Consumers who have purchased Ledger hardware wallets have been waking up to nasty emails claiming that their crypto assets are in danger of being stolen. It is the latest in a long list of phishing attacks designed to lure the uninitiated into divulging their secret phrases or downloading malware.
The first round of spurious emails asked for the 24-word recovery phrase, and Ledger responded with a warning emailed to customers confirming that it would never ask for it.
The second round of emails is a little more insidious: they claim that a data breach on Ledger's servers has affected the wallet associated with the target's email address, and ask users to download the latest version of Ledger Live via a link embedded in the email and reset their PINs.
It was reported that Ledger did suffer a data breach in July resulting in 9,500 users having their personal information compromised.
Sneaky Social Engineering
At first glance the email looks genuine, but there are a number of key giveaways that are easy to spot for the trained eye. Firstly, the domain name is not ledger.com but legder.com.
Secondly, hovering over the link in the box (being careful not to click it) reveals a dodgy URL: http://url9594.legder.com, which is likely to result in the download of malware able to log keystrokes, steal credentials, or mine cryptocurrency.
Crypto investors and traders have already taken to Twitter to share this phishing scam and warn others about it:
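The two giveaways above (a transposed-letter sender domain and a link whose hover-over host sits under that same lookalike domain) can be checked mechanically. The following is an added example, not code from the article or from Ledger; the brand list, the sender address and the link hosts it is run against are constructed to mirror the email described here.

```python
# Added example (not from the article): flag lookalike sender domains and
# link hosts, using the ledger.com vs legder.com case described above.
from urllib.parse import urlparse

LEGIT_DOMAINS = {"ledger.com"}  # the only domains treated as genuine


def registrable_domain(host: str) -> str:
    """Reduce 'url9594.legder.com' to 'legder.com' (assumes a one-label
    TLD such as .com; a real deployment would use the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance, so the 'dg' -> 'gd' transposition in
    legder.com counts as a single edit rather than two substitutions."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(domain: str) -> str:
    """'legit', 'lookalike' (within 2 edits of a known brand) or 'unknown'."""
    if domain in LEGIT_DOMAINS:
        return "legit"
    if any(edit_distance(domain, legit) <= 2 for legit in LEGIT_DOMAINS):
        return "lookalike"
    return "unknown"


def check_email(sender: str, links: list) -> dict:
    """Verdict for the sender's domain and for the host behind each link
    (what you would see by hovering over it, without clicking)."""
    verdict = {"sender": classify_domain(sender.rsplit("@", 1)[-1].lower())}
    verdict["links"] = {
        url: classify_domain(registrable_domain(urlparse(url).hostname or ""))
        for url in links
    }
    return verdict


if __name__ == "__main__":
    # Constructed sample mirroring the email described in the article.
    print(check_email("support@legder.com",
                      ["http://url9594.legder.com", "https://www.ledger.com/"]))
```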
*** SCAM ALERT ***
I just received this in my inbox. A new phishing scam has been sent out claiming there are problems with @Ledger live and a call to action to download “the newest version of Ledger live”. Please share this in order for as many people as possible to see this… pic.twitter.com/xOKUBoKI63
— Young And Investing (@QuintenFrancois) October 25, 2020
Additionally, Ledger itself has published a list confirming knowledge of these phishing attempts and reinforcing the premise that funds are safe provided the recovery phrase is:
Remember, your assets are safe if your 24-word recovery phrase is. We’ve come up with a short list of tips and tricks to help — we know it’s quite Phishy out there. (1/5)
— Ledger (@Ledger) October 26, 2020
The company stated that nobody, including Ledger, should ever ask for the PIN or recovery phrase, but this latest email was a call to action prompting the clicking of a malicious link.
Risk Mitigation
Hardware wallets, such as those produced by Ledger or Trezor, take an extra step to mitigate these risks. Ledger stated that crypto assets cannot be sent from a Ledger device unless the user physically connects it to the computer and verifies the transaction on both the computer and the device.
If malware is controlling the PC or smartphone, it cannot control the Ledger wallet, even when it is plugged into the computer.