repository that it linked to has already been removed)

So, as Abdussamad mentioned, simply ignore the error and connect to a different server. If you do that, there is no danger to your wallet or coins from this "attack".

[joele]

Old Electrum 2.9.3 and selected server node 'b.ooze.cc' still works for me.

[Lucius]

joele, older versions still works, but there are problems with synchronization and with security. You should not use any version under 3.0.5 because of security problem which is fixed with this version. Also it is good practice to always use latest version, your version is too old and it is not safe.

# Release 3.0.4 : (Security update)

 * Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
   in the JSONRPC interface. Previous versions of Electrum are
   vulnerable to port scanning and deanonimization attacks from
   malicious websites. Wallets that are not password-protected are
   vulnerable to theft.
 * Bundle QR scanner with Android app
* Minor bug fixes

# Release 3.0.5 : (Security update)

This is a follow-up to the 3.0.4 release, which did not completely fix
issue #3374. Users should upgrade to 3.0.5.

 * The JSONRPC interface is password protected
 * JSONRPC commands are disabled if the GUI is running, except 'ping',
which is used to determine if a GUI is already running

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

[pooya87]

finally it is fixed in the newest version 3.3.3
reference: https://github.com/spesmilo/electrum/pull/5011/files
it uses the same approach as the electronBCH approach that takes the message, analyzes it and then translates that into predefined messages instead of showing whatever the server sent. that should solve this issue for good.
if the server sends you a malicious message you should see ""Unknown error" instead of it.