Cybercriminals have launched a new phishing campaign targeting Ledger wallet users who use fake data breach notifications to steal their cryptocurrency.
Ledger makes physical cryptocurrency wallets that allow users to store, manage and sell cryptocurrencies like bitcoin. The funds stored in the company’s wallets are secured using a 24-word recovery phrase although its devices also support 12, 18, or 24-word recovery phrases used by other cryptocurrency wallets. Since a wallet recovery step can be used to access a user’s funds, they must be stored offline and not shared with others to prevent cryptocurrency from being stolen.
Back in July this year, Ledger suffered a data breach when a vulnerability on the company’s website allowed cybercriminals to access customer contact details. At that time, the company emailed the 9,500 affected customers with more information about the attack.
Starting in October, cybercriminals began sending fake emails to consumers about a new Ledger data breach. These emails told users affected by the breach to install the latest version of Ledger Live, saying:
“We are sorry to inform you that we have been notified of a data breach affecting confidential data belonging to approximately 115,000 of our customers, which includes encrypted personal, private and public keys PIN, as well as the amount of each cryptocurrency stored inside the wallet. “
False data breach notifications
This new phishing campaign is quite clever as it plays on the fears of Ledger users who received an email a few months ago informing them of a real data breach. The fake data breach notification emails also use Punycode characters to mimic the company’s website using either accented or Cyrillic characters. This means that users might think that they are visiting ledger.com when in fact they are clicking on a link to https: // ledģėr[.]com.
After visiting the simulated site, users are encouraged to download the Ledger Live app for either mobile or desktop. Links to the mobile versions of the app are valid but the link to the desktop version downloads a fake Ledger Live application that is designed to be almost identical to the legitimate version.
When a user clicks on the “Restore devices from Recovery phrase” option in the fake app, they are prompted to enter their recovery phrase which is then sent back to a domain controlled by the attackers. The fake app also asks users for their secret password and with both in hand, the attackers can fully access a user’s wallet and steal all their cryptocurrency.
To prevent this new phishing campaign from suffering, Ledger users should take particular care when checking their email and avoid clicking on links to Ledger.com in any emails that eventually appear in their inboxes . Ledger plans to publish a phishing status page next week to give its users more information about these ongoing attacks.