New wave of scam targets Ledger's customers.

Z-tight

legendary

Activity: 1106

Merit: 1124

Wheel of Whales 🐳

Quote from: satscraper on December 18, 2024, 08:30:00 AM

It seems like scammers smell every Ledger's user as such a gump ^{Did you watch "Forrest Gump"?} . Grin

Ledger customers cannot catch a break, ever since the data breach of 2020, it has been from one phishing attack to the other; on top of that Ledger is not even a reconmended wallet to use anymore, for obvious reasons.

This latest phishing attack should be easy to avoid, the scammers didn't even put any effort into this, lol, who falls for 'verify your seed phrase', if truly there's been a security breach, the right thing to do is to move your funds into a safe wallet, and not to 'verify your seed phrase' online, lol.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: satscraper on December 18, 2024, 08:30:00 AM

~snip~
It seems like scammers smell every Ledger's user as such a gump ^{Did you watch "Forrest Gump"?} . Grin

Given that they have a database of over a million potential users, from time to time there is always someone who tries to catch at least one of them in this way. Only one is enough if it has a nice balance that can be considered a real jack pot. However, anyone who buys HW without understanding what a seed is and how to use it correctly and safely can sooner or later become a victim of seed stealers.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: satscraper on December 18, 2024, 08:30:00 AM

It even checks if each entered word is consistent with BIP39 list.

Either they want to make it more convincing or they don't want to bother with people flooding their websites with fake seeds, which is quite ironic considering they basically want to steal money. This just adds more fuel to the fire for Ledger, considering I saw a few popular posts on Twitter complaining they lost money from their Nano S. Not sure if they fell for this scam or there's another exploit, or the users forget they store their seed phrase online.

satscraper

hero member

Activity: 714

Merit: 1298

Topic continues to ring true as scammers don't give too much peace to Ledger's simpletons and spread new phishing emails with "fake data breach notifications". It bears noting, scammers took the time and effort to develop fishing site which pretends to look like official :

Quote from: https://www.bleepingcomputer.com/news/security/new-fake-ledger-data-breach-emails-try-to-steal-crypto-wallets/

It even checks if each entered word is consistent with BIP39 list.

It seems like scammers smell every Ledger's user as such a gump ^{Did you watch "Forrest Gump"?} . Grin

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Synchronice on November 05, 2024, 06:33:15 AM

It's incredibly hard to imagine to fall into these scams for you and me but if you think deeply, you'll understand that the majority of people will easily fall into such scam.
~snip~

That's why I always say that first you need to understand what you are investing in in order to be able to protect your investment. Unfortunately, some people think that investing in a hardware wallet and storing their cryptocurrencies on it is all they need to do. Then they do stupid things like saving their seed in the cloud, e-mail or as a plain text document on the computer and they don't realize how much of a risk they are taking by doing so.

Even if they avoid such mistakes, the question is whether they will be able to remain calm and not believe in fake e-mails, calls, SMS messages or letters from the tax administration that they have to pay tax on cryptocurrencies via a crypto ATM.

Ledger has given all these scammers everything they need to target their victims very easily - and if they don't succeed in an easy way, you should always be prepared for a physical attack - so always be ready to protect yourself by all possible means.

Synchronice

hero member

Activity: 882

Merit: 792

Watch Bitcoin Documentary - https://t.ly/v0Nim

Quote from: satscraper on October 16, 2024, 01:42:19 AM

Those, who still use Ledger wallets, be careful to not fall into this scam.

Those, who use Ledger, already fall into scam but those who fall into this scam, they fall into double scam. I'd only keep Ledger if someone gifted me or I won it in a contest and even in this case, I'd only use it to keep some altcoins that I can afford to lose.

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Some people have their first contact with bitcoin and altcoins through these devices and have no basic understanding of how the BIP-39 key derivation scheme works and the consequences, such as total loss of funds after exposing a seed online.

That's why these types of phishing still exist, because unfortunately they are making many victims. I'm afraid that people who have hardware wallets are the easiest to rob.

It's incredibly hard to imagine to fall into these scams for you and me but if you think deeply, you'll understand that the majority of people will easily fall into such scam. First of all, people don't verify, the fact that being number 1-5 in Google search engine guarantees a huge profit proves that people don't verify. And this scam is a very smart and professional scam. They learnt Ledger's policy, communication language, the way they introduce news and the type of news they introduce and used that as an advantage to scam people.
After Ledger Recover implementation, such an email text would seem a logical mail from Ledger for many users.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: Lucius on November 04, 2024, 06:01:35 AM

I guess so, because just one naive user with a fat balance who will fall for such a cheap trick is a great success for whoever is behind such e-mails.

Exactly. Such phishing campaigns don't need a huge percentage of victims to be considered successful. If 1 out of 10000 receivers falls for it and provides the scammers with the needed information to steal a 5/6 or more digits amount (in fiat terms), that's a successful phishing campaign. It's better than a 50% success rate with only 10 sent emails where you got $100 from each victim.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: PX-Z on November 03, 2024, 11:55:11 AM

~snip~

Even before bad things started happening with their company, I remember that some of their e-mails went straight to the spam folder when it came to Gmail - because they simply sent too many e-mails with literally the same content. In addition, every user of the respective e-mail provider can block e-mails even by keywords, so that the majority of such phishing scams can also be sent directly to the trash.

Quote from: Pmalek on November 03, 2024, 11:43:14 AM

~snip~
It's true that sending such emails isn't hard work but I am sure it still works to some extent.

I guess so, because just one naive user with a fat balance who will fall for such a cheap trick is a great success for whoever is behind such e-mails.

PX-Z

legendary

Activity: 1554

Merit: 880

Wallet transaction notifier @txnNotifierBot

Quote from: Pmalek on November 03, 2024, 11:43:14 AM

Quote from: bitmover on October 17, 2024, 02:59:07 PM

I think those phising emails affects very few people, if any. Most users will just ignore them. Those doesn`t even appear in my inbox and go straight to spam.

Don't be so sure about that. The world will always have enough of gullible people who believe in such fairytales. If that wasn't the case, scammers wouldn't waste time with this type of attack and do something else. It's true that sending such emails isn't hard work but I am sure it still works to some extent.

For users who uses gmail, probably these emails eventually moved to spams for their strong spam detector and users won't bother to open their spam emails. Idk other email providers have this kind of feature too. Also if the email doesn't look like from ledger.com, that's pretty obvious.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: bitmover on October 17, 2024, 02:59:07 PM

I think those phising emails affects very few people, if any. Most users will just ignore them. Those doesn`t even appear in my inbox and go straight to spam.

Don't be so sure about that. The world will always have enough of gullible people who believe in such fairytales. If that wasn't the case, scammers wouldn't waste time with this type of attack and do something else. It's true that sending such emails isn't hard work but I am sure it still works to some extent.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: satscraper on October 24, 2024, 02:49:54 AM

This is not to necessarily suggests that any user will be safe. If user is just dumb dumb dumb he may share ^{(on the fishing site or somewhere else )}his SEED even for the Internet-blind hardware wallet. However, I'm agreed, air-gapped devices ^{(like mine Passport2)} are better opt for those who wanna mitigates the risks exposed to their stash.

I actually think that a good exchange (i.e. not Binance, OKX, Gate etc but something like privacy-invading Coinbase Shocked

) are better for dumb dumb dumb users because even though they are custodial, they will at least give you many warnings not to share your credentials with anyone, and then a competent exchange will implement lots of security measures like 2FA, confirmation before withdraw, maybe even a sort of KYC like facial scan before you can log into a new device. That last one is something I've heard of Revolut doing, and it sounds like it can help really naive people who are vulnerable to scammers.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: NotATether on October 24, 2024, 01:24:26 AM

An ideal hardware wallet should function without connecting to the internet at all, including via intermediary applications on an internet-connected computer which do fetch data from the internet.

This is not to necessarily suggests that any user will be safe. If user is just dumb dumb dumb he may share ^{(on the fishing site or somewhere else )}his SEED even for the Internet-blind hardware wallet. However, I'm agreed, air-gapped devices ^{(like mine Passport2)} are better opt for those who wanna mitigates the risks exposed to their stash.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

An ideal hardware wallet should function without connecting to the internet at all, including via intermediary applications on an internet-connected computer which do fetch data from the internet.

Understanding this basic detail would save a lot of people from falling for these basic phishing emails. It's not enough to just rely on email filters to hide them for you.

sunsilk

hero member

Activity: 3038

Merit: 634

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Even if it seems a usual scam that we see on a day-to-day basis, there are customers who don't know much about crypto and have just been told to buy a ledger or hardware and take care of it.

And upon reading some scam emails, they'll feel paranoid about it and they're likely to oblige themselves and gonna follow the scammy instructions.

In general, this also probably happening in some other brands that there are email scams that are using their names to "immediate action" being sent to their victims.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Z-tight on October 16, 2024, 04:44:51 PM

Thanks for sharing this. Since they launched the ledger recover feature, scammers decided to deceive naive customers with another so-called security feature called 'clear signing', lol, it is crazy and i seriously hope nobody fell for this bullshit. While it is obvious one shouldn't be using ledger anymore, it should be more obvious to anyone who uses a hardware wallet that this is a scam and that they should not click on the link.

It doesn't relate with "the ledger recover feature". In fact to launch this fishing attack scammers jumped at the opportunity opened for them by the existence of official Ledger’s Clear Signing Initiative ^{(the main goal of which is to clarify to users some details of the smart contract they are are going to sign)}

Quote from: https://www.ledger.com/blog-ledgers-clear-signing-initiative-paving-the-way-for-safer-transactions

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

@Z-tight, most people perceive Bitcoin in a similar way to fiat and in conversations with people over the years I have often encountered questions that have no logic, such as "which bank is behind BTC?" or "can BTC be banned and its value drop to zero?"

The concept of decentralization is not something that comes easily to people's heads, because for centuries they have been taught that there are banks, governments and those who make decisions and issue money - the concept on which BTC rests is completely opposite to all that.

Being your own bank and having that responsibility is something that most people don't want - a plastic card and a four-digit PIN is such a simple concept that makes BTC extremely complicated for most.

Z-tight

legendary

Activity: 1106

Merit: 1124

Wheel of Whales 🐳

Quote from: Lucius on October 19, 2024, 09:10:57 AM

because at least in the EU savings deposits up to EUR 100 000 are insured by of the state.

This is another reason why people are so wrong to think keeping their money in an exchange is similar to keeping it in a bank, between the two it is very obvious that banks are safer. Crypto exchanges are more likely to collapse or go bankrupt and the chances of getting anything back is slim and could take so many years. I even wonder why people would want to use BTC the way they use fiat, they're better off just using fiat only if they are not ready to be their own bank.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: MeGold666 on October 18, 2024, 11:09:55 AM

Quote from: Lucius on October 18, 2024, 08:10:15 AM

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

True, this people should learn that banks nor any other private company are not to be trusted.

Good luck to anyone who tries to explain to the average person that they shouldn't trust institutions - because in the end most trust banks and if you ask them why, they will tell you that they feel their money is safe there, because at least in the EU savings deposits up to EUR 100 000 are insured by of the state.

On the other hand, the idea of being your own bank doesn't seem attractive to them at all - that's why for the vast majority Bitcoin has become just a get-rich scheme and that's why companies like Ledger, despite all their scandals, continue to operate as if nothing had even happened.

MeGold666

member

Activity: 28

Merit: 37

Quote from: Lucius on October 18, 2024, 08:10:15 AM

As far as I remember, they did not promise that they would not keep personal information of their clients, because by law they have the right (and possibly the obligation) to do so. The problem is that they should have kept this information in the best possible way, and not leave it to someone else who is clearly not adequate for such a job.

They did say they will not store "sensitive client information", whatever they meant by that.
I think home address is very sensitive information, they could argue they had private keys in mind...

edit: I have checked their page on archive.org before the 2020 data breach and indeed they have stated they will store user information.
Source: https://web.archive.org/web/20190331192622/https://www.ledger.com/pages/privacy-policy

I don't remember where I read it, could be unofficial. Thanks for correction on that matter.

Quote from: Lucius on October 18, 2024, 08:10:15 AM

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

True, this people should learn that banks nor any other private company are not to be trusted.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: MeGold666 on October 18, 2024, 03:46:35 AM

~snip~
The company said they would never store your information, yet they did. They lied, and people still trust them and their closed-source firmware. 😮
I may need to remind you: The whole cryptocurrency revolution is about being trustless, about not having to trust anyone, because trust is always abused.

As far as I remember, they did not promise that they would not keep personal information of their clients, because by law they have the right (and possibly the obligation) to do so. The problem is that they should have kept this information in the best possible way, and not leave it to someone else who is clearly not adequate for such a job.

As for trust, it's pointless to talk about it when a lot of people who invest in cryptocurrencies don't really understand what they're investing in at all. For many, every CEX is equal to a bank, until something bad happens and they realize how wrong they were.

MeGold666

member

Activity: 28

Merit: 37

I've always said it's safer to be a fish in the ocean than a shark in a tank.

Do yourself a favor and learn how to securely use an air-gapped PC. It takes about an hour for a total beginner to understand, and it's knowledge that will last a lifetime without needing to trust hardware wallet companies.

For small amounts, you can use your phone and Cake Wallet or whatever you prefer.

Phishing attacks are not the fault of hardware wallets, and if you're vulnerable to such threats, you'll get hacked anyway.
Just saying, having an old dedicated laptop is still safer than dealing with these companies.

Quote from: Lucius on October 17, 2024, 05:28:13 AM

...The database that leaked from Ledger is used constantly, and the fact that someone emphasized this news is nothing specific, because everything always boils down to the same thing.

The company said they would never store your information, yet they did. They lied, and people still trust them and their closed-source firmware. 😮
I may need to remind you: The whole cryptocurrency revolution is about being trustless, about not having to trust anyone, because trust is always abused.

Any software that is not open-source and not audited should not be trusted, not only in cryptocurrency but in general.

With hardware wallets (or any closed source projects), you're not the owner of the coins; you're the user, and the company behind it is the owner, controlling what happens inside that black box.

Floxynice

full member

Activity: 108

Merit: 34

Quote from: satscraper on October 16, 2024, 01:42:19 AM

This time it is fraudulent "Ledger Clear Signing" chuck which urges customers to activate this feature to make Ledger wallet continuously working. Involved scammers disseminate this mock via emails which sets deadline October 31 after which ^{(as they said)} "users that failing to activate this feature will prevent them from using their devices securely." In fact, this email has a link that leads to a fishing site, the aim being to get sensitive info from users ^{("which can give scammers access to their cryptocurrency wallets')}.

Those, who still use Ledger wallets, be careful to not fall into this scam.

Thanks OP for this information

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Not everyone who have coins stored in wallets really understand how the wallets work. Some people who have very little education about wallets and how scammers operate will easily fall for these scams. Constant efforts in exposing these scam patterns just like OP has just done is what some people need to remain vigilant.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

I think those phising emails affects very few people, if any. Most users will just ignore them. Those doesn`t even appear in my inbox and go straight to spam.

The point is that sending an e-mail is basically free, and as they already have the data of potential victims, they will just keep sending them. If just one person clicks the bait, they make money....

m2017

legendary

Activity: 1792

Merit: 1296

Playbet.io - Crypto Casino and Sportsbook

Quote from: Charles-Tim on October 16, 2024, 03:47:55 AM

This can be somehow off-topic but it is still worth posting about. That it is better not to use Ledger devices anymore. Ledger Nano is now an online wallet that gives the option for people to save their seed phrase online with third parties. Not worth using anymore and not worth buying.

Of course, the best solution in light of the already formed negative public opinion in crypto community about the Ledger company would be to simply not use the ledger devices. But I believe that such incidents should be voiced in order to inform the community for preventive purposes. As a reminder of phishing, which is one of the most common ways to lose cryptocurrency.

At first glance, Ledger is not involved in the "Ledger Clear Signing", because scammers who send phishing letters are as old as the Internet itself. But there is one nuance, which is that these letters are sent to users of ledger devices on purpose, which is reminiscent of the previous leak of the client base of this company.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Forsyth Jones on October 16, 2024, 01:19:25 PM

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.
~snip~

Why do you think there is a link between the fact that some scammers send such e-mails and the fact that there are still people who do not understand the correct way of using hardware wallets? The database that leaked from Ledger is used constantly, and the fact that someone emphasized this news is nothing specific, because everything always boils down to the same thing.

In addition, every seed generated by some HW is not only important to protect on the device itself in case it falls into the wrong hands or from possible remote attacks, but it should also be properly protected as a backup. The key feature of each HW is that it generates the seed offline in a secure environment, and that every action we perform on the same device must be physically confirmed by pressing a key/button.

Z-tight

legendary

Activity: 1106

Merit: 1124

Wheel of Whales 🐳

Thanks for sharing this. Since they launched the ledger recover feature, scammers decided to deceive naive customers with another so-called security feature called 'clear signing', lol, it is crazy and i seriously hope nobody fell for this bullshit. While it is obvious one shouldn't be using ledger anymore, it should be more obvious to anyone who uses a hardware wallet that this is a scam and that they should not click on the link.

Forsyth Jones

hero member

Activity: 1120

Merit: 540

Duelbits - Play for Free | Win for Real

It's incredible how there are still people who fall for this kind of obvious scam, since the main purpose of every hardware wallet is to keep the mnemonic phrase protected on the device; it should never be entered in any online environment, such as typing on a computer keyboard.

Some people have their first contact with bitcoin and altcoins through these devices and have no basic understanding of how the BIP-39 key derivation scheme works and the consequences, such as total loss of funds after exposing a seed online.

That's why these types of phishing still exist, because unfortunately they are making many victims. I'm afraid that people who have hardware wallets are the easiest to rob.

Quote from: Charles-Tim on October 16, 2024, 03:47:55 AM

This can be somehow off-topic but it is still worth posting about. That it is better not to use Ledger devices anymore. Ledger Nano is now an online wallet that gives the option for people to save their seed phrase online with third parties. Not worth using anymore and not worth buying.

As for your post, it’s really sad that Ledger has gone down this path.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

This can be somehow off-topic but it is still worth posting about. That it is better not to use Ledger devices anymore. Ledger Nano is now an online wallet that gives the option for people to save their seed phrase online with third parties. Not worth using anymore and not worth buying.

satscraper

hero member

Activity: 714

Merit: 1298

This time it is fraudulent "Ledger Clear Signing" chuck which urges customers to activate this feature to make Ledger wallet continuously working. Involved scammers disseminate this mock via emails which sets deadline October 31 after which ^{(as they said)} "users that failing to activate this feature will prevent them from using their devices securely." In fact, this email has a link that leads to a fishing site, the aim being to get sensitive info from users ^{("which can give scammers access to their cryptocurrency wallets')}.

Those, who still use Ledger wallets, be careful to not fall into this scam.

Topic: New wave of scam targets Ledger's customers. (Read 404 times)