Just noticed a user reported on their subreddit [link] yesterday that there's also a new fake Microsoft Edge addon: Ledger wallet crypto converter
- It uses their previous logo and it's still active, so please take a minute to also report it.
Topic: Fake Leger Live app (extension ). (Read 192 times)
~snip~
I have always said that the main threat to the bitcoin stash is a stash's owner and if the latter is dumb neither open source hardware wallet nor Linux will help
I have always said that the main threat to the bitcoin stash is a stash's owner and if the latter is dumb neither open source hardware wallet nor Linux will help
And I have always said that people are the weakest link in that security chain, so even though I used to think that such behavior stems from the fact that before all the instructions that came in the package with the device were written in English, that changed years ago and more or less all major world languages became represented.
The conclusion is that people simply do not understand what they are doing at all - because such stupid moves as entering a seed anywhere except in another (verified) hardware wallet is more than enough proof that someone does not understand what they are doing. Anyone who has the stomach for such scams can without much trouble earn a very nice amount with minimal effort, and this is unfortunately something that will continue to happen.
This would never happen in Linux OS in combination with open source hardware wallet.
It would. The fault in the discussed case is attached to the possessors of HWs who entered their SEEDs into browser extension rather than to OS and/or to hardware wallet.
I have always said that the main threat to the bitcoin stash is a stash's owner and if the latter is dumb neither open source hardware wallet nor Linux will help
This means Microsoft does not manually check and testing any software that they publish on the store.
Some people suggest that the vetting is done by a third party and Microsoft never double check them. There is also the possibility that they hire some freelancers to judge whether an app is malicious or not. I think both are equally possible, in the end, they have some faulty vetting process if a fake app can be listed there. People should never rely on an 'official' store like this if they want to download crypto apps, the experience with Google Play Store should be enough to tell how unreliable they are most of the time. 
Micr0s0ft win0ws plus ledger device/app is a perfect disaster combination, so I a not really shocked that someone lost so much money with this scam.
Stop using closed source software, and reduce risk in getting tricked like this ever again, and I almost forgot... use your brain.
This would never happen in Linux OS in combination with open source hardware wallet.
Stop using closed source software, and reduce risk in getting tricked like this ever again, and I almost forgot... use your brain.
This would never happen in Linux OS in combination with open source hardware wallet.
He's just a few clicks and tap away from visiting the official Ledger store to download the Ledger live which is also on their own website. If he just did visit the official Ledger website, he'll come to notice the warning from them about these fake apps.
And I think even if many are avoiding Ledger now, they have to add about downloading it from their official website and not from these Microsoft stores and what not from the same platforms too.
Quote from: https://www.ledger.com/
Beware of phishing attacks, Ledger will never ask for the 24 words of your recovery phrase. Never share them.
And I think even if many are avoiding Ledger now, they have to add about downloading it from their official website and not from these Microsoft stores and what not from the same platforms too.
Maybe the reason is that this app does not contain any malware, but only transfers the entered data (seed) to the hacker's server. Do you really think that the one who checks (if there are people who do it at all) knows the difference between legitimate and fake Leger Live?
If such work were done by experts and not by bots and AI, then there would not be thousands of dangerous apps in the Google Play Store or on Google Ads.
Any software from the ledger does not ask for seed phrase backup even in the recovery process there are no ledger apps that ask for recovery phrase Ledger already warns their users about that and you can always see the warning on any ledger support page. If it asks then it's phishing.If such work were done by experts and not by bots and AI, then there would not be thousands of dangerous apps in the Google Play Store or on Google Ads.
Ledger app or any software wallet like Electrum only needs connection and authentication from your hardware device you should never share your seed anywhere other than into your hardware device itself.
So how did Microsoft forget to check it?
This means Microsoft does not manually check and testing any software that they publish on the store.
16.8+ BTC ($588K) is a very good amount. All the victims and those who collectively lost this money were unable to download Ledger Live from the official Ledger's website? That's why they needed to use @Microsoft App Store?
If you use a mobile phone to visit the Ledger Live website, you will see the download for Android and iOS. If you use a computer to access the Ledger Live website, you will see the download for Windows OS, Mac OS and Linux OS. Some people just do not have the experience that the application stores can have fake and scam apps. Some of them have lost money before they will realize. If not for this forum, I may also think I can get Ledger Live on Microsoft Store directly until I am taught a life lesson. All those big companies prefer money over scam.
~snip
16.8+ BTC ($588K) is a very good amount. All the victims and those who collectively lost this money were unable to download Ledger Live from the official Ledger's website? That's why they needed to use @Microsoft App Store? Whatever hardware wallet you use, download app only from the official website. Always. The same applies to online wallets. ~snip~
UPD. Found an article that says "The app was being used to steal people's Bitcoin by asking users to enter in their 12-24 word recovery phrase into the app."
UPD. Found an article that says "The app was being used to steal people's Bitcoin by asking users to enter in their 12-24 word recovery phrase into the app."
Just one more in a series of seed stealers that targets users who actually have no idea what a seed actually is, but that didn't stop them from buying HW and Bitcoin. Those who fell for such a cheap trick would have become victims sooner or later anyway.
Don't they check the software or app first before they make the app available on the Microsoft Store?
According to The app certification process on Microsoft they scan and check the apps for malware and viruses and do some testing to ensure the safety of the app before they make the app available on the Microsoft store.
~snip~
According to The app certification process on Microsoft they scan and check the apps for malware and viruses and do some testing to ensure the safety of the app before they make the app available on the Microsoft store.
~snip~
Maybe the reason is that this app does not contain any malware, but only transfers the entered data (seed) to the hacker's server. Do you really think that the one who checks (if there are people who do it at all) knows the difference between legitimate and fake Leger Live?
If such work were done by experts and not by bots and AI, then there would not be thousands of dangerous apps in the Google Play Store or on Google Ads.
Sometimes I wonder why people buy hardware wallets in the first place…
Agreed, the most serious threat to any hardware wallet, no matter how advanced it is in the security, is the possessor of wallet himself. Little did people who lost their BTC realize that request for entering Ledger's SEED into Ledger Live app is a sheer sign of scam, their stashes would be safe.
~
UPD. Found an article that says "The app was being used to steal people's Bitcoin by asking users to enter in their 12-24 word recovery phrase into the app."
UPD. Found an article that says "The app was being used to steal people's Bitcoin by asking users to enter in their 12-24 word recovery phrase into the app."
Ok, if that is true, it means the scammer played the human stupidity card. Not surprising.
Sometimes I wonder why people buy hardware wallets in the first place…
Ledger's fans, be careful! Fake Ledger Live app has found a way to Microsoft store.
-snip-
In my view the best solution for all those who are still trusting Ledger is to avoid this platform at all and find more reliable wallet to keep heir stash.
I would advocate multisig wallet with at least one HW-based cosigner (P.S. mine is Passport 2).
You are right, this wallet should be forbidden now, especially after so many warnings. Many experts suggest avoiding it for that recovery phrase feature shit and after that ledger database leak of customers, etc. These were all warnings to the users to shift to another wallet, or at least they should not have stored their full savings only in a single wallet of the ledger or any other wallet company.-snip-
In my view the best solution for all those who are still trusting Ledger is to avoid this platform at all and find more reliable wallet to keep heir stash.
I would advocate multisig wallet with at least one HW-based cosigner (P.S. mine is Passport 2).
I read your provided news and the reddit user Weak-Rice-3545 lost around $26,500 of his total savings. I feel sorry for him or her, but if that was his lifetime savings, then he should have kept half of these savings in some other place.
One thing I have learned so far is that the crypto industry is full of land mines. Once you become ignorant, you step foot on some mines and lose your precious assets. Therefore divide your body parts (savings) in the field of crypto industry. And thanks for sharing this news but according to the @zachXBT who reported this issue, noted that this app is removed from the Microsoft store.
Don't they check the software or app first before they make the app available on the Microsoft Store?
According to The app certification process on Microsoft they scan and check the apps for malware and viruses and do some testing to ensure the safety of the app before they make the app available on the Microsoft store.
So how the scammer succeed in making the phishing software or app available on the store without undergoing to verification process?
Only Microsoft should be blamed for this due to negligence because they are the only ones who tested the app first before making it available to the public they don't even try to verify it first if it's owned by the ledger.
According to The app certification process on Microsoft they scan and check the apps for malware and viruses and do some testing to ensure the safety of the app before they make the app available on the Microsoft store.
So how the scammer succeed in making the phishing software or app available on the store without undergoing to verification process?
Only Microsoft should be blamed for this due to negligence because they are the only ones who tested the app first before making it available to the public they don't even try to verify it first if it's owned by the ledger.
Is there any article on how this works? Was this just software that generated fake addresses? Or did the scammer actually go through the effort of forking ledger live app, building his own version so that receiving addresses are just his?
As I got it that was a fake browser Leger Live extension with capability to connect Ledger HW directly to WEB 3 apps rather than desktop app itself. The most obvious and easy way to scam user is to substitute the receiving address but we have already faced similar extensions ( for instance developed for Chrome) with capabilities to steal users SEED.
UPD. Found an article that says "The app was being used to steal people's Bitcoin by asking users to enter in their 12-24 word recovery phrase into the app."
Is there any article on how this works? Was this just software that generated fake addresses? Or did the scammer actually go through the effort of forking ledger live app, building his own version so that receiving addresses are just his?
In my view the best solution for all those who are still trusting Ledger is to avoid this platform at all and find more reliable wallet to keep heir stash.
Although there are many reasons to stay clear of Ledger and their products based on everything they have done lately and are planning to do with their Ledger Recover vulnerability, receiving spam or phishing emails isn't one of those. Those things have happened before Ledger and will continue to happen to many other companies. Knowing how to recognize scams and not responding to spam is the way to go. In my view the best solution for all those who are still trusting Ledger is to avoid this platform at all and find more reliable wallet to keep heir stash.
The best in my opinion is to avoid fake apps, go for the right one. This can happen to any app. Before on playstore, there was many fake Electrum app but we keep posting the fake apps on this forum and also keep reporting them.But you are not wrong that people should no more use Ledger hardware wallet. The company is careless with their users data and also are encouraging their users to trust third parties with their seed phrase.
has already been posted and mentioned here: https://bitcointalksearch.org/topic/m.63107288
the discussion has already begun...
I think having a separate thread for it is good. the discussion has already begun...
has already been posted and mentioned here: https://bitcointalksearch.org/topic/m.63107288
the discussion has already begun...
the discussion has already begun...
Ledger's fans, be careful! Fake Ledger Live app has found a way to Microsoft store.
In my view the best solution for all those who are still trusting Ledger is to avoid this platform at all and find more reliable wallet to keep heir stash.
I would advocate multisig wallet with at least one HW-based cosigner (P.S. mine is Passport 2).
In my view the best solution for all those who are still trusting Ledger is to avoid this platform at all and find more reliable wallet to keep heir stash.
I would advocate multisig wallet with at least one HW-based cosigner (P.S. mine is Passport 2).
Jump to: