Cybercriminals have launched a new phishing campaign targeting Ledger wallet users that uses fake data breach notifications to steal their cryptocurrency.
Ledger makes physical cryptocurrency wallets that allow users to store, manage and sell cryptocurrencies such as bitcoin. The funds stored in the company’s wallets are secured using a 24-word recovery phrase though its devices also support 12, 18, or 24-word recovery phrases used by other cryptocurrency wallets. As a wallet’s recovery phase can be used to access a user’s funds, they must be stored offline and not shared with others to prevent cryptocurrency from being stolen.
Back in July of this year, Ledger suffered a data breach when a vulnerability in the company’s website allowed cybercriminals to access customers’ contact details. At that time, the company emailed the 9,500 customers who were affected with more information about the attack.
Beginning in October, cybercriminals began sending out fake emails to users regarding a new Ledger data breach. These emails told users affected by the breach to install the latest version of Ledger Live, saying:
“We regret to inform you that we have been alerted of a data breach affecting confidential data belonging to approximately 115,000 of our customers, which includes personal information, PIN-encrypted private and public keys, as well as the amount of each cryptocurrency stored inside the wallet.”
Fake data breach notifications
This new phishing campaign is quite clever as it plays on the fears of Ledger users who received an email just a few months ago informing them of an actual data breach. The fake data breach notification emails also use Punycode characters to impersonate the company’s website using either accented or Cyrillic characters. This means that users may think they’re visiting ledger.com when in fact they are really clicking on a link to https://ledģėr[.]com.
After visiting the fake site, users are prompted to download the Ledger Live app for either mobile or desktop. The links to the mobile versions of the app are genuine but the link to the desktop version downloads a fake Ledger Live application that is designed to be almost identical to the legitimate version.
When a user clicks on the “Restore devices from Recovery phrase” option in the fake app, they are prompted to enter their recovery phrase which is then sent back to a domain controlled by the attackers. The fake app also asks users for their secret passphrase and with both in hand, the attackers can gain full access to a user’s wallet and steal all of their cryptocurrency.
To prevent falling victim to this new phishing campaign, Ledger users should be extra careful when checking their email and avoid clicking on links to Ledger.com in any emails that do end up in their inboxes. Ledger plans on publishing a phishing status page next week to provide its users with more information on these ongoing attacks.
Via BleepingComputer