A reportedly ongoing attack against the Bitcoin wallet Electrum has seen the hacker(s) steal about 250 Bitcoin. Although the official Electrum project has made an announcement and shipped a silent patch to mitigate the risk, and GitHub administrators removed the malware, this attack may come back under a different cover. This type of phishing attack has been around for a couple of years, so why do people still fall for it? Let's examine how it works.
How the phishing attack works
Like most phishing attacks, the hacker(s) trick Electrum wallet users into downloading a "new update" that contains a Trojan. The key is to display a message, with a download link, inside the genuine Electrum wallet GUI. Yes, that link downloads the malicious wallet installer.
To see the full picture, these are the steps the hacker(s) carried out:
- Launching tens of Electrum servers into the peer-to-peer network.
- Returning a phony message to the user when he/she makes a new transaction.
- The message tricks the user into installing a "new version" that carries the Trojan.
- The Trojan asks for the user's 2FA. Then it steals the wallet's balance.
The more malicious Electrum servers are added to the network, the better the chance of catching a victim. At the same time, the current Electrum wallet displays rich-text messages received from servers to its user. As it is a decentralized network, it is impractical to verify a message's authenticity.
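The defensive lesson from the paragraph above is that a wallet should never render a server-supplied error string as rich text, and should treat embedded markup, links or "install an update" wording as a reason to withhold the message rather than show it. The following added example illustrates that policy; it is not Electrum's code or its actual fix. The sample message, the placeholder URL `https://example.invalid/...`, the keyword list and the 200-character limit are all constructed for the illustration.

```python
import html
import re

# Constructed sample of the kind of message a malicious server could return
# with a rejected transaction: an HTML fragment carrying an "update" link.
# The URL is a placeholder, not a real address.
SAMPLE_SERVER_MESSAGE = (
    'Your version of Electrum is outdated. '
    '<a href="https://example.invalid/electrum-update">Download the new version</a>'
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
MAX_LEN = 200  # assumed cap so a server cannot flood the error dialog
INSTALL_WORDS = ("update", "upgrade", "download", "new version")  # assumed list


def sanitize_server_message(raw: str) -> dict:
    """Turn an untrusted server string into plain text plus risk flags.

    - Markup is escaped, so a GUI shows it literally instead of rendering a link.
    - Any tag, URL or install-style wording is recorded as a reason to distrust it.
    - The text is truncated to MAX_LEN characters.
    """
    reasons = []
    if TAG_RE.search(raw):
        reasons.append("contains HTML markup")
    urls = URL_RE.findall(raw)
    if urls:
        reasons.append(f"contains {len(urls)} URL(s)")
    lowered = raw.lower()
    if any(word in lowered for word in INSTALL_WORDS):
        reasons.append("asks the user to install software")
    return {
        "display_text": html.escape(raw[:MAX_LEN], quote=True),
        "suspicious": bool(reasons),
        "reasons": reasons,
        "urls": urls,
    }


def user_facing_message(raw: str) -> str:
    """What a cautious client shows: a fixed generic line when the server text
    looks like an instruction to the user, otherwise the escaped server text."""
    result = sanitize_server_message(raw)
    if result["suspicious"]:
        return ("The server rejected the transaction. Server message withheld: "
                + "; ".join(result["reasons"]))
    return result["display_text"]


if __name__ == "__main__":
    print(user_facing_message(SAMPLE_SERVER_MESSAGE))
    print(user_facing_message("transaction rejected: insufficient fee"))
```

The point of the generic line is that a server can legitimately reject a transaction (for example over fees), but it has no business telling the user what software to install; the client decides what reaches the screen, not the peer.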
Once the Trojan is deployed, the only hurdle between the victim's private key and the hacker(s) is the 2FA or passphrase. Users are often caught off guard by abnormal behaviour, especially right after installing a new version.
The result is bitter: anything left in that wallet will be stolen, including future deposits. Unplugging the computer's power won't do any good, because the hacker(s) don't need to access your computer at all. The private key, or seed, means everything. But there must be ways to prevent it.
How to prevent it
There are articles advising users to always download software from the official website, or to verify the software's signature before installation. That is not good enough. It is a head-scratching task for a non-technical user to undertake. In essence, users want peace of mind, and a complex solution never fits that well.
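For readers who do want to see what the "verify before installing" step amounts to, here is an added example (not Electrum's tooling and not part of the original post) that checks a downloaded installer against a pinned SHA-256 digest and refuses a file that differs by a single byte. The "release" is the constructed content `b"abc"`, whose SHA-256 is the well-known test-vector value pinned below; the file names are made up. In practice the pinned digest, or better a detached signature, comes from the project's release page, never from a link shown inside the wallet.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed fixture: SHA-256 of the bytes b"abc" (standard test vector).
# A real release page publishes this digest next to the installer.
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def file_sha256(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """Compare the file's digest with the pinned value in constant time.
    Any mismatch, however small, means the file must not be installed."""
    return hmac.compare_digest(file_sha256(path).lower(), expected_hex.lower())


def run_demo() -> dict:
    """Write a genuine and a tampered copy to a temp dir and check both."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "electrum-installer.bin")      # made-up name
        tampered = os.path.join(d, "electrum-installer-bad.bin")  # made-up name
        with open(genuine, "wb") as f:
            f.write(b"abc")
        with open(tampered, "wb") as f:
            f.write(b"abd")  # one byte changed, as a trojaned download would be
        return {
            "genuine": verify_download(genuine, PINNED_SHA256),
            "tampered": verify_download(tampered, PINNED_SHA256),
            "genuine_digest": file_sha256(genuine),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

A digest check only proves the file matches what the publisher posted; it says nothing about whether the publisher's page itself was genuine, which is why the post's point about non-technical users stands.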
Peace of mind with OctoWallet
Suppose the victim had been using OctoWallet and nothing else in the scenario above changes. The hacker cannot succeed, because OctoWallet safeguards your private key: it is never online, and your seed is kept ONLY on paper in your mother's house. In addition, the victim has two other chances to be alerted to this phishing act by:
- Checking the transaction's destination address on the OctoWallet screen.
- Physically confirming every transaction before it is approved.
If you have any good ideas for fighting hackers, feel free to share them with us.