Malicious Bitcoin wallet updates – a growing trend in malvertising, is now a risk for users as Bitcoin scammers steal $22 million in user funds from fake Electrum wallet app.
On Monday, February 22, between 8 AM – 11 AM UTC, GeoEdge’s security researchers identified a widespread malvertising attack targeting users from the popular bitcoin wallet, Electrum, which is used to store bitcoin and send transactions.
The attackers served unsuspecting users a popup with a message indicating the latest wallet app software update should be installed, citing a vulnerability in the current version. Users were prompted with the following message: “Electrum versions older than 4.0.9 have a vulnerability. Please update Electrum to avoid losing funds”.
This message convinced trusting Electrum users to install the malicious update, which in turn drained the user’s Bitcoin wallet by directly sending them to the attacker’s pre-defined addresses.
As opposed to trafficking the malicious payload through ad creatives, this malicious campaign compromised a major, SSP’s cookie syncing code. Cookie syncing works when two different advertising systems map each other’s unique IDs and subsequently share information gathered about the same user. This code is loaded by many other SSP’s in order to sync the user identifiers which are associated with their domains.
Unlike traditional malicious attacks, this attack is not tied to a single malicious creative or advertiser, but rather is served when an SSP syncs its cookies with the breached SSP, resulting in mass exposure to the attack.
Additionally, through this attack vector, the attacker successfully avoided wasting dollars traditionally spent on obtaining winning bids to push malicious code within RTB auctions, creating a challenge for blocking solutions as the attack was tightly integrated within an integral part of the ad serving process.
An example of different SSP calls to the compromised SSP cookie syncing code
The malicious payload that was added into the cookie syncing code loaded the following URL:
https://ipfs-hosting[.]tk/redirect.php.
Which redirected the victim’s browser to:
https://electrum-4.github[.]io/electrum.html (This page is taken down by Github now).
This page displayed the malicious JS alert that is shown above, and initiated a request to the following URL:
Microsoft-edge:https://electrum-4.github[.]io/
Which automatically opens the Microsoft Edge browser with the malicious download page.
ZDNet has tracked a myriad of Bitcoin accounts carried out over the course of 2019-2020, with the most recent attack occurring in September 2020. According to ZDN, These wallets currently hold 1980 bitcoin, amounting to roughly just over $22 million in current currency. Taking into account the 202 bitcoin stolen in our original December 2018 report, this brings the total to more than $24.6 million stolen with one simple technique.
Electrum has added a formal warning message to download updates only from Electrum.org website: 
By utilizing multiple security detection engines, GeoEdge was able to identify and trace the attack across networks back to its source. With an emphasis on intelligence sharing, GeoEdge’s security research team has been in touch with the SSP, providing all relevant intelligence and attack data. GeoEdge will continue to provide further updates, keeping users informed on this emerging attack vector.
