Electrum is a popular Bitcoin wallet which doesn't require users to download the full blockchain and instead uses servers to remotely provide users with blockchain accessed through their wallet.
A threat actor or actors added several malicious servers to the Electrum wallet network that when accessed prompt users with a phony error message instructing users to download a wallet app update from a malicious Github repository.
Once opened, the malicious wallet app asks for a user’s two-factor authentication code which is then used to steal the user's funds and transfer them to the attacker’s Bitcoin address.
“There is an ongoing attack against users where servers raise exceptions when a client broadcasts a transaction; in this case the error text is displayed as is in the client GUI,” Electrum said in a statement. “The attacker has spawned lots of servers on different /16 IPv4s to increase his chances of being connected to. The error messages are trying to get the user to download and install malware (disguised as updated versions of electrum).”
The attacks began on Dec. 21 and while Electrum has since modified its software and released an update to make the initial phishing message look less authentic, user’s are still at risk of attack as the issue hasn’t really been patched yet.
The firm said the patch isn’t a true fix as a more proper fix would require the upgrading of the entire federated server ecosystem.
The initial attacks seemed to have been more effective than latter attacks as the Electrum wallet rendered the phishing messages as rich text formatted making them appear more authentic.
Part of the temporary fix involved making the messages not render as rich HTML text anymore and instead leaving the messages mangled with fishy text.
Despite the improvements, users are still cautioned to be on the lookout for the scame and have been cautioned to not download Electrum from any sources other than the official website.