A compromised Trezor hardware wallet mailing list was used to send fake data breach notifications to steal cryptocurrency wallets and the assets stored in them.
Trezor is a hardware cryptocurrency wallet that allows you to store your crypto assets offline, rather than using cloud-based wallets or wallets stored on your PC that are more vulnerable to theft.
When setting up a new Trezor, a recovery seed of 12 to 24 words is displayed that allows owners to recover their wallets if their device is stolen or lost.
However, anyone who knows this recovery seed can access the wallet and the stored cryptocurrencies, making it vital to store the recovery seed in a safe place.
As of today, owners of Trezor hardware wallets began receiving data breach notifications asking recipients to download fake Trezor Suite software that would steal their recovery seeds.
Trezor confirmed on Twitter that these emails were a phishing attack sent through one of their opt-in newsletters hosted at MailChimp.
Trezor later said MailChimp has reportedly confirmed that their service has been compromised by an “insider” targeting cryptocurrency companies.
BleepingComputer has contacted MailChimp to learn more about this compromise, but has not received a response at this time.
A Deeper Look at the Trezor Attack
The phishing attack started when the owners of the Trezor hardware wallet received fake security incident emails claiming to be a data breach notification.
“We are sorry to inform you that Trezor experienced a security incident involving data from 106,856 of our customers, and the wallet associated with your email address [email here] falls within those affected by the breach,” reads fake Trezor phishing email about data breaches.
False data breach report from Trez
These fake data breach emails say the company does not know the extent of the breach and owners should download the latest Trezor Suite to set up a new PIN on their hardware wallet.
The email contains a “Download latest version” button that takes the recipient to a phishing site that appears in the browser as suite.trezor.com.
However, the website is a domain name with Punycode characters that allows the attackers to impersonate the trezor.com domain with accents or Cyrillic characters, where the actual domain name is suite.xn--trzor-o51b.[.]com.
It should be noted that the legit Trezor website is trezor.io.
This fake site asks users to download Trezor Suite application as shown below.
Phishing Site Pushing Fake Trez Suite
In addition to the suite.xn--trzor-o51b[.]com website, the threat actors have also created phishing sites on the URLs:
http://trezorwallet[.]org/trezor[.]us http://suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad[.]ui/ (Tor site)
When a visitor downloads the desktop app, they will download a fake Trezor Suite application from the phishing site called ‘Trezor-Suite-22.4.0-win-x64.exe’.
As you can see below, the legitimate Trezor Suite application is signed with a certificate for “Satoshi Labs, sro” and the fake Windows version [VirusTotal] is signed by a certificate from “Neodym Oy” (right).
Comparison of digital signatures for fake and legitimate Trezor Suite downloads
Since the Trezor Suite is open source, the threat actors downloaded the source code and created their own custom app that looks identical to the original, legitimate application.
Ironically, this bogus suite even includes Trezor’s warning banner about phishing attacks at the top of the application’s screen.
Fake Trezor Suite software
However, once Trezor owners connect their device to the fake Trezor Suite app, it will prompt them to enter their 12 to 24 word recovery phrase, which will be sent back to the threat actors.
Now that the threat actors have your recovery phrase, they can use it to import the recovery phrase into their own wallet and steal victims’ cryptocurrency assets.
An almost identical attack targeting Ledger hardware crypto wallet owners desire phishing attacks leading to fake Ledger Live software.
What should Trezor owners do?
First of all, never enter your recovery seed into any app or website. The seed should only be entered directly on the Trezor device you are trying to restore.
Since it is easy to create similar domains that impersonate legitimate sites, when it comes to cryptocurrency and financial assets, always type the domain you are trying to reach into your browser instead of relying on links in emails.
This way, you know you’re going to the legit site rather than a site that mimics it.
In addition, Trezor’s official website is at trezor.io, so other domains, such as trezor.com, are not related to the crypto hardware wallet company.
Finally, ignore any emails claiming to be from Trezor stating that you have been affected by a recent data breach. If you have any concerns, instead of clicking the link in these emails, you can contact Trezor directly for more information.
This post Fake Trezor Emails About Data Breach Used To Steal Cryptocurrency Wallets
was original published at “https://www.bleepingcomputer.com/news/security/fake-trezor-data-breach-emails-used-to-steal-cryptocurrency-wallets/”