
Topic: New wave of scam targets Ledger's customers. (Read 317 times)

legendary
Activity: 3234
Merit: 5637
November 07, 2024, 05:58:08 AM
#25
It's incredibly hard for you and me to imagine falling for these scams, but if you think deeply, you'll understand that the majority of people will easily fall for such a scam.
~snip~


That's why I always say that first you need to understand what you are investing in in order to be able to protect your investment. Unfortunately, some people think that investing in a hardware wallet and storing their cryptocurrencies on it is all they need to do. Then they do stupid things like saving their seed in the cloud, e-mail or as a plain text document on the computer and they don't realize how much of a risk they are taking by doing so.

Even if they avoid such mistakes, the question is whether they will be able to remain calm and not believe in fake e-mails, calls, SMS messages or letters from the tax administration that they have to pay tax on cryptocurrencies via a crypto ATM.

Ledger has given all these scammers everything they need to target their victims very easily - and if they don't succeed in an easy way, you should always be prepared for a physical attack - so always be ready to protect yourself by all possible means.
hero member
Activity: 882
Merit: 792
November 05, 2024, 06:33:15 AM
#24
Those who still use Ledger wallets, be careful not to fall for this scam.
Those who use Ledger have already fallen for a scam, but those who fall for this scam fall for a double scam. I'd only keep a Ledger if someone gifted it to me or I won it in a contest, and even in this case, I'd only use it to keep some altcoins that I can afford to lose.

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Some people have their first contact with bitcoin and altcoins through these devices and have no basic understanding of how the BIP-39 key derivation scheme works and the consequences, such as total loss of funds after exposing a seed online.

That's why these types of phishing still exist, because unfortunately they are making many victims. I'm afraid that people who have hardware wallets are the easiest to rob.
It's incredibly hard for you and me to imagine falling for these scams, but if you think deeply, you'll understand that the majority of people will easily fall for such a scam. First of all, people don't verify; the fact that being number 1-5 in the Google search engine guarantees a huge profit proves that people don't verify. And this scam is a very smart and professional scam. They learnt Ledger's policy, communication language, the way they introduce news and the type of news they introduce, and used that as an advantage to scam people.
After Ledger Recover implementation, such an email text would seem a logical mail from Ledger for many users.
legendary
Activity: 2730
Merit: 7065
November 04, 2024, 08:32:19 AM
#23
I guess so, because just one naive user with a fat balance who will fall for such a cheap trick is a great success for whoever is behind such e-mails.
Exactly. Such phishing campaigns don't need a huge percentage of victims to be considered successful. If 1 out of 10000 receivers falls for it and provides the scammers with the needed information to steal a 5/6 or more digits amount (in fiat terms), that's a successful phishing campaign. It's better than a 50% success rate with only 10 sent emails where you got $100 from each victim.
legendary
Activity: 3234
Merit: 5637
November 04, 2024, 06:01:35 AM
#22
~snip~

Even before bad things started happening with their company, I remember that some of their e-mails went straight to the spam folder when it came to Gmail - because they simply sent too many e-mails with literally the same content. In addition, every user of the respective e-mail provider can block e-mails even by keywords, so that the majority of such phishing scams can also be sent directly to the trash.



~snip~
It's true that sending such emails isn't hard work but I am sure it still works to some extent.


I guess so, because just one naive user with a fat balance who will fall for such a cheap trick is a great success for whoever is behind such e-mails.
hero member
Activity: 1554
Merit: 880
November 03, 2024, 11:55:11 AM
#21
I think those phishing emails affect very few people, if any. Most users will just ignore them. Those don't even appear in my inbox and go straight to spam.
Don't be so sure about that. The world will always have enough of gullible people who believe in such fairytales. If that wasn't the case, scammers wouldn't waste time with this type of attack and do something else. It's true that sending such emails isn't hard work but I am sure it still works to some extent.
For users who use Gmail, these emails probably eventually get moved to spam by its strong spam detector, and users won't bother to open their spam emails. I don't know if other email providers have this kind of feature too. Also, if the email doesn't look like it's from ledger.com, that's pretty obvious.
legendary
Activity: 2730
Merit: 7065
November 03, 2024, 11:43:14 AM
#20
I think those phishing emails affect very few people, if any. Most users will just ignore them. Those don't even appear in my inbox and go straight to spam.
Don't be so sure about that. The world will always have enough of gullible people who believe in such fairytales. If that wasn't the case, scammers wouldn't waste time with this type of attack and do something else. It's true that sending such emails isn't hard work but I am sure it still works to some extent.
legendary
Activity: 1568
Merit: 6660
This does not necessarily suggest that any user will be safe. If a user is just dumb dumb dumb, he may share (on the phishing site or somewhere else) his SEED even for an Internet-blind hardware wallet. However, I agree, air-gapped devices (like my Passport2) are a better option for those who want to mitigate the risks to their stash.

I actually think that a good exchange (i.e. not Binance, OKX, Gate etc. but something like privacy-invading Coinbase) is better for dumb dumb dumb users because even though they are custodial, they will at least give you many warnings not to share your credentials with anyone, and then a competent exchange will implement lots of security measures like 2FA, confirmation before withdrawal, maybe even a sort of KYC like a facial scan before you can log into a new device. That last one is something I've heard of Revolut doing, and it sounds like it can help really naive people who are vulnerable to scammers.
hero member
Activity: 714
Merit: 1298
An ideal hardware wallet should function without connecting to the internet at all, including via intermediary applications on an internet-connected computer which do fetch data from the internet.


This does not necessarily suggest that any user will be safe. If a user is just dumb dumb dumb, he may share (on the phishing site or somewhere else) his SEED even for an Internet-blind hardware wallet. However, I agree, air-gapped devices (like my Passport2) are a better option for those who want to mitigate the risks to their stash.
legendary
Activity: 1568
Merit: 6660
An ideal hardware wallet should function without connecting to the internet at all, including via intermediary applications on an internet-connected computer which do fetch data from the internet.

Understanding this basic detail would save a lot of people from falling for these basic phishing emails. It's not enough to just rely on email filters to hide them for you.
hero member
Activity: 3038
Merit: 634
It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.
Even if it seems a usual scam that we see on a day-to-day basis, there are customers who don't know much about crypto and have just been told to buy a ledger or hardware and take care of it.

And upon reading some scam emails, they'll feel paranoid about it, and they're likely to oblige and follow the scammy instructions.

In general, this is also probably happening with some other brands: there are email scams using their names, with "immediate action" being sent to their victims.
hero member
Activity: 714
Merit: 1298
Thanks for sharing this. Since they launched the ledger recover feature, scammers decided to deceive naive customers with another so-called security feature called 'clear signing', lol, it is crazy and I seriously hope nobody fell for this bullshit. While it is obvious one shouldn't be using ledger anymore, it should be more obvious to anyone who uses a hardware wallet that this is a scam and that they should not click on the link.

It doesn't relate to "the ledger recover feature". In fact, to launch this phishing attack, scammers jumped at the opportunity opened for them by the existence of the official Ledger's Clear Signing Initiative (the main goal of which is to clarify to users some details of the smart contract they are going to sign).



legendary
Activity: 3234
Merit: 5637
@Z-tight, most people perceive Bitcoin in a similar way to fiat and in conversations with people over the years I have often encountered questions that have no logic, such as "which bank is behind BTC?" or "can BTC be banned and its value drop to zero?"

The concept of decentralization is not something that comes easily to people's heads, because for centuries they have been taught that there are banks, governments and those who make decisions and issue money - the concept on which BTC rests is completely opposite to all that.

Being your own bank and having that responsibility is something that most people don't want - a plastic card and a four-digit PIN is such a simple concept that makes BTC extremely complicated for most.
hero member
Activity: 994
Merit: 1089
because at least in the EU savings deposits up to EUR 100 000 are insured by the state.
This is another reason why people are so wrong to think keeping their money in an exchange is similar to keeping it in a bank; between the two it is very obvious that banks are safer. Crypto exchanges are more likely to collapse or go bankrupt, and the chances of getting anything back are slim and it could take so many years. I even wonder why people would want to use BTC the way they use fiat; they're better off just using fiat only if they are not ready to be their own bank.
legendary
Activity: 3234
Merit: 5637
As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.
True, these people should learn that neither banks nor any other private company are to be trusted.

Good luck to anyone who tries to explain to the average person that they shouldn't trust institutions - because in the end most trust banks and if you ask them why, they will tell you that they feel their money is safe there, because at least in the EU savings deposits up to EUR 100 000 are insured by the state.

On the other hand, the idea of being your own bank doesn't seem attractive to them at all - that's why for the vast majority Bitcoin has become just a get-rich scheme and that's why companies like Ledger, despite all their scandals, continue to operate as if nothing had even happened.
jr. member
Activity: 28
Merit: 37
As far as I remember, they did not promise that they would not keep personal information of their clients, because by law they have the right (and possibly the obligation) to do so. The problem is that they should have kept this information in the best possible way, and not leave it to someone else who is clearly not adequate for such a job.
They did say they will not store "sensitive client information", whatever they meant by that.
I think home address is very sensitive information, they could argue they had private keys in mind...  

edit: I have checked their page on archive.org before the 2020 data breach and indeed they have stated they will store user information.
Source: https://web.archive.org/web/20190331192622/https://www.ledger.com/pages/privacy-policy

I don't remember where I read it, could be unofficial. Thanks for correction on that matter.


As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

True, these people should learn that neither banks nor any other private company are to be trusted.
legendary
Activity: 3234
Merit: 5637
~snip~
The company said they would never store your information, yet they did. They lied, and people still trust them and their closed-source firmware. 😮
I may need to remind you: The whole cryptocurrency revolution is about being trustless, about not having to trust anyone, because trust is always abused.


As far as I remember, they did not promise that they would not keep personal information of their clients, because by law they have the right (and possibly the obligation) to do so. The problem is that they should have kept this information in the best possible way, and not leave it to someone else who is clearly not adequate for such a job.

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.
jr. member
Activity: 28
Merit: 37
I've always said it's safer to be a fish in the ocean than a shark in a tank.

Do yourself a favor and learn how to securely use an air-gapped PC. It takes about an hour for a total beginner to understand, and it's knowledge that will last a lifetime without needing to trust hardware wallet companies.

For small amounts, you can use your phone and Cake Wallet or whatever you prefer.

Phishing attacks are not the fault of hardware wallets, and if you're vulnerable to such threats, you'll get hacked anyway.
Just saying, having an old dedicated laptop is still safer than dealing with these companies.

...The database that leaked from Ledger is used constantly, and the fact that someone emphasized this news is nothing specific, because everything always boils down to the same thing.

The company said they would never store your information, yet they did. They lied, and people still trust them and their closed-source firmware. 😮
I may need to remind you: The whole cryptocurrency revolution is about being trustless, about not having to trust anyone, because trust is always abused.

Any software that is not open-source and not audited should not be trusted, not only in cryptocurrency but in general.

With hardware wallets (or any closed source projects), you're not the owner of the coins; you're the user, and the company behind it is the owner, controlling what happens inside that black box.
member
Activity: 47
Merit: 12
This time it is a fraudulent "Ledger Clear Signing" chuck which urges customers to activate this feature to keep their Ledger wallet working continuously. The scammers involved disseminate this mock via emails which set a deadline of October 31, after which (as they said) "users that failing to activate this feature will prevent them from using their devices securely." In fact, this email has a link that leads to a phishing site, the aim being to get sensitive info from users ("which can give scammers access to their cryptocurrency wallets").

Those who still use Ledger wallets, be careful not to fall for this scam.

Thanks OP for this information

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.
Not everyone who has coins stored in wallets really understands how the wallets work. Some people who have very little education about wallets and how scammers operate will easily fall for these scams. Constant efforts in exposing these scam patterns, just like OP has just done, are what some people need to remain vigilant.
legendary
Activity: 2352
Merit: 6089
It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

I think those phishing emails affect very few people, if any. Most users will just ignore them. Those don't even appear in my inbox and go straight to spam.

The point is that sending an e-mail is basically free, and as they already have the data of potential victims, they will just keep sending them. If just one person clicks the bait, they make money....
legendary
Activity: 1792
Merit: 1296
This can be somehow off-topic but it is still worth posting about. That it is better not to use Ledger devices anymore. Ledger Nano is now an online wallet that gives the option for people to save their seed phrase online with third parties. Not worth using anymore and not worth buying.
Of course, the best solution in light of the already formed negative public opinion in crypto community about the Ledger company would be to simply not use the ledger devices. But I believe that such incidents should be voiced in order to inform the community for preventive purposes. As a reminder of phishing, which is one of the most common ways to lose cryptocurrency.

At first glance, Ledger is not involved in the "Ledger Clear Signing", because scammers who send phishing letters are as old as the Internet itself. But there is one nuance, which is that these letters are sent to users of ledger devices on purpose, which is reminiscent of the previous leak of the client base of this company.
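
A triage sketch for the e-mail traits this thread describes (the "Clear Signing" lure, a deadline, a sender or link that is not on ledger.com), added here as an example and not part of any post. The keyword list, the verdict names and both sample messages are constructed, and it assumes single-part plain-text mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL = "ledger.com"  # vendor domain named in the thread
LURE_TERMS = ("clear signing", "recovery phrase", "seed phrase")  # assumed keyword list
URGENCY = re.compile(r"deadline|immediate action|failing to activate|before \w+ \d{1,2}", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_official_domain(host):
    """True only for ledger.com itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def signals(raw):
    """Return the list of warning signs found in one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # a str for single-part plain-text mail
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    found = []
    # The From header is forgeable, so it is only one signal among several.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not on_official_domain(sender_host):
        found.append("sender-off-domain")
    # Compare the parsed hostname, not a substring: "ledger.com.x.example" is not ledger.com.
    hosts = {urlparse(u).hostname for u in URL.findall(body)}
    if any(not on_official_domain(h) for h in hosts):
        found.append("link-off-domain")
    if any(term in text for term in LURE_TERMS):
        found.append("lure-keyword")
    if URGENCY.search(text):
        found.append("urgency")
    return found

def verdict(raw):
    s = signals(raw)
    off_domain = "sender-off-domain" in s or "link-off-domain" in s
    pressure = "lure-keyword" in s or "urgency" in s
    if off_domain and pressure:
        return "quarantine"
    return "review" if s else "pass"

# Constructed samples: a spoofed From with a lookalike link host, and a plain newsletter.
PHISH = """From: Ledger Support <support@ledger.com>
Subject: Activate Ledger Clear Signing before October 31

Users failing to activate this feature will be unable to use their devices securely.
Activate now: https://ledger.com.activate.example/clear-signing
"""
NEWS = """From: Ledger <news@ledger.com>
Subject: Firmware release notes

Read the notes at https://www.ledger.com/blog
"""
```

The spoofed sample passes the sender check and is still quarantined on the link host, which is why a keyword or sender filter alone is not enough.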