Security Vulnerability: Ledger Nano X and Ledger Nano S

[big_daddy]

I’ve just recived this mail

It’s a scam

Do not open and download anything

[1715131026]

1715131026

[1715131026]

1715131026

[1715131026]

1715131026

[chaoscoinz]

Thanks, it seems like more and more scam emails make their way into my inbox sneaking past my spam filter. I think I recieve crypto related emails due to being naive and siging up for crypro related newsletters.
  I try to unsubscribe but I have a sneaking suspicion by unsubscribing by clicking on the link, I may open myself to further exploiting through phishing.
  That's usually how social engineering goes,  they entice with money or women. .

[Pearls Before Swine]

Thanks for the warning.  I'm just curious as to how these scammers got your e-mail in the first place.  I have a ledger nano s and as far as I can recall I've never given them my e-mail addy or any other identifying information, and that would be because they've never asked me for it.  If I got an e-mail like the one you posted I would know right away it was a phishing attempt, and if it wasn't obvious from that fact I certainly wouldn't expect a link from them to download some tool that sounds like it was developed by scammers. 

That explanation in the e-mail of what they say is wrong sounds like so much technical gobbledygook that I hope nobody falls for it.  There may be some basis for the entropy blah blah blah in how the ledger works, but it just sounds like a phisher trying way too hard to sound legit.

[big_daddy]

I donno where my mail came in their list, I am a Ledger user and also an affiliate, maybe it’s something wrong with their mailing lists
Anyway, fisrt I’ve checked their twitter, reddit, and saw no info regarding that, and so I decided to warn the whole community

[boltz]

It doesn't look like an official mail coming from the Nano ledger team so don't open it. Also you did the best job coming here and make a thread to make everyone aware of this and I hope this will get attention as soon as possible from most of the users. I use ledger too and I haven't receive it so I think your mail somehow got into a list of a database. Can you make a list of the last sign ups you've used with your mail ?  

Don't open it , I want to repeat myself on this. Seems that scammers got a pretty big data base of nano users.

[LeGaulois]

It's spam for sure. The latest email you're supposed to receive from Ledger is about their latest hardware edition. (Get the Ledger Nano X Limited Edition before it’s gone…)

When spammer target people they don't care if you are a customer or not. They try their luck between millions of emails. It's like when you receive an email alert from a bank in which you never got an account...

ofc ignore it.

[Ailmand]

It seems that there had been a lot of scam e-mails lately. Good thing that I don't give too much attention on spam e-mails or even any announcements via e-mail, not download any updates or click links sent via e-mail. Be cautious guys, scammers are finding different ways to earn easy money.

[franky1]

this topic should be named scam warning spoofing ledger emails
that said.
an actual security vulnerability is the fact when you plug in a ledger and you use a webbrowser interface, the interface may not be from ledger but a phishing site with a pretend 'problem with ledger, please re-type in your seed to reset'. whereby your seed then goes to scammers

so be careful if ever asked to type in your seed

[pakhitheboss]

Now you will be receiving more of such spam and scam email as your email address has been now compromised. It is better to always check the senders email address before taking any actions whenever you recieve such emails. Most of the time the senders email will have Yahoo or gmail address. If they send it using the same domain name then it will be spelt incorrectly. Such minute checks can help us.

[abel1337]

Ledger wont ask for your email in the first place, So its basically a spam email that tends user to open that and take advantage on them.

Basically don't open this kind of suspicious emails even it pretend to be a big name.

Hackers tend to do some new methods to make their penetration successful, Its good that OP post it before someone will get scammed from this forum.

[hello_good_sir]

Thanks for the warning.  I'm just curious as to how these scammers got your e-mail in the first place.  I have a ledger nano s and as far as I can recall I've never given them my e-mail addy or any other identifying information, and that would be because they've never asked me for it.  If I got an e-mail like the one you posted I would know right away it was a phishing attempt, and if it wasn't obvious from that fact I certainly wouldn't expect a link from them to download some tool that sounds like it was developed by scammers. 

That explanation in the e-mail of what they say is wrong sounds like so much technical gobbledygook that I hope nobody falls for it.  There may be some basis for the entropy blah blah blah in how the ledger works, but it just sounds like a phisher trying way too hard to sound legit.

Have you seen the service threads out there that offer databases of crypto emails? There used to be bounties that collected email addresses, and they were open for anyone, very easily a bunch of them could have been compiled into a list.

They could have also gotten them from other database breaches, etc.

It just looks like a regular spam email that's actually made pretty well. Did the email hit your spam indox or was it in your primary inbox? What email address is it from? Usually, emails from spoofed addresses that have like a letter different get flagged by your service provider.

[Lucius]

I donno where my mail came in their list, I am a Ledger user and also an affiliate, maybe it’s something wrong with their mailing lists

I am also Ledger user and affiliate, but I did not receive such an email for now, so I doubt there is some leakage of data from Ledger. Any activity that involved giving the email address to which you received this mail is very likely to blame for this.

The only tool that is legitimate to use is Ledger Live software which is taken from the official site, so even though it must be admitted that hackers are very imaginative in this case, for those with some experience, these kinds of things are pretty harmless. What anyone who has received such mail can do is report it as spam, this way, such mail will go directly to the spam folder.

[Pmalek]

@big_daddy
Is that email that you received it on public? Do you take part in bounties with that email and has it been used to signup for airdrops or does it appear in some google form posted by a bounty?

I am asking because Lucius is a Ledger user, I also have a Ledger device, but we didn't receive anything similar. Nowhere during the installation and setup process of a Ledger wallet are you required to enter an email address, unless you sign up to their newsletter, ambassador program etc. 
 

[o_e_l_e_o]

I'm just curious as to how these scammers got your e-mail in the first place.

Because people generally use one email for everything, and give that email out freely without a second thought to their own security. This is particularly a problem in crypto, when users give out their email to exchanges, services, web wallets, slack, discord, telegram, ICOs, airdrops, faucets, bounties, and anyone else who asks for it. The vast majority of ICOs/airdrops/bounties and complete scams, and all of the services I've mentioned have been hacked, and these scammers/hackers have no issue with selling lists of email addresses to anyone who wants them, including other scammers. I own several Ledger devices and haven't received an email like this to any of my email addresses because I pay attention to my own security.

Someone on reddit who received the email uploaded the .exe file to virustotal. Teeming with malware: https://www.virustotal.com/gui/file/ec61d516b476ea8ecd688364a25135a07b3fd5cf4536dc33ea58c1a5ecb8b1f8/detection

Even if the terrible English, poor grammar, and spelling mistakes weren't enough to tip you off, you should never be blindly downloading files or following links sent to you in an email. Period.

[big_daddy]

@big_daddy
Is that email that you received it on public? Do you take part in bounties with that email and has it been used to signup for airdrops or does it appear in some google form posted by a bounty?

I am asking because Lucius is a Ledger user, I also have a Ledger device, but we didn't receive anything similar. Nowhere during the installation and setup process of a Ledger wallet are you required to enter an email address, unless you sign up to their newsletter, ambassador program etc. 
 

Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops

It’s good to know that other Ledger users didn’t recieve this mail cause that can be a proof that nothing inside the Ledger system has been hacked or list leaked

Anyway, I am very suspicious to any mail I get on my private inbox, cause hackers are all around us, and I’m verifing every link before click on it

[jerry0]

Wait, if you open the email, there is no issue right?  Its only if you download or click on something in the email right?  Im close to certain that is the case but why some ppl say don't open the email?


So basically you download this, you got malware/trojan/virus on your laptop right?  What if its an iphone?


But this can't hack your hardware wallet though righ?

[o_e_l_e_o]

Wait, if you open the email, there is no issue right? Its only if you download or click on something in the email right?

Correct.

So basically you download this, you got malware/trojan/virus on your laptop right?

Correct.

What if its an iphone?

If I remember correctly, I'm pretty sure this particular piece of malware was for desktop only. That's not to say you couldn't infect your iPhone with malware attached to an email though, if you downloaded and ran it without thinking.

But this can't hack your hardware wallet though righ?

Also correct. The whole point of a hardware wallet is that it can be used with an infected device without compromising your keys or your coins. The most that malware could do would be to try to generate malicious transactions - as long as you are double checking what shows up on the screen of your hardware wallet, and only confirming transactions which you authorized with the correct address and amount, you are safe.

Having said that, that is based on current knowledge. It is entirely possible that some hardware wallets have a vulnerability which could leave them vulnerable to a malware attack like this that we simply don't know about.

[bob123]

Wait, if you open the email, there is no issue right? Its only if you download or click on something in the email right?

Correct.

This might be the case with this email, but is not always true.

There are ways to infect a device by simply opening an email. Of course this requires some conditions to be fulfilled, but nonetheless it is possible.
The very least you could do is to gather information about the target opening the email (e.g. IP address, browser used, OS, etc..). At least if you are not opening the email in plain text mode.

Oh, and btw.. A few years ago there was a bug in symantecs virus scanner.
It was enough to just receive a malicious email.
Usually the AV checks each incoming mail/attachement in a sandboxed environment. However, there was a bug which allowed an attacker to run code directly with root/administrator privileges on the victims computer.
You wouldn't even need to open the mail, simply receiving it was sufficient.


Usually, opening mails is fine to not get compromised. But it depends a lot on the mail client / browser / whatever you are using to open it.