Fake Ledger devices mailed out in attempt to steal from cryptocurrency fans

Graham CLULEY

June 17, 2021

In December last year, we reported how the email and mailing addresses of some 270,000 Ledger customers had been published on a hacking forum following a data breach.

At the time we warned users of the hardware cryptocurrency wallet to watch out for phishing scams that might attempt to steal users’ credentials.

What we hadn’t predicted was that cybercriminals would use a rather more elaborate way to steal users’ credentials.

As Bleeping Computer reports, some Ledger customers have received fake replacement Ledger devices via the post, alongside a letter claiming that the device is a replacement hardware wallet that should be used in the wake of the earlier data breach.

In a Reddit post, a Ledger customer shares photographs of the package he received, as well as the contents of the letter, which purports to come from Ledger’s CEO:

Dear Ledger client, As you know, Ledger was targeted by a cyberattack that led to a data breach in July 2020. We were informed about the dump of the content of a Ledger customer database on Raidforum. We believe this to be the contents of our e-commerce database from June 2020. At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (name, surname, phone number and customer wallet information) that we were able to specifically identify. For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again. We deeply apologize for the inconvenience caused to you due to our faulty security systems. Note: This new device doesn’t work for new setups. You need to follow 6 step installation guide which is inside your box. Once you successfully installed you can start to use your new device.

Accompanying the letter was a shrinkwrapped Ledger box, containing a modified device.

Credit: u/jjrand @ Reddit

Of course, it’s easy to take the packaging for a Ledger Nano X, replace its contents with a fake hardware wallet, and then shrinkwrap it again.

Ledger has confirmed that the device purporting to be a Ledger Nano X inside the box is fake: “A flash drive implant has been connected to the printed circuit board. It contains a file with a fake Ledger Live app. There are enclosed instructions in the Nano box which ask the user to connect the device to their computer, open a drive and run the fake Ledger Live app. To initialize the device, the user is asked to enter his 24 words in the fake Ledger Live app. This is a scam. A Ledger Nano is not a USB device. It does not contain any application to download and install on your computer. The only way to download the Ledger Live app is by using the official download page. Plus, Ledger and Ledger Live will never ask you to share your 24-word recovery phrase.”

In short, if you make the mistake of plugging the device into your computer and running the program contained on the device, you are putting the security of your PC in peril and might be one step away from handing over the keys to any cryptocurrency you might have stashed away.

As attempts to break into cryptocurrency wallets go, it’s certainly more of a palaver than the typical phishing attack or optimistic malware-laced email, and must take much more time for the attacker. But then, if you’re vying to break into somebody else’s cryptocurrency fortune, that may well be time you believe well spent.

The best advice for owners of hardware wallets would seem to be to remain suspicious of all communications related to their devices – whether they be via email, phone, or parcel.
