Fake Ledger data breach emails used to trick victims into giving up recovery phrases
- New phishing email scam impersonating Ledger spotted
- The emails claim the user’s Ledger wallet seed phrase was compromised, and asks for confirmation
- Users that provide the seed phrase lose all their money
Criminals are trying to steal cryptocurrency by impersonating hardware wallet firm Ledger and sending phishing emails.
Victims have reported receiving emails pretending to be from Ledger, and claiming that their seed phrase (also known as recovery phrase, or mnemonic seed) is compromised. To protect their digital belongings, the victims are invited to “verify the security” of the recovery phrase through the “secure verification tool”.
The email comes with a “Verify my recovery phrase” button which leads people through an AWS website, to a domain “ledger-recovery[.]info”. There, users can enter their recovery phrase, which is then saved on a server and relayed to the attackers.
Providing the right data
A recovery phrase is used to load the contents of a cryptocurrency wallet into a new device, or new software wallet. It usually comes as a series or either 12, or 24 random words. Whoever has access to this phrase, also has access to the funds, so it is absolutely pivotal that these remain offline, hidden, and not shared with anyone.
To make sure they’re getting the real deal, the scammers added several safeguards to the phishing page. The site is limited to 2048 valid words that can be entered as part of the mnemonic seed phrase. Furthermore, whatever the user enters, they will get the response that the seed phrase is wrong – most likely to allow the victims to double down on their entries and thus confirm they have provided the right information.
Phishing emails often used to have poor grammar and spelling and could typically be identified by clumsy, amateurish wording. However, with the introduction of generative AI, that is no longer the case. In this case, though, the clue was in the email address, since it came from the SendGrid email marketing platform. Furthermore, the link redirects through an Amazon AWS website, which should also be a red flag.
It is impossible to know how many people (if any) fell for the trick, but those that did lost their money permanently.
Via BleepingComputer