Kraken, an established US-based cryptocurrency exchange, recently confirmed that Ledger clients whose data was stolen during a security breach have been targeted in a phishing scam that was carried out this past week.
The team of experts at Kraken Security Labs have provided an analysis of the ongoing attack against Ledger (a leading crypto hardware wallet) clients.
Kraken claims that its instructive case study may be useful to all crypto-asset traders and investors.
The Kraken team notes in a blog post that phishing continues to be one of the main methods used by cybercriminals to steal digital currencies. They believe that increased awareness of the different phishing methods is “vital” in the crypto and blockchain community.
Kraken Security Labs clarifies that this particular phishing attack involving Ledger is not related to any technical flaws in the Ledger hardware wallet or its firmware. The security team explains that “as a form of social engineering, phishing attacks cannot be avoided through technology alone – education and awareness is key.”
The Kraken team confirmed that many Ledger wallet owners have received emails or text messages that have asked them to download the latest version of their Ledger software.
These cybercriminals are mostly likely using the contact information of the 9,500 customers that were targeted during the June 2020 Ledger breach, Kraken’s security team noted. They also confirmed that most (or all) of these emails came from the “attacker-controlled” info@ledgersupport.io address.
The Kraken team further noted:
“Should a victim click the link in the email, they will be redirected to a fake, cloned copy of the Ledger site. The attackers are using a number of redirects and misspelled pages to trick the victim and to rotate pages as they were detected. Victims are eventually sent to a download page with links to malicious versions of the Ledger Live desktop application.”
The exchange’s security team warned that the downloaded malware will look really similar to the legitimate or actual Ledger Live application. However, the application will also ask the victim for their SEED recovery phrase (which should never be shared with anyone under any circumstances). Once the unsuspecting victim has shared their key phrase with the scammers, they’re able to quickly steal all of the users’ cryptocurrency.
As explained by Kraken, the hackers use the following process to retrieve SEED phrases from their targets:
“After the victim enters their recovery phrase, the malware sends the recovery phrase to the attacker at loldevs.com. With the recovery phrase, the attacker can recover the victim’s wallet and then send those funds to one of the attacker’s wallets.”
The Ledger team and other crypto-related organizations have reported certain suspicious domain names. Kraken confirmed that, within 48 hours, most of these domains had been disabled or are now redirecting users to the legitimate Ledger services, “temporarily nullifying this attack.”
The Kraken team notes that we must always be wary of website links and be very careful when asked to install any type of new software.
They also shared the following safety and security tips:
- Carefully review suspicious emails or texts.
- Never type your recovery words into anything.
- Maintain your browser and keep it updated with the latest patches.
Kraken Security Labs further cautioned users:
“Be mindful of surprises, tune into the sense of urgency and watch out for the hook. Attackers prey on a sense of urgency, so you can avoid many attacks by just waiting a few days.”
(Note: for more information about phishing attacks and other ways to protect yourself from cybercriminals, check here.)