New wave of scam targets Ledger's customers.

Z-tight

legendary

Activity: 994

Merit: 1089

Quote from: satscraper on December 18, 2024, 08:30:00 AM

It seems like scammers smell every Ledger's user as such a gump ^{Did you watch "Forrest Gump"?} . Grin

Ledger customers cannot catch a break, ever since the data breach of 2020, it has been from one phishing attack to the other; on top of that Ledger is not even a reconmended wallet to use anymore, for obvious reasons.

This latest phishing attack should be easy to avoid, the scammers didn't even put any effort into this, lol, who falls for 'verify your seed phrase', if truly there's been a security breach, the right thing to do is to move your funds into a safe wallet, and not to 'verify your seed phrase' online, lol.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: satscraper on December 18, 2024, 08:30:00 AM

~snip~
It seems like scammers smell every Ledger's user as such a gump ^{Did you watch "Forrest Gump"?} . Grin

Given that they have a database of over a million potential users, from time to time there is always someone who tries to catch at least one of them in this way. Only one is enough if it has a nice balance that can be considered a real jack pot. However, anyone who buys HW without understanding what a seed is and how to use it correctly and safely can sooner or later become a victim of seed stealers.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: satscraper on December 18, 2024, 08:30:00 AM

It even checks if each entered word is consistent with BIP39 list.

Either they want to make it more convincing or they don't want to bother with people flooding their websites with fake seeds, which is quite ironic considering they basically want to steal money. This just adds more fuel to the fire for Ledger, considering I saw a few popular posts on Twitter complaining they lost money from their Nano S. Not sure if they fell for this scam or there's another exploit, or the users forget they store their seed phrase online.

satscraper

hero member

Activity: 714

Merit: 1298

Topic continues to ring true as scammers don't give too much peace to Ledger's simpletons and spread new phishing emails with "fake data breach notifications". It bears noting, scammers took the time and effort to develop fishing site which pretends to look like official :

Quote from: https://www.bleepingcomputer.com/news/security/new-fake-ledger-data-breach-emails-try-to-steal-crypto-wallets/

It even checks if each entered word is consistent with BIP39 list.

It seems like scammers smell every Ledger's user as such a gump ^{Did you watch "Forrest Gump"?} . Grin

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Synchronice on November 05, 2024, 06:33:15 AM

It's incredibly hard to imagine to fall into these scams for you and me but if you think deeply, you'll understand that the majority of people will easily fall into such scam.
~snip~

That's why I always say that first you need to understand what you are investing in in order to be able to protect your investment. Unfortunately, some people think that investing in a hardware wallet and storing their cryptocurrencies on it is all they need to do. Then they do stupid things like saving their seed in the cloud, e-mail or as a plain text document on the computer and they don't realize how much of a risk they are taking by doing so.

Even if they avoid such mistakes, the question is whether they will be able to remain calm and not believe in fake e-mails, calls, SMS messages or letters from the tax administration that they have to pay tax on cryptocurrencies via a crypto ATM.

Ledger has given all these scammers everything they need to target their victims very easily - and if they don't succeed in an easy way, you should always be prepared for a physical attack - so always be ready to protect yourself by all possible means.

Synchronice

hero member

Activity: 882

Merit: 792

Watch Bitcoin Documentary - https://t.ly/v0Nim

Quote from: satscraper on October 16, 2024, 01:42:19 AM

Those, who still use Ledger wallets, be careful to not fall into this scam.

Those, who use Ledger, already fall into scam but those who fall into this scam, they fall into double scam. I'd only keep Ledger if someone gifted me or I won it in a contest and even in this case, I'd only use it to keep some altcoins that I can afford to lose.

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Some people have their first contact with bitcoin and altcoins through these devices and have no basic understanding of how the BIP-39 key derivation scheme works and the consequences, such as total loss of funds after exposing a seed online.

That's why these types of phishing still exist, because unfortunately they are making many victims. I'm afraid that people who have hardware wallets are the easiest to rob.

It's incredibly hard to imagine to fall into these scams for you and me but if you think deeply, you'll understand that the majority of people will easily fall into such scam. First of all, people don't verify, the fact that being number 1-5 in Google search engine guarantees a huge profit proves that people don't verify. And this scam is a very smart and professional scam. They learnt Ledger's policy, communication language, the way they introduce news and the type of news they introduce and used that as an advantage to scam people.
After Ledger Recover implementation, such an email text would seem a logical mail from Ledger for many users.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: Lucius on November 04, 2024, 06:01:35 AM

I guess so, because just one naive user with a fat balance who will fall for such a cheap trick is a great success for whoever is behind such e-mails.

Exactly. Such phishing campaigns don't need a huge percentage of victims to be considered successful. If 1 out of 10000 receivers falls for it and provides the scammers with the needed information to steal a 5/6 or more digits amount (in fiat terms), that's a successful phishing campaign. It's better than a 50% success rate with only 10 sent emails where you got $100 from each victim.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: PX-Z on November 03, 2024, 11:55:11 AM

~snip~

Even before bad things started happening with their company, I remember that some of their e-mails went straight to the spam folder when it came to Gmail - because they simply sent too many e-mails with literally the same content. In addition, every user of the respective e-mail provider can block e-mails even by keywords, so that the majority of such phishing scams can also be sent directly to the trash.

Quote from: Pmalek on November 03, 2024, 11:43:14 AM

~snip~
It's true that sending such emails isn't hard work but I am sure it still works to some extent.

I guess so, because just one naive user with a fat balance who will fall for such a cheap trick is a great success for whoever is behind such e-mails.

PX-Z

hero member

Activity: 1554

Merit: 880

Notify wallet transaction @txnNotifierBot

Quote from: Pmalek on November 03, 2024, 11:43:14 AM

Quote from: bitmover on October 17, 2024, 02:59:07 PM

I think those phising emails affects very few people, if any. Most users will just ignore them. Those doesn`t even appear in my inbox and go straight to spam.

Don't be so sure about that. The world will always have enough of gullible people who believe in such fairytales. If that wasn't the case, scammers wouldn't waste time with this type of attack and do something else. It's true that sending such emails isn't hard work but I am sure it still works to some extent.

For users who uses gmail, probably these emails eventually moved to spams for their strong spam detector and users won't bother to open their spam emails. Idk other email providers have this kind of feature too. Also if the email doesn't look like from ledger.com, that's pretty obvious.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: bitmover on October 17, 2024, 02:59:07 PM

I think those phising emails affects very few people, if any. Most users will just ignore them. Those doesn`t even appear in my inbox and go straight to spam.

Don't be so sure about that. The world will always have enough of gullible people who believe in such fairytales. If that wasn't the case, scammers wouldn't waste time with this type of attack and do something else. It's true that sending such emails isn't hard work but I am sure it still works to some extent.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: satscraper on October 24, 2024, 02:49:54 AM

This is not to necessarily suggests that any user will be safe. If user is just dumb dumb dumb he may share ^{(on the fishing site or somewhere else )}his SEED even for the Internet-blind hardware wallet. However, I'm agreed, air-gapped devices ^{(like mine Passport2)} are better opt for those who wanna mitigates the risks exposed to their stash.

I actually think that a good exchange (i.e. not Binance, OKX, Gate etc but something like privacy-invading Coinbase Shocked

) are better for dumb dumb dumb users because even though they are custodial, they will at least give you many warnings not to share your credentials with anyone, and then a competent exchange will implement lots of security measures like 2FA, confirmation before withdraw, maybe even a sort of KYC like facial scan before you can log into a new device. That last one is something I've heard of Revolut doing, and it sounds like it can help really naive people who are vulnerable to scammers.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: NotATether on October 24, 2024, 01:24:26 AM

An ideal hardware wallet should function without connecting to the internet at all, including via intermediary applications on an internet-connected computer which do fetch data from the internet.

This is not to necessarily suggests that any user will be safe. If user is just dumb dumb dumb he may share ^{(on the fishing site or somewhere else )}his SEED even for the Internet-blind hardware wallet. However, I'm agreed, air-gapped devices ^{(like mine Passport2)} are better opt for those who wanna mitigates the risks exposed to their stash.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

An ideal hardware wallet should function without connecting to the internet at all, including via intermediary applications on an internet-connected computer which do fetch data from the internet.

Understanding this basic detail would save a lot of people from falling for these basic phishing emails. It's not enough to just rely on email filters to hide them for you.

sunsilk

hero member

Activity: 3038

Merit: 634

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Even if it seems a usual scam that we see on a day-to-day basis, there are customers who don't know much about crypto and have just been told to buy a ledger or hardware and take care of it.

And upon reading some scam emails, they'll feel paranoid about it and they're likely to oblige themselves and gonna follow the scammy instructions.

In general, this also probably happening in some other brands that there are email scams that are using their names to "immediate action" being sent to their victims.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Z-tight on October 16, 2024, 04:44:51 PM

Thanks for sharing this. Since they launched the ledger recover feature, scammers decided to deceive naive customers with another so-called security feature called 'clear signing', lol, it is crazy and i seriously hope nobody fell for this bullshit. While it is obvious one shouldn't be using ledger anymore, it should be more obvious to anyone who uses a hardware wallet that this is a scam and that they should not click on the link.

It doesn't relate with "the ledger recover feature". In fact to launch this fishing attack scammers jumped at the opportunity opened for them by the existence of official Ledger’s Clear Signing Initiative ^{(the main goal of which is to clarify to users some details of the smart contract they are are going to sign)}

Quote from: https://www.ledger.com/blog-ledgers-clear-signing-initiative-paving-the-way-for-safer-transactions

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

@Z-tight, most people perceive Bitcoin in a similar way to fiat and in conversations with people over the years I have often encountered questions that have no logic, such as "which bank is behind BTC?" or "can BTC be banned and its value drop to zero?"

The concept of decentralization is not something that comes easily to people's heads, because for centuries they have been taught that there are banks, governments and those who make decisions and issue money - the concept on which BTC rests is completely opposite to all that.

Being your own bank and having that responsibility is something that most people don't want - a plastic card and a four-digit PIN is such a simple concept that makes BTC extremely complicated for most.

Z-tight

legendary

Activity: 994

Merit: 1089

Quote from: Lucius on October 19, 2024, 09:10:57 AM

because at least in the EU savings deposits up to EUR 100 000 are insured by of the state.

This is another reason why people are so wrong to think keeping their money in an exchange is similar to keeping it in a bank, between the two it is very obvious that banks are safer. Crypto exchanges are more likely to collapse or go bankrupt and the chances of getting anything back is slim and could take so many years. I even wonder why people would want to use BTC the way they use fiat, they're better off just using fiat only if they are not ready to be their own bank.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: MeGold666 on October 18, 2024, 11:09:55 AM

Quote from: Lucius on October 18, 2024, 08:10:15 AM

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

True, this people should learn that banks nor any other private company are not to be trusted.

Good luck to anyone who tries to explain to the average person that they shouldn't trust institutions - because in the end most trust banks and if you ask them why, they will tell you that they feel their money is safe there, because at least in the EU savings deposits up to EUR 100 000 are insured by of the state.

On the other hand, the idea of being your own bank doesn't seem attractive to them at all - that's why for the vast majority Bitcoin has become just a get-rich scheme and that's why companies like Ledger, despite all their scandals, continue to operate as if nothing had even happened.

MeGold666

jr. member

Activity: 28

Merit: 37

Quote from: Lucius on October 18, 2024, 08:10:15 AM

As far as I remember, they did not promise that they would not keep personal information of their clients, because by law they have the right (and possibly the obligation) to do so. The problem is that they should have kept this information in the best possible way, and not leave it to someone else who is clearly not adequate for such a job.

They did say they will not store "sensitive client information", whatever they meant by that.
I think home address is very sensitive information, they could argue they had private keys in mind...

edit: I have checked their page on archive.org before the 2020 data breach and indeed they have stated they will store user information.
Source: https://web.archive.org/web/20190331192622/https://www.ledger.com/pages/privacy-policy

I don't remember where I read it, could be unofficial. Thanks for correction on that matter.

Quote from: Lucius on October 18, 2024, 08:10:15 AM

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

True, this people should learn that banks nor any other private company are not to be trusted.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: MeGold666 on October 18, 2024, 03:46:35 AM

~snip~
The company said they would never store your information, yet they did. They lied, and people still trust them and their closed-source firmware. 😮
I may need to remind you: The whole cryptocurrency revolution is about being trustless, about not having to trust anyone, because trust is always abused.

As far as I remember, they did not promise that they would not keep personal information of their clients, because by law they have the right (and possibly the obligation) to do so. The problem is that they should have kept this information in the best possible way, and not leave it to someone else who is clearly not adequate for such a job.

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

Topic: New wave of scam targets Ledger's customers. (Read 377 times)