{Warning}: Ledger Phishing Attempt and Clone Website

[Baofeng]

As per their tweet:

https://twitter.com/Ledger/status/1173632200715177985



Official: https://support.ledger.com/hc/en-us/articles/360035343054-Warning-Beware-of-phishing-attempts

Code:

PHISHING SITE: http://ledgertoolkit . com/
PHISHING SITE: https://secure-ledger . com/

We have one member who already fall victim from this trick. All BTC lost during "Cold Storage" > "Masterseed"

Just be careful specially newbies!!!

[DdmrDdmr]

<…>

Why anybody would use a link provided on social media to (try to) manage their Ledger device beats me. I figure that, in the heat of the moment, someone may have some sort of panic attack for some issue or other, and then go for whatever “help” they can get. The case listed in the OP seems of that nature, and the person implied ended-up rushing to a fake Ledger-of-a-kind site.

It’s pretty obvious that the first rule to access your Ledger device should be using the official software/site, and not any link provided on social media. It’s better to take a step back and think first, understanding that there are plenty of wolves hidden under sheep skin in the world (and even more so on a faceless-shameless environment).

[o_e_l_e_o]

Fake and phishing sites will always exist. Warning people about each one as and when they pop up is useful, but it doesn't address the underlying issue: Why are people so careless?

It's a fairly basic security practice to not follow random links that show up on Google or social media, and it's very basic to know not to enter personal details in to such websites. Pretty much every website to do with wallets tells you not to enter your seed phrase anywhere. The Ledger website says it. The paperwork which comes with the Ledger says it. Ledger Live says it when you first initialize your wallet. And yet people keep falling for nonsense like this.

When it comes to storing money, at least take the time to read and understand the basic instructions to protect yourself from making simple but costly mistakes like this one.

[CryptopreneurBrainboss]

I do understand security should be a personal business but that doesn't mean the advertisment big houses should show less concerned towards the safety of its users. What stop Google from reviewing every ad to reject potential harmful ones before they approved them for display.

Browsing through sites you will encountered hundreds of ad usually associate with Google AdSense which could be dangerous to devices or wallets. Somehow I feel this ad platforms are not doing enough to protect its users. If they were doing enough couple with the extra personal security measure from her users, we would had been recordings less number (or probably no number) of victims falling prey to this scams. Anyways good job OP creating this awareness.

[dkbit98]

I posted this info on Scam Accusations with more details
https://bitcointalk.org/index.php?topic=5185228.0

Also reported to Metamask and google/symantec

[Lucius]

Nothing new, users of hardware wallets are always targets of such attacks because this might be the easiest way to get all coins from the wallet which is very well protected from almost everything, except for the human stupidity associated with ignorance.

More then a month someone starts posting a link on Reddit with the fake tool to check seed words, and this attack is still in progress. Seed words should be only typed on the hardware device, and only in case it is necessary to get private keys for some reason, we can use tool from iancoleman on clean PC in offline mode. After that, we should consider that seed compromised.

[bitmover]

It is amazing how people are willing to buy BTC, invest in a hardware wallet and never read anything about Bitcoin security and how it works.

How someone just go and type their seed in a random website?

when I bought my first BTC I read lots of different tutorials and Reddit/bitcointalk posts To be sure I wasn't doing anything wrong...

Maybe hardware Wallets should come with some basic instructions. I don't remember but I think my ledger came with some basic intructions like "don't share your seed with anyone"
But a better warning like " never type your seed in a computer" would be better.

[o_e_l_e_o]

Maybe hardware Wallets should come with some basic instructions. I don't remember but I think my ledger came with some basic intructions like "don't share your seed with anyone"
But a better warning like " never type your seed in a computer" would be better.

Every Ledger device comes with a "Recovery sheet" for users to record their 24 words on. There are various versions, but all contain something along the following lines:
"These informations are uniquely linked to your wallet and you should be the only one to have access to them."
"Confidential 24 word recovery phrase"
"Store your recovery sheet in a secure place"
"Confidential - do not disclose"

Both the Ledger website set up guide and the Ledger Nano instruction manual state:
"Never ever share your 24-word recovery phrase, in any form, with anyone."
"Never enter your recovery phrase on any device other than your hardware wallet."
"Never take a picture of the 24-word recovery phrase."

In addition, when you initialize your device with Ledger Live, you get the following warnings:
"Carefully secure your 24-word recovery phrase out of sight."
"Make sure you are the sole holder of your recovery phrase."

The warning not to share your seed is on the paperwork that comes with the device, displayed on screen when you use it for the first time, in the instruction manual, and on their website. I'm not sure there is anywhere else they could possibly put it other than inscribing it on the device itself. If people still choose to ignore these instructions and enter their seed on random websites, then the fault lies with them, not with Ledger.

[bob123]

How someone just go and type their seed in a random website?

The problem is that people hear that a hardware wallet is extremely secure. So they go and buy one feeling too comfortable and secured.

And once they encounter a problem, they (again) listen to anyone proposing a solution.
Especially in such a situation where you think you might have lost all of your money, there is a lot of stress and adrenaline. You might not think about everything as detailed and usually.. and follow simple advices in the hope to recover your money. Even if this requires you to enter your mnemonic code into a website which looks legit.

But of course.. if someone really learns a lot about how to secure BTC, this person won't give away his mnemonic code.. ever.
Especially newbies are not aware of the importance of the mnemonic code. Explanatory work would be the only thing which would really help.

[bitmover]

The problem is that people hear that a hardware wallet is extremely secure. So they go and buy one feeling too comfortable and secured.

And once they encounter a problem, they (again) listen to anyone proposing a solution.
Especially in such a situation where you think you might have lost all of your money, there is a lot of stress and adrenaline. You might not think about everything as detailed and usually.. and follow simple advices in the hope to recover your money. Even if this requires you to enter your mnemonic code into a website which looks legit.

But of course.. if someone really learns a lot about how to secure BTC, this person won't give away his mnemonic code.. ever.
Especially newbies are not aware of the importance of the mnemonic code. Explanatory work would be the only thing which would really help.

Yes, this is what happens

Some users do not try to understand that the secure lies on "seed never leaves the device". And they go and paste seed in Gmail Drafts, phsiing websites....

It is amazing how people create advanced devices with high security technology, to keep the seed in the device, in a way it cannot be discovered even if you plug the device in an infected computer... and someone goes and type the seed.

....then the fault lies with them, not with Ledger.

Of course, you are correct.

(I thought you were@LoyceV. Now we will have 3 twins here)

[Lucius]

As far as I know, Ledger is using English language on their site, and I do not see any other language to select. It's no secret that a good portion of users has a very poor understanding of English, so they are not even aware of these warnings. How else to explain completely illogical actions by some users, but as a result of misunderstandings arising from language barriers.

It would be very helpful if hardware wallets manufacturers send some basic instruction at least in several of the world's most important languages.

[DdmrDdmr]

<…>

I complete agree. They should consider making their web page language selectable. They should be able to see the countries they get their traffic and sales from, so it should be pretty easy to establish the necessary languages to add.

The official reseller for my country is Amazon (really Ledger through Amazon's logistics), and there they logically have the info in the local language, but that is not really enough. Nevertheless, warnings, latest news, technical guides and even Ledger Live are all in English, which is still a problem for proper comprehension for many.

[gentlemand]

As far as I know, Ledger is using English language on their site, and I do not see any other language to select.

I did not know this. Considering how much money their products control I find this unforgivable.

Much more importantly Ledger Live is still English only too. No one should have to be second guessing the setting they're about to change. It's not exactly Dr. Zhivago so paying for the correct translation of the modest bunch of sentences involved should not be breaking the bank.

I wonder how many here would be willing to use a Japanese or Greek language only hardware wallet.

[Lucius]

DdmrDdmr&gentlemand, we all know what a problem some users of this forum have with English language, so imagine if all instruction is on that language.  This can be maybe solved by using some translate tool (Google Translate), but it would be much better that two main hardware manufacturers make a multilingual website. I check Trezor site also, only English is available.

In addition to English, translation into Spanish, French, Russian would cover a good part of the world since most of Central and South American countries use Spanish (except Brazil), and French is still used in some of the former French colonies (Africa).