❗ Warning - Ledger phishing emails and SMS ❗

[notblox1]

Please watch out for newest Ledger wallet phishing email from fake Ledger support, asking you to download and update.
Fake email used: info@ledgersupport.io

real ledger email: noreply@ledger.com

They probably used all emails they got from hack they had few months ago, and they sent them to everyone from their list.

Don't download or install anything!

They used website with letter ė with dot above:


https://i.imgur.com/7bBrVE1.png

Code:

https://ledgėr.com/
https://www.xn--ledgr-9za.com/

Domain name: xn--ledgr-9za.com
Registry Domain ID: 2567440131_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-10-22T03:48:00.00Z
Registrar Registration Expiration Date: 2021-10-22T03:48:00.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: email@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC

[1715091635]

1715091635

[1715091635]

1715091635

[1715091635]

1715091635

[jackg]

Ledger's website had its emails hacked? That doesn't sound very promising for what is essentially a cybersec firm...

It's disapointing I can't see. To use that email address to find anything related to the scam... (it's easy to just copy and paste when you get a suspicious email then).

[notblox1]

Ledger's website had its emails hacked? That doesn't sound very promising for what is essentially a cybersec firm...

It's disapointing I can't see. To use that email address to find anything related to the scam... (it's easy to just copy and paste when you get a suspicious email then).

Yes they had some July 2020 e-commerce and marketing data breach.
I can't be sure this is related with latest phishing, but else is everyone getting this emails.
Here is their explanation from July:
https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

[DdmrDdmr]

More than likely that the phishing campaigns is directly related to the data breach (perhaps not limited to). There’s a person on Reddit that claims he received it on an email that he created specifically for dealing with Ledger (purchase presumably: https://www.reddit.com/r/ledgerwallet/comments/jhrp95/is_this_mail_from_ledger_o_is_this_fishing/).

As people are commenting over the internet, the emails is well redacted, and is one of those that are not trivial to spot looking at neither the domain nor the grammar. The claim has a feasibility ring to it in the context of the breach, although one needs to be always wary and never download anything from an email, but rather always visit the original site (and not from a link on the email, if present).

I’m trying to find a report on the malware that get’s installed. My guess is that it could be some sort of RAT or a Ledger Live clone, but the latter should prove rather more difficult to elaborate and set into motion.

Edit:
There’s an entry on the above provided Reddit link that states:

its freaking well done, u click on the link, it redirects u to the official ledger site, and at the same time automatically downloads of the scam ledger-live on the background --- newbies will fall for it, ledger should immediately send out an email

Ledger is being slow displaying information on their site about this specific phishing attempt, specially after their past data breach. The only thing I've found is this, and is generic and prior to this attemp (5 day old blog post):
https://www.ledger.com/ongoing-phishing-campaigns

Edit2: The fake Ledger Live may be asking you to change your pin, and (classic here), requiring your 24 mnemonic in order to do so (see https://peakd.com/ledger/@hatoto/your-ledger-wallet-may-be-compromised-ledger-phishing -> Google translate the last big paragraph).

If I had clicked the link and downloaded the software, I would have downloaded a malicious software update for Live Ledger. If I had installed this, I would have been asked to change the PIN of my hardware ledger after the start. This is only possible by entering my 24 secret words. This would have given the hackers my 24 secret words with which they could have fed their own hardware ledger so that they would actually have access to my credit.

[jackg]

Yes they had some July 2020 e-commerce and marketing data breach.
I can't be sure this is related with latest phishing, but else is everyone getting this emails.
Here is their explanation from July:
https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

Wow! They've had at least 1 million customers, thats surprising to me.

And yeah I guess this could've been due to employees having to work from home or something too during the pandemic (and sometimes ecc is slow for certain operations).

[Smartvirus]

one needs to be always wary and never download anything from an email, but rather always visit the original site (and not from a link on the email, if present).

This is the part that gets most anxious users with a need to be quick in getting out of the lame light into trouble. It makes you elude all the critical steps to determining the authenticity of the email and link.

Again, Ledger expresses a lot of uncertainty in the data breach they experienced lately as contained in this statement;

''On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation. A week after patching the breach, we discovered It had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."
https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

It's very possible that they are yet to be certain on other areas or length to which the breach was reached as it is by a bounty researcher that discovered an raised alarm of this on 14th June and again another was discovered on the 25th July. A complete swipe should be done on all aspect of their services not only the e-commerce section of not done already.

[khaled0111]

There’s an entry on the above provided Reddit link that states:

its freaking well done, u click on the link, it redirects u to the official ledger site, and at the same time automatically downloads of the scam ledger-live on the background --- newbies will fall for it, ledger should immediately send out an email

Is it possible to compromise the whole server through an API key?
Either the attacker succeeded to inject some malicious codes into their databases or that user clicked on the fake link which redirects to a completely different server:
Warning: phishing website!

They used website with letter ė with dot above:


https://i.imgur.com/7bBrVE1.png

With ~1M leaked emails, certainly there will be many victims!

[OcTradism]

They used website with letter ė with dot above:


https://i.imgur.com/7bBrVE1.png

It is a punnycode  (homograph) phishing attack. Scammers use it to steal password, get access to accounts and withdraw funds. Punycode and how to protect yourself from Homograph Phishing attacks?

If a person logs in account on a phishing site, their account will be compromised but if email and 2FA application are logged in and stored on a different device, fund in compromised account can not be withdraw. Hackers or phishers can not get access to email, and 2FA application then 2FA code for confirmation of suspicious IP address or to confirm withdrawals.

Unfortunately many people store all eggs on a single device: exchange accounts (login, password), email (always login), 2FA application. If that device is compromised, they will lose money.

[libert19]

This seems legit af, I wouldn't be surprised if someone fell for it.

[Lycan70]

I'm recieving many emails daily, my solution is deliting it without opening the suspescious emails. I once been a victim of phishing emails like this so I am fully aware of it.

[notblox1]

bump.

This thing is still active and customers are still getting fake Ledger phishing emails!

Now they are using new phishing domain legder.com

Code:

support@legder.com

https://twitter.com/CriptoMonedasTV/status/1321165145985503234


https://twitter.com/mrJX43042525/status/1321153680469561345

[notblox1]

People are now getting SMS messages telling them to go to phishing Ledger sites like Ledger(.)media or Ledger(.)report or Ledger(.)legal !

They probably have all customers phone numbers from ledger database hack that happened few months ago.

[Pmalek]

More than likely that the phishing campaigns is directly related to the data breach (perhaps not limited to).

It sure is. I wrote about it in the hardware wallet section. My friend who received the parcel with my Ledger received the same type of email. The email got sent to him but they address me with my first name. I added my identity information when I filled out the purchase form. Another combination with my name and his email address doesn't exist.

Ledger is being slow displaying information on their site about this specific phishing attempt, specially after their past data breach. The only thing I've found is this, and is generic and prior to this attemp (5 day old blog post):
https://www.ledger.com/ongoing-phishing-campaigns

They are busy preparing for the BCH hard fork, so they don't have much time to handle such trivial things as the security of their users and their funds

They made a series of security and phishing-related tweets. I guess that's the best we can get from them.
https://twitter.com/Ledger/status/1320741436258766849

[DdmrDdmr]

If anyone want’s to take a look at the screens and specifics that these fake Ledger phishing attempts leads to, the link below provides them for a couple of recent cases:

a)   Using a backdoored capped Ledger Live application.
b)   Web-based site, redirected from those SMS messages people have been receiving.

see: https://www.proofpoint.com/us/blog/threat-insight/persistent-actor-targets-ledger-cryptocurrency-wallets

[Mr.right85]

Even the various phone and laptop programmers have programmed these devices on default to allow downloads and installation from only safe sources such as Google play store but, in other to make maximum use of our so called xender, we go as far as changing the do not allow default settings to allowing installation from unknown sources.
All these because, we hope to save ourselves the time of downloading and data too. While we forget that, this small negligence can cost us more in the future.

[OcTradism]

Even the various phone and laptop programmers have programmed these devices on default to allow downloads and installation from only safe sources such as Google play store

Google Play is not safe. They don't investigate applications too deep and careful before they accept listing applications on Google Play. It is less safe than Apple Store and on Google Play you will meet many fake applications.

If you want to find apps or want to download any crypto apps, go to official sites and get links to download it on Apple Store or Google Play. Don't search with app stores or with Google search.

Officially visit websites & download apps, not fake ones.

[taufik123]

Even the various phone and laptop programmers have programmed these devices on default to allow downloads and installation from only safe sources such as Google play store

Google Play is not safe. They don't investigate applications too deep and careful before they accept listing applications on Google Play. It is less safe than Apple Store and on Google Play you will meet many fake applications.

If you want to find apps or want to download any crypto apps, go to official sites and get links to download it on Apple Store or Google Play. Don't search with app stores or with Google search.

Officially visit websites & download apps, not fake ones.

Google play store is not too safe and don't trust 100% with the applications in it. because there are several fake applications that have been successfully entered and downloaded by many users.

The best and safest way is to download the application via the official website because there will be an embedded link and can be downloaded safely. but be careful of phishing websites and the like.

About the posts described by the OP regarding Email Legder and SMS phishing can be avoided if you stay alert and pay attention to every email detail and embedded link. Email will usually go to the SPAM folder

[mixerbtc]

New users, keep this in mind! Never share your password with anyone, regardless of what they say. When accesing a site where you enter sensible data, don't click on hyperlinks. Navigate to it by yourself!