Topic: Ledger SMS phishing campaign - new attempt, not too subtle (Read 492 times)

legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
It’s been a while since phishing attempts on the leaked Ledger DB have managed to get past the spam filter on my email, but one managed to make it through a while ago. Not too subtle, but at least the domain name has a certain feasible ring (although clearly non-official, and using a lame argument at best) that we should be wary of:

Quote
Dear name surname
(we have included your full name for the authenticity of this message)
 
Due to latest security issues found in the encryption protocol, we strongly recommend that you proceed with the update.
We regret to inform you that Ledger has experienced a security breach affecting approximately 270.000 of our customers and that wallet associated with your email email@domain is within those affecting by the breach.
 
On Sunday, February 14th 2021, our forensics team has found several problem with encryption protocol.

Now it's technically impossible to protect your wallet without this update because we do not store anything of this in our server.
 
For the security of the wallet and your cryptocurrencies we need your help.
It only takes two minutes, but after that you will be sure that your wallet is safe.
 
Sincerely,
Ledger

The email was sent from this address:
Code:
Ledger 

The allegedly lifesaving update takes you to a site, where, classical as it may be, it asks you for your 24 word mnemonic (what a surprise). The phishing site is located at the following address:
Code:
https[colon]//www[dot]cryptoledgerwallet[dot]com/update/
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Ledger seems to have a hard time communicating the facts properly. First, I believe that around July 2020, they informed that a data leak took place, involving 1M emails and personal contact data for 9.500 customers. By December 2020, the leak involved 272.000 customers as we know, essentially after the DB was made available on Raidforum.

These days, they’re sending out yet another Security Notice, referencing a breach on Shopify, their e-commerce partner (when purchasing on their official site, I believe the e-commerce part goes through Shopify’s platform). Judging by the dates they mention in their most recent notice, Shopify was not aware that Ledger’s data had been leaked on their platform by some rogue agents until 21/12/2020, which is the date on which the prior Security Notice was released after the Raidforum business. Nevertheless, they informed Ledger on 23/12/2020, which does not add up properly with the second Security Notice released around 21/12/2020.

That would lead me to believe (dubiously) that they are talking about the same incident, albeit trying to discharge responsibility on Shopify, but they do not bind the two Security Notices together, indicating that they are referencing the same incident, providing further information in this case (or confusion).

Either I can’t interpret their intent, or they are messing up the way they communicate. If they are on about the same incident, make it explicit. If not, make it explicit too. I want to believe that they are on about the same incident, and that we’re not talking about two, which would seem berserk.

One has to wonder though exactly who has the customer data: Ledger, Shopify, or both. If it’s both, then this should also be known and explicit (I haven’t managed to find this on their site). Any (weak) data policy on one side is void if not carried out by the whole chain of value.

Bad news from Ledger (again).

Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.

If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new winners who will start receiving phishing messages and be at risk of physical assault.

A map to incompetence:
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
There are probably no better phishing/smishing/SIM swapping/marketing lists out there than Ledger’s leaked set of files (email, orders); certainly not for free, as these now are.

Those phones and emails are going to be hit time and time again with all sorts of pretexts. There’s currently a new one on about claiming your (alleged) Bitcoin SV, which is likely ending up in the spam folder. Very likely they are targeting the Ledger email list with the Bitcoin SV excuse, not referencing the Ledger event in order to add another vector of attention and bait.
hero member
Activity: 1414
Merit: 542
Latest:

Sample email that you are going to receive, so it's a Google Docs link now:

But after you click the Google Docs link, you will be redirected to:

And again, redirecting you to the fake phishing Ledger site:

Source. So this one is utilizing Google Docs and then several redirections, which might confuse Ledger users into thinking that this is legit.
legendary
Activity: 1554
Merit: 1139
Quote
"You have received 0.08155120 BTC, please login and confirm: HTTPS[colon]//BLOCKCHAlN [dot]IO

Not only is the domain (IO) not the official domain, but also if you take a closer look, you’ll see (just about) that the "I" in the domain name is really a lowercase "L", which is slightly taller than the "I" -> "Il" (the former is a capital I, whilst the latter is a lowercase "L").
 
One more thing to be wary of …

I see that now by just comparing the Original : Fake (IO : lO) (Il). It's just right there in plain sight, and it tells how clever these scammers can be in hiding little details in plain sight. A skill that could be put into web design, though; the pay is relatively low, but how good you are gets you in on the job.

Ledger is so going to be losing a lot of customers if this menace to their system isn't properly handled and a more competitive platform comes along. Ledger users have now got to cut down the services they require based on the details needed to verify you. You just don't have to give too many details to a third-party platform.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Now the scammers are using the phone list to perform a cross-product smishing attempt. Specifically, the SMS that has recently been sent out stated:
 
Quote
"You have received 0.08155120 BTC, please login and confirm: HTTPS[colon]//BLOCKCHAlN [dot]IO

Not only is the domain (IO) not the official domain, but also if you take a closer look, you’ll see (just about) that the "I" in the domain name is really a lowercase "L", which is slightly taller than the "I" -> "Il" (the former is a capital I, whilst the latter is a lowercase "L").
 
One more thing to be wary of …
member
Activity: 91
Merit: 35
Ongoing phishing campaign - WARNING Ledger scam email be aware!

website:
Code:
http://ledġẹr.com/
xn--ledr-dxa0756b.com

Supposedly contact and support email address:

Code:



This is just getting even more ridiculous. Attacks on Ledger users keep happening concurrently now, and sometimes Ledger sends warning emails about phishing attempts to their users late, hence several gullible users will fall prey to this scam. Any email that requests private keys, recovery phrases, passwords or PINs is obviously fake, and people should always be alerted about it.
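An added example, not code from the thread or from Ledger: a small Python triage script for look-alike hostnames of the kind quoted in the posts above (the xn-- punycode domain in this post, and the capital-I/lowercase-l trick in the "BLOCKCHAlN" SMS discussed earlier). The standard library's idna codec does the punycode decoding; the KNOWN_GOOD list and the glyph-fold table are this example's own constructions, not a real allow-list or the full Unicode confusables table.

```python
"""Triage of look-alike hostnames lifted from phishing SMS and e-mails.

Added example (not code from the thread). It mechanises two observations made
in the posts: an xn-- (punycode) label such as xn--ledr-dxa0756b.com hides a
Unicode look-alike of a brand, and in ASCII the glyphs I / l / 1 and O / 0 are
close enough to pass a glance ("BLOCKCHAlN" read as "BLOCKCHAIN").
"""
import unicodedata

# Domains we actually expect to hear from. Constructed list for this example;
# in practice seed it from your own bookmarks or allow-list.
KNOWN_GOOD = {"ledger.com", "blockchain.com"}

# Coarse glyph folding applied after case folding: lowercase L and digit 1 look
# like capital I (so all three become "i"); digit 0 looks like letter O. This is
# a tiny subset of the UTS #39 confusables table, enough for the cases here.
_GLYPH_FOLD = str.maketrans({"l": "i", "1": "i", "0": "o"})


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels to Unicode; plain ASCII or already-Unicode names pass through."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:  # malformed ACE, or the name already contains non-ASCII
        return hostname


def skeleton(name: str) -> str:
    """Fold a (Unicode) hostname so that visually similar names compare equal.

    NFKD splits accented letters into base letter + combining mark; the marks are
    dropped (led + g-with-dot-above + e-with-dot-below + r becomes ledger), then
    case and the ASCII look-alikes are folded.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.casefold().translate(_GLYPH_FOLD)


def triage(hostname: str) -> dict:
    """Return what a defender wants to know about one hostname from a message."""
    uni = to_unicode(hostname)
    skel = skeleton(uni)
    non_ascii = [(c, unicodedata.name(c, "UNKNOWN")) for c in uni if ord(c) > 127]
    reasons = []
    if uni.casefold() not in KNOWN_GOOD:
        if non_ascii:
            reasons.append("non-ASCII characters in hostname")
        host_label = skel.split(".")[0]
        for brand in sorted(KNOWN_GOOD):
            brand_skel = skeleton(brand)
            brand_label = brand_skel.split(".")[0]
            if skel == brand_skel:
                reasons.append(f"visual look-alike of {brand}")
            elif host_label == brand_label:
                reasons.append(f"first label reads as {brand} but the domain differs")
            elif brand_label in host_label:
                reasons.append(f"embeds the {brand} brand name")
    return {
        "input": hostname,
        "unicode": uni,
        "non_ascii": non_ascii,
        "skeleton": skel,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    # Hostnames taken from the messages quoted in this thread, de-fanged here
    # (no scheme, nothing is fetched); the last one is the genuine domain.
    for host in ("xn--ledr-dxa0756b.com", "BLOCKCHAlN.IO", "cryptoledgerwallet.com",
                 "ledger.com-device.id73457.app", "ledger.com"):
        info = triage(host)
        verdict = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{host:32} -> {info['unicode']:16} {verdict}: {'; '.join(info['reasons'])}")
```

Run it on a hostname copied out of a message and read the "unicode" and "reasons" fields: the punycode name decodes to the dotted-g / dotted-e spelling and collides with ledger.com once the marks are stripped, while the all-caps SMS domain collides only in its first label. The skeleton is deliberately coarse; it catches the glyph swaps the thread describes but not every substitution in the Unicode confusables data.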
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Yep, these phishing attempts are now the never-ending story. I saw one in my spam folder this past weekend, with content similar to this:

Quote
From: ledger Alerts [email protected]

Your Ledger Hardware Wallet has been deactivated.

Unfortunately, due to the new KYC policy, you are required to confirm your identity:
https[colon]//docs[dot]google[dot]com/document/d/e/2PACX-1vQjTM5NpOsIYz97qt6Bv8fdTUfMBReCqiBkilPtyKxqN5BSuGVEa7wWF5butVwiI-y1h-qN7oTMKCur/pub?embedded=true

Ledger Verification TeamW67PT8Q04WK-994
The above wasn’t the exact content I received (the above content was reported on Reddit). The sender is different, the inner link is also different, and the Team reference differs. I haven’t seen the above case reported too widely on the internet, so again, we can be sure they are using variations of the content, but not certain about whether these variations are meant to be nominal/personal or just different batches.

Additionally, I was referenced in my spam-blocked email in the BCC field, being able to see the intended main recipient’s email in full (likely therefore, another Ledger customer). This means that, likely, any email may have been included as recipient or BCC, giving cross-visibility to other leaked emails. 
hero member
Activity: 1344
Merit: 540
Ongoing phishing campaign - WARNING Ledger scam email be aware!

website:
Code:
http://ledġẹr.com/
xn--ledr-dxa0756b.com

Supposedly contact and support email address:

Code:

legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Today’s new Smishing wave bears the following message:
Quote
Your hardware wallet has been deactivated. Due to the new KYC regulations, you are required to pass verification: ledger[dot]com[dot]device[dot]id[dot]nnnnnn[dot]app/verification
Where "nnnnnn" is a six-digit number, which I’ve yet to see if it is customized or generic. The subsequent screens on the site are the same as described in the OP (I've only seen the error code change at the top of the page, in relation to the one shown in the OP).

Again, the numeric id does not seem to be personal (I've tried a bunch of different numerical variants that do not result in a valid domain), but I can’t attest to that as an empirical fact. As more reports roll in over the internet, I’ll be able to contrast the reported ID in the domain.

KYC of all the lame excuses, being used as a move to action …
legendary
Activity: 2170
Merit: 1789
There are anti-phishing extensions for browsers that may help protect against such tricks. Everyone is free to install them.
Most of the time they depend on a database, so if a new website is not yet included in the database it might be useless. The best protection is to be aware of the phishing e-mail/message and just ignore it.
hero member
Activity: 3024
Merit: 680
★Bitvest.io★ Play Plinko or Invest!
I own a Ledger but luckily I haven't received that kind of sms.

As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.

Thanks for the up.
It's the after-effect of the hack. Ledger users are receiving emails, receiving SMS from scammers, and I suspect these scammers are the same people who hacked their database and sold it on the black market.
Yeah, for sure they were the same people.

As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Of course, but the thing is at least one or two people will prolly click the link, maybe those who were not aware of the data breach or those who don't really verify information when they receive it, but just go ahead and trust it; I know Ledger owes it to their customers to make sure they keep them abreast with information and follow up if their data was leaked to the black market and warn them to be on the lookout for phishing attempts, but users as well should take responsibility and avoid clicking random links without proper verification; after all, a hw wallet doesn't automatically mean you should forget security protocols, as any little folly of yours would still amount to your funds being gone.
I just hope that no one would ever click the link even those people who are not aware of the breach. I'm sure that many Ledger owners are responsible and won't bite on those baits.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Ledger claimed back in July that, besides the 1M breached emails, there was an additional subset of 9.500 customers whose personal data was also exposed (name, surname, postal address, phone, purchases). Those 9.500 customers allegedly received a dedicated specific email to state the above.

I can attest that either the above email protocol was not carried out properly, or, what’s much more likely, Ledger is not aware of, or has covered up, the real extent of personal data records breached. There are multiple reports of people who state they did not receive the dedicated email, and yet did receive one or multiple nominal phishing attempts. I include myself amongst these.
legendary
Activity: 2212
Merit: 7064
That's what you get when you pay for a Ledger device.
You basically gave your data, phone number and address to scammer hackers, and even paid them to do it, because Ledger founders are amateurs working in some village garage.
I sent them an email asking about this issue and I only got a stupid automatic machine-generated generic answer, and they are deleting and locking many topics on Reddit, like the one OP posted for example.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Heads up to those receiving these SMS messages and emails: since the mobile numbers and emails have leaked, it's most likely just going to get worse from here. It'd probably be wise to already change email addresses and mobile numbers.
legendary
Activity: 2184
Merit: 1302
As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Of course, but the thing is at least one or two people will prolly click the link, maybe those who were not aware of the data breach or those who don't really verify information when they receive it, but just go ahead and trust it; I know Ledger owes it to their customers to make sure they keep them abreast with information and follow up if their data was leaked to the black market and warn them to be on the lookout for phishing attempts, but users as well should take responsibility and avoid clicking random links without proper verification; after all, a hw wallet doesn't automatically mean you should forget security protocols, as any little folly of yours would still amount to your funds being gone.
legendary
Activity: 2464
Merit: 3878
Hire Bitcointalk Camp. Manager @ r7promotions.com
I own a Ledger but luckily I haven't received that kind of sms.

As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.

Thanks for the up.
It's the after-effect of the hack. Ledger users are receiving emails, receiving SMS from scammers, and I suspect these scammers are the same people who hacked their database and sold it on the black market.
hero member
Activity: 3024
Merit: 680
★Bitvest.io★ Play Plinko or Invest!
I own a Ledger but luckily I haven't received that kind of sms.

As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.

Thanks for the up.
legendary
Activity: 2702
Merit: 3045
Top Crypto Casino
I assume the attackers got the customers' mobile numbers from the recent data breach!
This sounds more dangerous than the email phishing attack. Phishing sms are less common and most users aren't aware of such attack, so I expect many will be tricked this time.
Seriously Ledger team has to do something to stop this but I don't know how they are going to reach out to more than 1 million customers!
member
Activity: 91
Merit: 35
This is now a massive attack on Ledger users, which is quite tricky. Seeing they've tried multiple times to steal from Ledger users, most people won't fall for this. Ledger still needs to alert their users appropriately about these phishing attempts and also the things to look out for to be safe. I ordered and received my Ledger Nano two days ago and haven't even opened it, waiting for all these scamming attempts to blow over first.

People just need to be very alert, especially when a phishing email/text is sent to them. They need to always triple-check these things.
legendary
Activity: 2114
Merit: 2248
Playgram - The Telegram Casino
For those not aware: earlier this year the Ledger website was hacked, exposing sensitive details of a number of users to a malicious third party - https://news.bitcoin.com/crypto-hardware-wallet-firm-ledger-hacked-one-million-customer-emails-exposed/ The breach was solved, but the information was already exposed, and those details are now being used to carry out personalized phishing attempts.

I could not find any news about the affected users being messaged and warned of their data leak in order for them to take precautions and disregard any unsolicited messages, as some of them could likely have missed the publication. I assumed this would be safe practice to protect victims of the hack.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Carry on phishing attempts after data breach..
 
Some Ledger customers have started to receive today a new phishing SMS, with the following pretext (or similar) (*):

Code:
Name Surname Withdrawl request from new Device (IP China, Macau). 
Edit or Cancel details: ledger[dot]com-device[dot]id73457[dot]app/activity
The Id does not seem to be unique per recipient, as I’ve seen a couple of different people receive the same message (and played around with the URL to see if another number led to the site).

The URL takes you to a fake Ledger site, where, once you select your model, it asks you to plug in your device. No real need to, though. It then leads you on to the following screen:



No need to say what will happen if anyone proceeds to provide the above information...

See: https://www.reddit.com/r/ledgerwallet/comments/k2tb69/unknown_withdrawal_request_sms/

(*) I have not seen any prior message on the forum reporting this specific URL provided in the received SMS.