Ledger users are falling prey to a phishing email that claims a fake data breach, and are losing digital assets to criminals. According to reports from BleepingComputer, the criminals are impersonating Ledger’s official support address to send the emails, which instruct users to verify their recovery phrases because of the supposed breach.
The scam was reported on December 15. The scammers use Amazon’s AWS to give the operation an appearance of legitimacy, and the phishing emails are used to steal the user’s recovery phrase, which gives the scammers total control of the wallet. The campaign has been very fruitful for the scammers because it references Ledger’s real 2020 data breach, in which users’ information was exposed and the company scrambled to contain the fallout.
Phishing emails appear to be from Ledger’s official address
According to the reports, the emails looked official and carefully mimicked Ledger’s genuine communications. The message carried the subject line “Security Alert: Data Breach May Expose Your Recovery Phrase” and appeared to come from “Ledger [email protected].” However, investigation revealed that the scammers used the SendGrid email marketing platform to send the messages.
Users who click the “Verify My Recovery Phrase” button in the email are taken through several stages. The first is a suspicious Amazon AWS page at the URL product-ledg.s3.us-west-1.amazonaws.com, which then forwards them to the phishing website. The phishing site is detailed: it checks each seed word entered against the list of valid recovery words, and this real-time validation makes it appear legitimate to users.
The scammers also make users enter their seed phrases multiple times by claiming the initial submission was invalid. Other versions of the email have also been discovered, including one posing as a firmware upgrade notification that follows the same pattern of stealing users’ assets. Each word is transmitted to the scammers’ server the moment the user enters it.
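A defender-side illustration of the indicators described in this section: the script below, an added example that is not part of the original report or of Ledger’s own tooling, scores a raw email against those indicators (a brand display name over a non-brand sender domain, a subject line about a breach or recovery phrase, a call-to-action link that leads to a public cloud storage bucket rather than the brand’s domain, and link text asking the reader to act on their recovery phrase). Both sample messages are constructed; the sender address is a placeholder, and the allowlisted domain ledger.com is an assumption standing in for whatever domains your organisation has verified.

```python
"""Heuristic scoring of an e-mail against the phishing indicators described
in the report above. Added example; not code from the original report."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_NAME = "ledger"
# Assumption: the brand's verified sending domain(s). Adjust for your own
# organisation; any other domain behind a "Ledger" display name is a lookalike.
LEGIT_DOMAINS = {"ledger.com"}
SUBJECT_KEYWORDS = ("recovery phrase", "seed phrase", "data breach", "security alert")
LINK_KEYWORDS = ("recovery phrase", "seed phrase", "verify")

# Constructed sample modelled on the subject line, button text and bucket URL
# quoted in the report. The sender address is a placeholder, not a real IoC.
PHISHING_SAMPLE = b"""From: Ledger <alerts@sender-placeholder.invalid>
To: user@example.invalid
Subject: Security Alert: Data Breach May Expose Your Recovery Phrase
Content-Type: text/html; charset=utf-8

<html><body><p>Your recovery phrase may be exposed.</p>
<a href="https://product-ledg.s3.us-west-1.amazonaws.com/">Verify My Recovery Phrase</a>
</body></html>
"""

# Constructed benign message for comparison: brand display name, brand domain.
BENIGN_SAMPLE = b"""From: Ledger <news@ledger.com>
To: user@example.invalid
Subject: Product update
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.ledger.com/">Read more</a></body></html>
"""


def _same_or_subdomain(host, domain):
    return host == domain or host.endswith("." + domain)


def _is_legit_host(host):
    return any(_same_or_subdomain(host, d) for d in LEGIT_DOMAINS)


def extract_links(html):
    """Return (href, anchor text) pairs from an HTML body. A regex is enough
    for the flat markup in the samples and keeps the example dependency-free."""
    pairs = re.findall(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in pairs]


def score_message(raw):
    """Parse a raw RFC 5322 message and return (score, reasons).
    Each matched indicator adds one point; the reasons explain the score."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Brand name in the display name, but the address is not on the brand's domain
    if BRAND_NAME in name.lower() and not _is_legit_host(sender_domain):
        reasons.append(f"display name claims {BRAND_NAME!r} but sender domain is {sender_domain!r}")

    # 2. Subject pressures the reader about a breach or their recovery phrase
    subject = str(msg["Subject"] or "").lower()
    if any(k in subject for k in SUBJECT_KEYWORDS):
        reasons.append("subject mentions a breach or the recovery phrase")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        # 3. Call-to-action link leads somewhere other than the brand's domain...
        if host and not _is_legit_host(host):
            reasons.append(f"link host {host!r} is not a {BRAND_NAME} domain")
            # 4. ...and specifically to a public cloud storage bucket
            if _same_or_subdomain(host, "amazonaws.com"):
                reasons.append(f"link is served from a cloud storage bucket: {host}")
        # 5. Link text asks the reader to act on their recovery phrase
        if any(k in text.lower() for k in LINK_KEYWORDS):
            reasons.append(f"link text asks to act on the recovery phrase: {text!r}")

    return len(reasons), reasons


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}")
        for reason in reasons:
            print("  -", reason)
```

The scoring is deliberately additive and explainable: a mail-gateway rule can act on the score, while the reasons list tells an analyst which of the report’s indicators fired. The constructed phishing sample trips all five checks, and the benign sample, which uses the same display name but the allowlisted domain and a brand-hosted link, scores zero.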
Ledger issues repeated security reminders
Ledger has issued an update about the phishing incident, reiterating that it will never ask users for their seed phrases or logins via email or any other channel. Its security guidance notes that a recovery phrase is only ever needed when setting up a new wallet or restoring an existing one, and that both actions are performed on the physical Ledger device itself.
The company also reminded users always to type the URL into the browser themselves instead of clicking links, and to treat any email purporting to come from Ledger with caution, especially one that mentions a breach. Users were further advised to store their seed phrases offline in a secure location. Anyone who believes their seed phrase has been compromised, or who has entered it on a website, was advised to move all funds out of the wallet immediately.