Ledger clients whose data was stolen in a breach were targeted in a phishing scam this past week. Below, our expert team at Kraken Security Labs has put together an analysis of the ongoing attack against Ledger clients.

This instructive case study could prove useful to all crypto holders.

Since phishing continues to be one of the main methods used by hackers and scammers to steal crypto, we believe that better awareness of phishing methods is vital in the crypto community.

Note that this phishing attack is unrelated to any flaws in the Ledger wallet or its firmware. As a form of social engineering, phishing attacks cannot be avoided through technology alone – education and awareness is key.

Phish Emails and Texts

Many Ledger owners received emails or text messages similar to the one below, asking them to download a new version of their Ledger software.

The criminals are likely using the contact information of the 9,500 customers involved in the June 2020 Ledger breach. Most, if not all, of the emails came from the attacker-controlled [email protected] address.

Cloned Website

Should a victim click the link in the email, they will be redirected to a fake, cloned copy of the Ledger site.

The attackers are using a number of redirects and misspelled pages to trick the victim and to rotate pages as they were detected.

Victims are eventually sent to a download page with links to malicious versions of the Ledger Live desktop application. In the screenshot below, notice that the attackers are using the misspelled leGDer.com domain.

Malware

The downloaded malware will appear very similar to the legitimate Ledger Live application, except that the application will ask the victim for their recovery phrase and then steal it.

After the victim enters their recovery phrase, the malware sends the recovery phrase to the attacker at loldevs.com.

With the recovery phrase, the attacker can recover the victim’s wallet and then send those funds to one of the attacker’s wallets.

Response

The Ledger team and others reported these domains and, within 48 hours, many of them were disabled or are now redirecting to legitimate Ledger services, temporarily nullifying this attack. 

However, it appears attackers continue to switch URLs to maintain the campaign. 

Protect Yourself

These are standard social engineering and malware techniques, so the normal security hygiene tips apply:

• Be wary of links and be cautious when asked to install software.

• Carefully review suspicious emails or texts.

• Never type your recovery words into anything.

• Maintain your browser and keep it updated with the latest patches.

• Be mindful of surprises, tune into the sense of urgency and watch out for the hook. Attackers prey on a sense of urgency, so you can avoid many attacks by just waiting a few days.

• Never visit a site that is using punycode, which is used almost exclusively by attackers. In this campaign, the attacker used xn--ledgr-9za.com, which the browser will automatically translate to display accent characters, which trick the victim. 

  

• To verify if a site is using punycode, Punycoder.com is a tool to verify look-a-like characters.
  

If you were targeted in this campaign or have ever purchased a Ledger, you need to be extra careful as you should expect to continue to be targeted in crypto-related scams.

For more updates from Kraken Security Labs, be sure to bookmark our official blog.