Topic: Ledger SMS phishing campaign - new attempt, not too subtle (Read 473 times)

It’s been a while since phishing attempts on the Ledger leaked DB have managed to surpass the spam filter on my email, but one has managed to make it through a while ago. Not too subtle, but at least the domain name has a certain feasible ring (although clearly non-official, and using a lame argument at best) that we should be wary of:


The email was sent from this address:

The allegedly lifesaving update takes you to a site, where, classical as it may be, it asks you for your 24 word mnemonic (what a surprise). The phishing site is located at the following address:

Ledger seems to have a hard time comunicating the facts properly. First, I believe that around July 2020, they informed that a data leak took place, involving 1M emails and personal contact data for 9.500 customers. By December 2020, the leak involved 272.000 customers as we know, essentially after the DB was made available on Raidforum.

These days, they’re sending out yet another Security Notice, referencing a breach on Shopify, their e-commerce partner (when purchasing on their official site, I believe the ecommerce part goes through shopify’s platform). Judging by the dates they mention in their most recent notice, Shopify was not aware that Ledger’s data has been leaded on their platform by some rouge agents until the 21/12/2020, which is the date on which the prior Security Notice was released after the Raidforum business. Nevertheless, they informed Ledger on the 23/12/2020, which does not add-up properly with the second Security Notice released around the 21/12/2020.

That would lead me to believe (dubiously) that they are talking about the same incident, albeit trying to discharge responsibility on Shopify, but they do not bind the two Security Notices together, indicating that they are referencing the same incident, providing further information in this case (or confusion).

Either I can’t interpret their intent, or they are messing-up with they way they communicate. If they are on about the same incident, make it explicit. If not, make it explicit too. I want to believe that they are on about the same incident, and that we’re not talking about two, which would seem berserk.

One has to wonder though exactly who has the customer data: Ledger, Shopify, or both. It it’s both, then this should also be known and explicit (I haven’t managed to find this on their site). Any (weak) data policy on one side is void if not carried out by the whole chain of value.


A map to incompetence:

There are probably no better phishing/smishing/sim swapping/marketing lists out there that Ledger’s leaded set of files (email, orders); certainly not for free as these now are.

Those phones and emails are going to be hit time and time again will all sorts of pretexts. There’s currently a new one on about claiming your (alleged) Bitcoin SV, which is likely ending up in the spam folder. Very likely they are targeting the Ledger email list with the Bitcoin SV excuse, not referencing the Ledger event in order to add another vector of attention and bait.

Latest:


Sample email that you are going to received, so it's a google docs now



But after you click the google docs, you will be redirected to:



And again, redirecting you to the fake and phishing Ledger site:



Source So this one is utilizing google docs and then several redirection, which might confuse Ledger user and think that this is legit.

I see that now by just comparing this Original : Fake (IO : lO) (Il). It's just right there in plain site and it tells how clever this scammers can be in hiding little details in plan sight. A skill that could be put in web designing though, the pay is relatively low but how good you are gets you in on the job.

Ledger is so going to be loosing a lot of customers if this menace to their system isn't properly handled and should a more competitive platform come along. Ledger users have now got to cut down the services they require based on details needed for verification you. You just don't have to give too much details to a third party platform.

Now the scammers are using the phone list to perform a cross-product smishing attempt. Specifically, the SMS that has recently been sent out stated:
 
Not only is the domain (IO) not the official domain, but also if you take a closer look, you’ll see (just about) that the "I" in the domain name is really a lowercap "L", that is slightly taller than the "I" -> "Il" (the former is a capital I, whilst the latter is a lowercap "L").
 
One more thing to be wary of …

This is just getting even more ridiculous. Ledger users attacks keeps happening concurrently now and sometimes ledger sends warning emails about phishing attempts late to their users hence several gullible users will fall prey to this scam. Any email that request for private keys, recovery phrase, passwords and pin are obviously fake and people should always be alerted about it.

Yep, these phishing attempts are now the never-ending story. I saw one on my spam folder this past weekend, with a content similar to this:

The above wasn’t the exact content I received (the above content was reported on Reddit). The sender is different, the inner link is also different, and the Team reference differs. I haven’t seen the above case reported too widely on the internet, so again, we can be sure they are using variations of the content, but not certain about whether these variations are meant to be nominal/personal or just different batches.

Additionally, I was referenced in my spam-blocked email in the BCC field, being able to see the intended main recipient’s email in full (likely therefore, another Ledger customer). This means that, likely, any email may have been included as recipient or BCC, giving cross-visibility to other leaked emails. 

Ongoing phishing campaign - WARNING Ledger scam email be aware!

website:
Supposedly contact and support email address:

Today’s new Smishing wave bears the following message:
Where "nnnnnn" is a six figure digit, which I’ve yet to see if it is customized or generic. The subsequent screens on the site are the same as described in the OP (I've only seen the error code change at the top of the page, in relation to the one shown in the OP).

Again, the numeric id does not seem to be personal (I've tried of bunch of different numerical variants that do not result in a valid domain), but I can’t attest to that as an empirical fact. As more reports roll in reports over the internet, I’ll be able to contrast the reported ID in the domain.

KYC of all the lame excuses, being used as a move to action …

Most of the time they depend on a database, so if a new website is not yet included in the database it might be useless. The best protection is to be aware of the phishing e-mail/message and just ignore it.

Yeah, for sure they were the same people.

I just hope that no one would ever click the link even those people who are not aware of the breach. I'm sure that many Ledger owners are responsible and won't bite on those baits.

Ledger claimed back in July that, besides the 1M breached emails, there was an aditional subset of 9.500 customers, whose personal data was also exposed (name, surname, postal address, phone, purchases). Those 9.500 customers allegedly received a dedicated specific email to state the above.

I can attest that either the above email protocol was not carried out properly, or what’s much more likely, Ledger is not aware of, or has covered up, the real extent of personal data records breached. There a multiple reports of people that state not receiving the dedicated email, and yet did receive one or multiple nominal phishing attempt. I include myself amongst these.

Thats what you get when you pay for ledger device.
You basically gave your data, phone number and address to scammer hackers, and even paid them to do it, because ledger founders are amateurs working in some village garage.
I sent them email asking about this issue and I only got stupid automatic machine generic answer, and they are deleting and locking many topic on reddit, like this one OP posted for example.

Heads up to those receiving these SMS messages and emails: since the mobile numbers and SMSs has leaked, it's most likely just going to get worse from here. It'd probably be wise to already change email addresses and mobile numbers.

Of course, but the thing is at least one or two people will prolly click the link, maybe those who were not aware of the data breach or those who don't really verify information when they receive them, but just go ahead to trust it; I know ledger owe it to their customers to make sure they keep them abreast with information and follow up if their data was leaked to the black market and warn them to be on the look out for phishing attempts, but users as well, should take responsibility and avoid clicking random links without proper verification, after all a hw wallet doesn't automatically mean you should forget security protocols as any little folly of yours would still amount to your funds being gone.

It's the after effect of the hack.  Ledger users are receiving emails, receiving SMS from scammers and I suspect these scammers are the same people who hacked their database and sold it in black-market.

I own a Ledger but luckily I haven't received that kind of sms.

As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.

Thanks for the up.

I assume the attackers got the customers' mobile numbers from the recent data breach!
This sounds more dangerous than the email phishing attack. Phishing sms are less common and most users aren't aware of such attack, so I expect many will be tricked this time.
Seriously Ledger team has to do something to stop this but I don't know how they are going to reach out to more than 1 million customers!

This is now a massive attack on Ledger users which is quite tricky. Seeing they've tried multiple times to steal from ledger users, most people won't fall for this. Ledger still need to alert their users appropriately about this phishing attempts and also things to look out for to be safe. I ordered and receive my ledger nano two days ago and haven't even opened it , waiting for all these scamming attempt to blow over first.

People just need to be very alert especially when phishing email/text is sent to them. They need to always triple check these things

For those not aware; earlier this year ledger website was hacked, exposing sensitive details of a number of users to a malicious third party - https://news.bitcoin.com/crypto-hardware-wallet-firm-ledger-hacked-one-million-customer-emails-exposed/ The breach was solved, but the information were already exposed, those details are now being used to carry out personalized phishing attempts.

I could not find any news about the affected users being messaged and warned of their data leak inorder for them to take precaution and disregard any unsolicited messages, as some of them could have likely missed the publication. I assumed this would be safe practice to protect victims of the hack.

Carry on phishing attempts after data breach..
 
Some Ledger customers have started to receive today a new phishing SMS, with the following pretext (or similar) (*):

The Id does not seem to be unique per recipient, as I’ve seen a couple of different people receive the same message (and played round with the URL to see it another number led to the site).

The URL takes you to a fake Ledger site, where, once you select your model, it asks you to plug-in your device. No real need to though. It then leads you on to the following screen:



No need to say what will happen if anyone proceeds to provide the above information...

See: https://www.reddit.com/r/ledgerwallet/comments/k2tb69/unknown_withdrawal_request_sms/

(*) I have not seen any prior message on the forum reporting this specific URL provided in the received SMS.