A phishing scam targeting Ledger users | Kaspersky official blog

Until recently, scammers mainly focused on cryptocurrency wallets owned by individual users. However, businesses are increasingly using cryptocurrencies, so attackers are now trying to get their hands on corporate wallets as well. You don’t have to look far for examples. The recently studied Efimer malware, which was distributed to organizations, is capable of swapping cryptocurrency wallet addresses in the clipboard. So we weren’t really surprised to observe cryptocurrency phishing campaigns directed at both individual and corporate users. What did come as a surprise, though, was the sophistication of the cover story and of the scam as a whole.

The phishing scheme

This particular scheme targets users of Ledger hardware cryptocurrency wallets — specifically the Nano X and Nano S Plus. The scammers send out a phishing email with a lengthy apology. The email claims that, due to a technical flaw, segments of the users’ private keys were transmitted to a Ledger server; the data was well-protected and encrypted, but the “company’s team” had discovered a highly complex data breach. The attackers’ fake story goes on to state that the intruders exfiltrated fragments of keys and then used extremely advanced methods to decrypt and reconstruct some of them — “leading to the theft of crypto assets”. Users are then advised to protect their wallets from being compromised through the same vulnerability by immediately updating their device’s firmware.

Phishing prompt to update the firmware

It’s a compelling story, to be sure. But if you apply some critical thinking, a few inconsistencies crop up. For example, it’s unclear how a fragment of a key could be used to reconstruct the whole thing. It’s also completely baffling what these “advanced decryption methods” are, and how Ledger representatives supposedly know about them.

The email itself is crafted extremely carefully: there’s almost nothing to nitpick. It wasn’t even sent with the help of standard scammer tools; instead, the attackers used a legitimate mailing service, SendGrid. This means the emails have a good reputation and often bypass anti-phishing filters. The only red flags are the sender’s domain and the domain of the website users are told to visit for the firmware update. Needless to say, neither has any connection to Ledger.
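As an added defender-side illustration that is not part of the original post: a minimal check that applies the red flag just described, comparing the sender domain and every linked domain in a plain-text email against the domains a named brand actually uses. The brand allowlist, the two sample emails and the `.example` domains are constructed for this example, not taken from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a brand legitimately mails from and links to. Constructed allowlist for
# this example (assumption); a real deployment would maintain it per brand.
BRAND_DOMAINS = {"ledger": {"ledger.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores public suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_mismatches(raw_email: str) -> list:
    """(kind, domain) red flags: sender and link domains foreign to the brand the mail names."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # plain-text, non-multipart mail assumed
    text = (msg.get("Subject", "") + "\n" + body).lower()
    brands = [b for b in BRAND_DOMAINS if b in text]
    if not brands:
        return []  # no known brand invoked, nothing to compare against
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    if "@" in sender:
        sender_dom = registrable_domain(sender.split("@")[-1])
        if sender_dom not in allowed:
            flags.append(("sender", sender_dom))
    for url in URL_RE.findall(body):
        link_dom = registrable_domain(urlparse(url).hostname or "")
        if link_dom not in allowed and ("link", link_dom) not in flags:
            flags.append(("link", link_dom))
    return flags


# Constructed samples resembling the campaign described above, not the real emails.
PHISHING_EMAIL = """From: Ledger Support <support@ledger-security-update.example>
Subject: Urgent firmware update for your Ledger Nano X

We sincerely apologise. Please update your device firmware now:
https://firmware-update.example/ledger/nano-x
"""
LEGIT_EMAIL = """From: Ledger <news@ledger.com>
Subject: Ledger newsletter

Read more at https://www.ledger.com/blog
"""
```

Because the mail in this campaign was sent through a reputable provider, reputation-based filters alone miss it; a brand-to-domain comparison like this one catches it on the only signal the post identifies.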

The scammers’ website

The website is also very clean and professionally designed — if you ignore the completely irrelevant domain it’s hosted on, that is. It’s possible the site serves multiple scams, as there’s no mention of a firmware update, and it lists far more devices than the email does. The website even has a functional support chat! While that’s most likely a chatbot, it does respond to questions and gives seemingly helpful advice. The whole point of the site is to get you to enter your seed phrase after you select your device.

The interface for entering seed phrases

A seed phrase is a randomly generated sequence of words used for recovering access to a cryptocurrency wallet. And as you may have guessed, it should not be entered, as anyone who knows it can gain full access to your crypto assets.

On a separate note, when you search Google for sites like this one, you’ll find a surprising number of similar fake pages. This type of scam is clearly quite popular.

How to stay out of harm’s way?

Whether you manage your crypto assets on your own devices or simply use regular online banking apps, it’s crucial to stay informed about the latest tactics attackers are using. For company employees, we recommend specialized training tools to boost their awareness of modern cyberthreats. One effective way to do this is by using the Kaspersky Automated Security Awareness Platform. For home users, our blog is a great resource for learning how to spot phishing scams.

Additionally, we recommend installing a robust security solution on both the personal and work devices you use for financial transactions. These solutions can both block access to phishing sites and prevent data breaches.
