Ledger clients whose data was stolen in a breach were targeted in a phishing scam this past week. Below, our expert team at Kraken Security Labs has put together an analysis of the ongoing attack against Ledger clients.
This instructive case study could prove useful to all crypto holders.
Since phishing continues to be one of the main methods used by hackers and scammers to steal crypto, we believe that better awareness of phishing methods is vital in the crypto community.
Note that this phishing attack is unrelated to any flaws in the Ledger wallet or its firmware. As a form of social engineering, phishing attacks cannot be avoided through technology alone – education and awareness is key.
Phish Emails and Texts
Many Ledger owners received emails or text messages similar to the one below, asking them to download a new version of their Ledger software.
The criminals are likely using the contact information of the 9,500 customers involved in the June 2020 Ledger breach. Most, if not all, of the emails came from the attacker-controlled firstname.lastname@example.org address.
Should a victim click the link in the email, they will be redirected to a fake, cloned copy of the Ledger site.
The attackers are using a number of redirects and misspelled pages to trick the victim and to rotate pages as they were detected.
Victims are eventually sent to a download page with links to malicious versions of the Ledger Live desktop application. In the screenshot below, notice that the attackers are using the misspelled leGDer.com domain.
The downloaded malware will appear very similar to the legitimate Ledger Live application, except that the application will ask the victim for their recovery phrase and then steal it.
After the victim enters their recovery phrase, the malware sends the recovery phrase to the attacker at loldevs.com.
With the recovery phrase, the attacker can recover the victim’s wallet and then send those funds to one of the…