Topic: Watch out for Fake Trezor Suite! (Read 253 times)

One thing is sure. If that breach happened on 26 March, MailChimp has not mentioned it publicly on their Twitter feed. But to be fair, we don't know what has been communicated to their clients. Their clients are Trezor and over 300 other companies. Trezor has already stated that MailChimp admitted there was a breach and an inside job. Therefore, they have revealed the problem to the affected companies, but not to the general public.

Yes i was also astonished to see that another employee id was used in hacking the data of the customers and this time the target is big corporates who must be having million of users but the fact is they won't disclose it easily to the public in order to maintain their reputation in the market and profitability could be affected.

There was past vulnerability in Trezor wallet through which one youtuber was able to hack it and get $2 million also which i remembered and he said the PIN and key were copied and moved to RAM which he used as hacking techniques.But after it was viped out.

These companies depending on the third party softwares are already going into full risk of data breach anytime the company is hacked like this one or employee selling the information to some hackers for money.Using these services always have a risk and the main problem is people's fund are at stake.

More common things in these attacks are they are performing slowly to tackle the situation as in this case they have known this one on 26^th March that some bad actor was gaining access to the software they should have taken instant actions to detect the fraud sending notice to all their clients to be safe and issue warning.Recently Ronin network was hacked for $625 million and they were unaware about it for 5 days until one person tries to withdraw 5k ETH so what security levels they all are having? Seriously these phising attacks are increasing like the first one for Ledger and now Trezor.


This attack was more of well executed phising attack as they got access to the API and then mailing list directly without accessing the MailChimps customer portal.

There will be many more with such amounts and this hack might be big until we have the real amounts disclosed but don't think it will be public.Have also seen many people on twitter complaining about the Trezor hack so don't know how many have lost funds.

Self awareness is necessary to be safe from these scams and you need to be educated and technically updated also.Like you said about credit cards then people know that they don't need to share their PIN or CCV number on the back with anyone but have seen many people still falling for fake calls asking for details as your bank account is linked to mobile.Or they fill out it on some fake websites which is why they loose funds.Same is the need here with your seeds but it should have proper back-up offline without sharing it with anyone.Your cards lost can be blocked and issued new one's but there's no such thing with seeds so be sure not to loose them.

Actually i would say that hackers are trying new methods in these types of hacks that most newbies and even old users have no idea about the hacks like in this one.They have also the phishing warning on the top of page to make it look legit :



But there were many fake things like domain name, signing not with Satoshi labs and enter your seeds and then they must have used keylogger as discussed above to do this scam.So you see how well they are managing these scams to make you fool.But it must be kept in mind that you don't need to give your seeds or fill out them anywhere until you investigate the matter in detail.The hackers take one step but the main security is compromised on our end by giving them access to wallets or seeds.This needs to be spread awareness among mass to tackle these scams.

I wish there was a perfect way to make everyone understand seed phrases should be taken care of as much as you would take care of a credit card.  You do not give the credentials to a stranger who is asking you for it.  You do not put these things into a random website or software.  This should be the FIRST thing a Cryptocurrency newbie has to learn and be continuously reminded of.

This is the worst part of these recent scams.  I mean even the YouTube and Twitter ones.  You do not even have to steal money from someone by yourself.  The victims are literally giving them access to their own coins or are sending the coins by themselves, using their own hands.  Only thing that is able to fix this problem is education and some minimum level of paranoia we all should have.  You just NEVER give your seed up to a software, you NEVER type your Hardware Wallet seed through anything except the Hardware Wallet itself.  Be cautious, for God sake!

-
Regards,
PrivacyG

Let’s see if there are reports on the keylogger (and RAT) are confirmed, which would make it quite a sophisticated phishing+malware combo attack. I’d have expected BleepingComputer to have detected it by now, as they are normally quite thorough in their tests.

Meantime, we’ve got some alleged cases of victims. This one claims having lost 55K quids to the phishing:
https://www.reddit.com/r/Bitcoin/comments/tvhu4n/i_fell_victim_to_the_trezor_phishing_scam/

Note: Ledger -> Trezor

When I say hack you say Ledger. HACK - LEDGER, HACK - LEDGER. Sorry, I had to do it. However, this time Trezor users got affected, not Ledger (yet).

Judging by this reddit post, there are reports of a Snake keylogger being part of the package. I assume the AVs are still not picking it up, and time is needed before it gets recognized and flagged as malware. 

Unfortunately, none of that matters if customer data can be obtained from a server somewhere, and it can. We have now witnessed how both open-source and closed-source hardware wallets were owned. The positive thing is that Passport claims they use in-house servers for customer data. However, that's still a centralized attack vector that could be abused.

This seems to bear a lot of resemblance to the HubSpot hack I posted about a couple of weeks ago here: Another day, another data leak - more phishing likely

Access gained through an employee's account, gaining access to a large number of corporate accounts, focusing on crypto related businesses and clients, mass phishing emails rapidly following the breach. I wonder if the two are related through more than just timing?

Regardless, it gives a clear picture of what centralized services are doing with your data - handing it off to a bunch of third parties and doing no due diligence whatsoever in to those third parties' security. You can expect this kind of behavior from sketchy entities like BlockFi, but you expect better from hardware wallet manufacturers.

According to claims made by TechCrunch, MailChimp’s Chief Information Security Officer has stated that:

-   MailChimp was aware of the intrusion since March 26th.

-   Hackers social engineered their way to gaining access to the system through employees credentials.

-   Hackers gained access to roughly 300 MailChimp accounts (i.e. corporate customers, being Trezor just one …).

-   Hackers targeted crypto and financial entities.

-   Hackers downloaded data, but worse still, gained access to APIs, potentially enabling hackers to impersonate the sender from their own account on the platform (now disabled).


The above is derived from what is published in the first link below. The second link specifies in addition that:

-   The total number of accessed Mailchimp accounts is specifically 319, but data was exported from only a subset of 102.


As a result, if the above is so, there are at least 102 corporations that need to comunicate with their lead/prospect/customer ...

See:
https://techcrunch.com/2022/04/04/mailchimp-internal-tool-breach/
https://therecord.media/hacker-accessed-319-crypto-and-finance-related-mailchimp-accounts-company-said/

It does indeed, and the timing seems too close for it to be a coincidence. Likely, these hackers know how to weave their way into corporations through social engineering, and the jackpot is bigger if they get away with multiple accounts (corporations) by just opening one door.

I don't know any other crypto companies that work with Mailchimp but I am sure there are more of them going to be exposed in next few days, biggest concern is with exchanges and hardware wallets.
Best solution I found is by using alias email addresses or some email relays, that keeps everything separated and I can always terminate any address that gets exposed.

I like Passport hardware wallet more and more every day!
First they are still using open source code that coldcard ditched for common clause, and they are improving their air-gapped device all the time.
I think they are doing it the right way, using everything that is good from other HW manufacturers and improving what's not good.

It's much less chance of rouge Passport worker exposing something, compared to big companies like Mailchimp that has that same rouge worker problem, and they are attacked all the time by hackers.
You don't have to count on any of them to protect your data, use alternative emails, fake names, PO Boxes, and other techniques to improve your privacy and security.
There are ways to better protect yourself if you want, and if you don't want.... well get ready for trouble in future.

Good catch!
I downloaded that file and virus total scanned it as clean, but I forgot to check signature... rookie mistake.
Note that I never wanted to install this crap, all I was doing was testing to see if this file was malware or not.

Hosting the data to any third party is easily prone to hacks or we could say they often involve themselves into selling of this information so we can't trust these services but as you see in this case Trezor outsourced this service to MailChimp and they were targeted by insider crypto trading company.We have witnessing similar cases most often now a days where these centralised service providers will come with that their servers were hacked or employee id was compromised resulting in the data breaches.Like recently we have seen HubSpot phising attack resulting in customers getting similar mails.

But the point is the hackers can't even access your funds if you are aware and keen observer of these fake links like in this one dot after e and com which was the fake trezor suite.Moreover the original one won't ask for your keys but if you have downloaded the wrong one it's your mistake on your end as these third party or centralised services can't be fully trusted.

Yeah they have already spotted the difference by which this fake app attempted to scam the people as the legit one is linked to Satoshi labs as you can see in this image:



It's hard for people to spot the difference if they are unaware about these minor details and then proceed on to next step of entering your seed phrases which you are unintentionally giving to the hackers who will have access to your funds then.

The Trezor app is working with the cyber cell to investigate the matter and has said they are not communicating with any newsletter until the situation is cleared and don't respond to the any of them while they have brought down some of the scam domains:



Although the data is still not cleared and it might not be shown in exact numbers but still we can presume many have fall prey for this phising scam attempt and lost funds which can be taken as idea from this tweet:




People needs to bookmark the official pages and atleast once do proper investigation after they received certain mails before jumping into conclusions and downloading the malicious apps which are scam attempts to hack their seeds and funds.So those who have not download it be safe.

BleepingComputer has described the procure behind the phishing attempt. Besides what we already know about the email being sent to Ledger Trezor Newsletter recipients, when you proceed to download the app ("Get desktop app") from the link on the fake site one is directed to, the following happens:

- A file called  "Trezor-Suite-22.4.0-win-x64.exe" is downloaded. The file is signed by "Neodym Oy" instead of the usual "Satoshi Labs, s.r.o." signature.

- The file contains a modified Trezor Suite app, that semms to look identical to the original.

- And as expected, … as soon as you connect the Trezor device to the app, you’ll be asked to type-in your 12/24 word seed, sending the data over to the hackers.

No lateral additional malware has yet been reported as a side-effect of installing the fake app (i.e. keylogger).

Whether they outsource their marketing needs to some third party company or host the email servers themselves, there is always a centralized aspect of things and that can be attacked. There will always be people who operate and maintain these servers or do other work in their vicinity. The chances of someone turning bad are equally the same if they work for Trezor (in this case) or a third party who offers certain services. An angry or dissatisfied employee or more of them is all that is needed to cause havoc. We have seen it with Shopify and now with MailChimp.

It's always good to know that in the mist of hardware wallet providers we can find some[1] that decide to take a different route regarding outsourcing these kind of works:



However, playing the devil's advocate role for a moment, self-hosted solutions still rely on the trust that the company puts on their employers - What protects companies from rogue employers attacks/leaks? Considering that MailChimp already confirmed that this was an inside job[2], we just have to assume that every company is prone to suffer an attack like this in the long run. Will we ever have a 100 % fail proof system that will still be able to be self-hosted by the company but at the same time protected against inside jobs?

---

[1]https://nitter.net/zachherbert/status/1510634779976290315?cxt=HHwWlsCy3YSV7fYpAAAA
[2]https://nitter.net/Trezor/status/1510558771944333312

One important additional thing to be wary of here, as noted on this thread, is the fact that Trezor claims that MailChimp’s service was compromised, deliberately targeting crypto companies. That means that targeting Trezor customers are just one of the potential attack sets, but other crypto company customers could just as well be targeted with a custom email in the coming days.

Trezor customers are likely one of their highest rating potential targets. It will be important to see the modus operandi behind the downloadable app. I’ve read someone warn that it ends-up asking for the seed  (setting a new pin is a just part of the excuse to ge you there), but I’d like to see that confirmed from multiple sources before making the claim good. Additionally, we’d need to be sure that there are no lateral malware elements installed that go under the radar.

I’ve also seen a sparse reference pointing to the email grabbing IPs through an embedded image tacker.

Same as usual, not just from Trezor only there are other mails from trust wallet, blockchain wallet, ledger and so on, I have used my email for many airdrops and form filling online I guess that's why these scammers are able to target my email address.

Open your eyes scammers aren't playing around, they take their job way very serious its why it's painful to see people losing money to them, we need to be strict with any crypto-related decision making, think twice and do as twice investigations before making that decision.

I could be wrong but I don't think it's the case. I started receiving this type of email from all kinds of services (Coinbase, Trustwallet, MetaMask, etc.) since Coinmarketcap's email addresses leak back in October[1] so it's possible that the scammers simply decided to target more wallet providers.

[1] https://www.coindesk.com/business/2021/10/25/over-3-million-coinmarketcap-email-addresses-leaked-to-dark-web/

Welcome to the club
I don't know if some emails got leaked from Trezor or not, but I would never associate any normal email address with hardware wallet (better use temporary or dedicated address).
This is official tweet from Trezor, looks like it's possible that MailChimp got hacked and they are partners of Trezor used for newsletters.

I have this punycode reveal enabled by default in my Librewolf browser (great firefox fork), but interesting thing I noticed is that I am now getting redirected to official Trezor website.
Maybe scammers are intentionally doing this or they are changing domain address to something new, because I saw a bunch of similar punycode domains selling cheap for €1 or even less!


https://be.godaddy.com/domainsearch/find?domainToCheck=suite.tr%E1%BA%B9zor.com

---

Latest update:

https://twitter.com/Trezor/status/1510558771944333312

On Firefox, Tor, and other Firefox forks:

• Open a new tab
• Type "about:config" (without quotations) in to the address bar and hit enter
• Accept the warning if you get one
• Search for "network.IDN_show_punycode" (without quotations) and toggle it from false to true

This will protect you from such homograph attacks, but obviously does nothing to protect you from just visiting the wrong site. You should never be clicking on links from emails or using search engines to find import sites - bookmark the real site and only visit via the bookmark or manually entering the correct URL.

I got a couple of emails this morning as well from:


And of the email was redirecting me to:


Only one of these domains is using Whois guard, but I'm guessing the credentials are fake.

Today I noticed new fake website and phishing application for Trezor Suite with new domain registered few days ago using punycodes to look like real Trezor domain.
Website looks almost identical to original Trezor Suite website but if you look carefully you will notice letter ẹ is used instead of regular letter e.
They are using second domain for fake web wallet, and based on domain search I found out that IP address is coming from Russian Federation with IP address 95.142.46.115.
All domains are registered in 2022 and I even went so far that I downloaded their fake exe wallet file, and virustotal showed no malicious files, but I don't recommend anyone to download or install this.


Archive:
https://archive.is/WW2C6
https://archive.ph/R0HaT






https://urlscan.io/result/ff765b01-3306-4c94-a76e-5254f43e4d1d/

File Trezor-Suite-22.4.0-win-x64.exe downloaded from fake wallet
https://www.virustotal.com/gui/file/bfb45d952f8849153e41475adaf57ac886ffd794991c1c39339ff97e5fd2129a

If you receive any email claiming that Trezor experienced some and that you are affected by the breach, know that this is a scam.
Here is one example of phishing email they are sending from [email protected] email via mailjet service:

---

Always double check address bar in your browser, bookmark important websites you use, and NEVER enter your seed phrase words on any website.