Fake Electrum version 4.0 and hardware wallets

[philinje]

If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave

I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

[1714927007]

1714927007

[1714927007]

1714927007

[1714927007]

1714927007

[1714927007]

1714927007

[1714927007]

1714927007

[ranochigo]

I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

No. Electrum doesn't control your web browser so they can't restrict you from viewing the website. There is also no filtering on the things that you can display in that dialog box.

[o_e_l_e_o]

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

The best you can do is report the address to the domain name provider. Whois data says that that address is registered by namesilo. You can fill in an abuse report here: https://www.namesilo.com/report_abuse.php

You can also report it as a phishing link at the following places, which may aid in getting it taken down:
https://safebrowsing.google.com/safebrowsing/report_general/
https://us-cert.cisa.gov/report-phishing

Having said that, it's unlikely to make much difference. These scammers are used to their sites getting frequently taken down and are registering a new domain to continue their scam from on a weekly basis. Every report of someone falling for this scam is using a different URL.

[Abdussamad]

I just received the fake error message in Electrum 3.3.4. Here is the malicious website:

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

You should update to 4.0.2 via electrum.org.

however 3.3.4 should not be vulnerable to these phishing messages according to the release notes:

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES#L184

may be you are using an even older version?

[HCP]

Looks like someone reported the site to the domain registrar... and they promptly removed the DNS entries, as the URL doesn't return an IP address anymore:

[philinje]

I just received the fake error message in Electrum 3.3.4. Here is the malicious website:

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

You should update to 4.0.2 via electrum.org.

however 3.3.4 should not be vulnerable to these phishing messages according to the release notes:

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES#L184

may be you are using an even older version?

Sorry, it was 3.3.2.

[philinje]

If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave

I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

Already in the blacklist. Check this

Category: Phishing
Counterfeit web pages that duplicate legitimate business web pages for the purpose of eliciting financial, personal or other private information from the users.

You have the old client which seems to be vulnerable to this old fishing trick. Upgrade ASAP to the newest Electrum version which is 4.0.2 at the moment. Be wise to verify pgp signature of downloaded distribution.

Thanks. I have several questions:

How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?

Does the upgraded Electrum client simply block all messages from blacklisted servers? or what is the mechanism for preventing connections to fraudulent servers?

Once I get a message from a fraudulent server, will it get stored in local storage and be likely to be connected to again?

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?

Sorry for the multiple questions!

[HCP]

How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?

It doesn't... and it can't...

The "bad" servers are running a custom version of the Electrum Server software designed to send the "update required" message and link to malware when they receive a "send transaction" request from a client.

Does the upgraded Electrum client simply block all messages from blacklisted servers? or what is the mechanism for preventing connections to fraudulent servers?

There is no "blacklist"... the mechanism is that the Electrum client no longer just displays the verbatim text that is received back from a server... instead, there is a set list of predefined error messages that it will accept and display... if something "unexpected" is received, the client will display "Unknown Error" and advise you to try again or use a different server etc.

Once I get a message from a fraudulent server, will it get stored in local storage and be likely to be connected to again?

No, the message is received, processed and discarded... There is no action taken to blacklist the server and ignore it.

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?

Yes.

You could potentially implement your own blacklist and prevent outgoing connections to the IP in your own firewall.

[nc50lc]

How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?

Most of them will perform a DOS attack to the connected old vulnerable client to keep it offline without error messages hoping for the user to upgrade to the latest version.
Reference: https://github.com/spesmilo/electrum/issues/5195#issuecomment-473157912
But since there's still a good chance that Electrum will connect to a "bad server" if server selection is set to automatic, these phishing incidents will still arise.

In the other hand, any "good servers" or clients can't blacklist "bad servers",
you can manually connect to good server that gets your client online though.

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?

That message alone is harmless if you ignore it.
But you must upgrade before trying to send again since it will hard to find a good server that lets you connect.
It's not always recommended to use outdated software; whether it's Electrum or not.

[pooya87]

In the other hand, any "good servers" or clients can't blacklist "bad servers",
you can manually connect to good server that gets your client online though.

it may not be such a bad idea to add a new option on client side to exclude (or blacklist) certain servers from their list, or alternatively the current server selection list could add a multi-select option where user could choose multiple servers to connect to automatically and randomly instead of using the entire list.
this could be beneficial for both privacy and security.

[DaveF]

If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week.
It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.

-Dave

I just received the fake error message in Electrum 3.3.4. Here is the malicious website: https://www.electrumdigital.website

Does it make sense to give this to the ElectrumX team, so they can blacklist this address?

Guess I'll have to hunt it down another way.
Geez, how tough is it to get robbed around here :-)

Some google search results for "Electrum download" look suspiciously the malware version,
especially those from random sources like 'softonic' and 'softpedia'. (if not, they come with a virus)

So I finally got a copy of one of the bad versions on a machine I was going to DBAN anyway to check, and it would not even recognize my old ColdCard at all.
Plugged it into a legit machine and it was there so I know it was not the hardware wallet. So whoever is writing the malware either broke the HW wallet compatibility or just did not bother putting it in.

-Dave

[o_e_l_e_o]

-snip-

That's interesting. Do you have any other hardware wallets on hand you could try it with? Presumably the attacker figured it wasn't worth their time to keep up to date with support for hardware wallets, since the majority of hardware wallet users would reject a transaction they didn't generate trying to sweep all their coins to an unknown address (at least, you would hope so).

[philinje]

How does the upgraded ElectrumX server mitigate this issue? Does it keep a blacklist of fraudulent servers and exclude them from the network?

Most of them will perform a DOS attack to the connected old vulnerable client to keep it offline without error messages hoping for the user to upgrade to the latest version.
Reference: https://github.com/spesmilo/electrum/issues/5195#issuecomment-473157912
But since there's still a good chance that Electrum will connect to a "bad server" if server selection is set to automatic, these phishing incidents will still arise.

In the other hand, any "good servers" or clients can't blacklist "bad servers",
you can manually connect to good server that gets your client online though.

If I ignore the message, do I simply try to send again, and hopefully connect to a legitimate server?

That message alone is harmless if you ignore it.
But you must upgrade before trying to send again since it will hard to find a good server that lets you connect.
It's not always recommended to use outdated software; whether it's Electrum or not.

Thanks for these answers, and also to HCP. Very helpful! That is interesting about the DOS attack. One further question: how do I find a list of good servers and then manually connect to one (is there a setting for this)?

[HCP]

...One further question: how do I find a list of good servers and then manually connect to one (is there a setting for this)?

AFAIK, there isn't really a list of "trusted" servers...

I would guess that all you can do is let Electrum find any server, try your transaction and if it goes through OK without giving you the "unknown" error, then you can add that particular server to your own personal list of "trusted" servers that you want to connect to... and then manually connect to one from your list.

[pooya87]

~
So I finally got a copy of one of the bad versions on a machine I was going to DBAN anyway to check, and it would not even recognize my old ColdCard at all.
Plugged it into a legit machine and it was there so I know it was not the hardware wallet. So whoever is writing the malware either broke the HW wallet compatibility or just did not bother putting it in.

-Dave

have you tried your ColdCard on an old (real) Electrum version such as <3.2.3 because i believe that the malicious version was forked from one of those earlier versions and may not have been updated. and there were some bugs in some of those earlier versions that are fixed in new ones. for instance Coldcard from Coinkite was not even supported in Electrum.

[DaveF]

~
So I finally got a copy of one of the bad versions on a machine I was going to DBAN anyway to check, and it would not even recognize my old ColdCard at all.
Plugged it into a legit machine and it was there so I know it was not the hardware wallet. So whoever is writing the malware either broke the HW wallet compatibility or just did not bother putting it in.

-Dave

have you tried your ColdCard on an old (real) Electrum version such as <3.2.3 because i believe that the malicious version was forked from one of those earlier versions and may not have been updated. and there were some bugs in some of those earlier versions that are fixed in new ones. for instance Coldcard from Coinkite was not even supported in Electrum.

-snip-

That's interesting. Do you have any other hardware wallets on hand you could try it with? Presumably the attacker figured it wasn't worth their time to keep up to date with support for hardware wallets, since the majority of hardware wallet users would reject a transaction they didn't generate trying to sweep all their coins to an unknown address (at least, you would hope so).

The machine in question has already been wiped. It was actually wiped before I even posted here.
I did not check a version prior to 3.2.3 I have just been using whatever is / was current. Did not know that the malware version was based on code that was 2 years old.

I have an old trezor that I can check against it. Should have another machine or 2 that will need to be wiped in a few days or early next week at the latest.

-Dave

[philinje]

...One further question: how do I find a list of good servers and then manually connect to one (is there a setting for this)?

AFAIK, there isn't really a list of "trusted" servers...

I would guess that all you can do is let Electrum find any server, try your transaction and if it goes through OK without giving you the "unknown" error, then you can add that particular server to your own personal list of "trusted" servers that you want to connect to... and then manually connect to one from your list.

Thanks again. I figured out I can open Network under Tools, and there is a list of 10 servers I am connected to. Beneath that there is a list of other known servers. I'm going to assume the ones with domains that start with electrumx are more recent. Of the servers I am connected to, there are two that start with electrumx: electrumx.erbium.eu:50002 and electrumx.[Suspicious link removed]:50002

If I right-click one of those, I get the "use as server" option. Would you know if either or both of the servers above are safe?

Does the list of 10 servers I am connected to change randomly with every transaction, as long as I check "Select server automatically"?

[nc50lc]

-snip-

You said your last Electrum version "was" 3.3.2, so have you upgraded to the latest version?
If yes, don't sweat the server selection, bad servers can only block your transaction broadcast at worst, the message will be a generic error msg.
If you want, you can use electrum.blockstream.info:50002 as server, that is 100% surely isn't a phishing server but I can't vouch for the privacy part.

[HCP]

I'm going to assume the ones with domains that start with electrumx are more recent.

That is an incorrect assumption to make... they can literally be called almost anything, it is simply a choice made by the admin of the server what name is used... "electrumx" is simply the default name for ElectrumX based servers. Additionally, I would suspect that the "bad servers" were actually running a modified version of ElectrumX...

As nc50lc has pointed out... the "bad servers" can't actually steal your coins. All they can do is show a fake error message... and even that problem is mitigated by using newer versions of Electrum. To actually lose coins, you would need to download and install a fake version of Electrum that immediately sends your balance when you start it up... and that issue can be mitigated by only downloading from electrum.org and always verifying the digital signature of the download before running/installing Electrum.

[philinje]

-snip-

You said your last Electrum version "was" 3.3.2, so have you upgraded to the latest version?
If yes, don't sweat the server selection, bad servers can only block your transaction broadcast at worst, the message will be a generic error msg.
If you want, you can use electrum.blockstream.info:50002 as server, that is 100% surely isn't a phishing server but I can't vouch for the privacy part.

Thanks again. Yes, I verified the 4.0.2 build and installed it. I am just paranoid because I previously made a connection to a bad server, and there is a lot of btc in this wallet. Just need to be extra sure. I haven't used Electrum a lot and now I understand a lot better how it works.

This is a great community and a great product. It's too bad this phishing exploit caused some bad press and paranoia. Anyway, I will do my best to promote the product!