New Ledger phishing mail targets individual users

[Pmalek]

A new and well-written Ledger phishing mail is circulating. What is special about this one is that it is not only well written but it also addresses you with your first name. It is not a mass mail delivered to thousands of email addresses, it has only one receiver and targets one particular recipient. That means that someone who has access to the leaked database of Ledger users is probably sending those mails. 

The scammer claims that malware was detected on Ledger servers and that your crypto assets could be stolen. Anyone who received the mail is affected according to the sender. The mail suggests to download the latest version of Ledger Live. There is a link to it in the email. Users are also told to set up a new pin.

Users of this forum are already experienced enough to recognize this type of scam, but it never hurts to keep an eye out.
The sender of the e-mail is: info@ledgersupport.io

My friend abroad who got my Ledger device delivered to his house sent me this screenshot.






 

[1713573189]

1713573189

[dkbit98]

Ledger is reckless and I am not at all surprised to see this, and I even said this was going to happen in July when that shit happened.

Now let's look how Ledger company values our privacy NOT.  

I did a small website domain search and I found something interesting here Ledger vs Trezor Tracking & Cookie privacy competition

This is not necessarily true. Someone could have access to another leaked database that includes your name, and are sending emails to every email in that database.

If your email is in a database for one major crypto company, there is a good chance that you will also receive mail from another major crypto company.

Dude, he clearly said it was email from his friend abroad who purchased Ledger for him.

[Pmalek]

@PrimeNumber7
No, that can't be the case here. It can only be the Ledger database that got leaked and here is why. The Ledger database contains my name but my friend's email address. That combination doesn't exist anywhere else, because I have never used his email together with my name, except when I purchased my Ledger. He was the one who received the package, and I registered his email so can be get updates and info about shipping, tracking, etc.

What is interesting is that users on different websites are reporting at least 2 different dates used as the alleged time when malware was discovered on the servers, but the rest of the email is the same.  

[Csmiami]

I have jsut received an SMS (lmao) from Ledger asking me to update the firmware because "the previous one has a bug". I was surprised that I had not received any email with the phishing attempt, because I had bought a couple of Ledgers back in April, but if no one else confirms they have received a similar message, I think it's safe to assume that they divided the database in 2 to try to reach to more people using different methods?

PS: I assume it's a phishing attempt because the website it asks me to check is https://ledger.legalwebsite (most likely my phone cut the link)

[dkbit98]

Ledger company is total bullshit and (no)actions from them after hack/leak they had in July silenced almost all of their supporter or should I say blind believers in this forum
Everyone who purchased their shit is now bombarded with emails and sms messages, and they still don't admit relations with July hack.
How more stupid they can be, or they just think all their customers are stupid.

[LeGaulois]

shit inside

You're lying

They did take actions after the breach, what did you expect from them? To call the army? To send a message to Jesus Christ to come back and punish the culprit?

- They informed the CNIL since the french law requires to do it in such a situation
- They filled a complaint to the authorities
- They informed the customers concerned

Legally, they did everything they needed to do.

As a reminder, it concerned the eCommerce data and had no impact on devices security or whatever

Audited their system with the help of Orange Cyberdefense, still monitoring some stuff, and without posting details here they're taking some others steps


How can you say no action is taken? FYI, no everyone "who purchased their shit" is bombarded with email/SMS. Check your facts before

[dkbit98]

You're lying and full of shit

Thank you for kind words Ledger worshiper  

I see deluded Ledger believers are still alive, or maybe you are part of stinky Ledger team?

Please show me where they said that all data from customers have been stolen including phone numbers, emails, full names and addresses?

They care more about fucking Bcash and Roger Ver

Here is your fucking shit website:


https://archive.vn/2C1LX

Eat that fork shit and bon appétit


Let's look at official statement from July:
  

Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.

https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

I should believe them that 1 million email addresses is exposed, but only 9500 with other data? Yeah right...

[btcwish1]

I received the email today. To be brutally honest, at first glance I thought it was authentic and was sent from Ledger!.

The email is really convincing and copies all the styles and formatting of the original emails from the ledger company. I then checked the 'download' link and then i realized it's a phishing email because the link is clearly not from ledger!.

I am sure lot of innocent newbies will fall for this very phishing email  SIGH

[LeGaulois]

...

You're truly full of shit. Funny how now you try to twist the problem you stated. You stated no action has been taken since and I showed otherwise and this is the main point

Check their blog perhaps. I also believe it was stated in the emails sent to customers. And surely all over the web mentioning this news

I see deluded Ledger believers are still alive, or maybe you are part of stinky Ledger team?

it doesn't interest any user here and there is no point in trying to change the direction of the discussion


Talking about the blog's post regarding Btrash, did you at least read it? Perhaps you should before posting a stupid argument

[bob123]

People receive phishing mails all the time.
What is the big deal with this one?

Just because you bought a ledger and receive a ledger phishing mail?
Customers of coinbase also receive phishing mails "from coinbase". Customers of the bank of america also receive phishing mails.

Checking an email for authenticity is not too hard.
Already the senders address ledgersupport.io is enough to expose that mail as a phishing attempt.
If people don't even check the senders address, then they can be bribed into doing anything via email. They would fall for the classical nigerian prince. Nothing you can do to help those people. They got to learn it the hard way.

[Csmiami]

----

Even if I do agree with everything that has been said, most phishing attempts are usually generic and idiotic most of the times; in this particular case, attacks are targeted, because the scammers had access to the database of the company. And apart from that, there's many things on how the company has handled the situation that are questinable to say the least.

First of all, they did claim that only 9.500 out of 1.000.000 users had more than the email leaked; or that is what I understand here:

This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products

This is, at least for me, hard to believe. Number seemed too low in comparison, but whatever. Then, there's this:

Those 9500 customers whose detailed personal information are exposed will receive a dedicated email today to share more details.

Surprise surprise; I've checked back all the emails Ledger sent me around that time, and besides the general email (saying the same that the blog entry says), I did not receive any "dedicated email", but what I have received is a SMS addressing me by the name I provided to the company at the time I made my only purchase to them. This leads me to believe that I was between those alleged 9.500 users, but was never notified.

Now, at no moment I'm saying that people shouldn't be careful when opening links and stuff, and I know there are many ways of getting somehow dedicated phishing attempts; mostly because bad internet browsing habits, but this is a different case. And again, we are not discussing the quality of the attempt.

I will also add that I'm seeking some legal advice to see if I can open a claim against Ledger for the way they've had handled things. First of all, I consider a company that sells hardware wallets should have an above average cybersecurity protocols/development/call it the way you want to call it. It's true that we are human and they can, as any other company can, get hacked and have customer data leaked; but the way they've handled it... that what really bothers me. Once I receive some kind of answer from my advisor, I will either simply update this post, or if there's something that can actually be done, I may create a whole thread just to let affected people know.

[dkbit98]

People who are defending company Ledger in this case are probably paid shillers and should not be trusted at all.
Let's hope enough people will sue Ledger for not keeping data safe, and exposing all to hackers.
Their lack on care and privacy for customers can also be seen on their website that is full of adds and trackers:


https://themarkup.org/blacklight?url=www.ledger.com

I will also add that I'm seeking some legal advice to see if I can open a claim against Ledger for the way they've had handled things. First of all, I consider a company that sells hardware wallets should have an above average cybersecurity protocols/development/call it the way you want to call it. It's true that we are human and they can, as any other company can, get hacked and have customer data leaked; but the way they've handled it... that what really bothers me. Once I receive some kind of answer from my advisor, I will either simply update this post, or if there's something that can actually be done, I may create a whole thread just to let affected people know.

I fully support you here.
Better to react now than to wait for them to mess up something more serious like firmware for example.
They need to be much more serious, and not act like bunch of junkies from garage.

My conclusion is that I will never again recommend Ledger wallet to anyone, and will tell people to use alternatives like Trezor.

[Pmalek]

Surprise surprise; I've checked back all the emails Ledger sent me around that time, and besides the general email (saying the same that the blog entry says), I did not receive any "dedicated email", but what I have received is a SMS addressing me by the name I provided to the company at the time I made my only purchase to them. This leads me to believe that I was between those alleged 9.500 users, but was never notified.

That is worrying. That can mean that they either don't know what was leaked and in what quantities, or they are lying about it so as not to cause further harm to themselves and potentially lose customers.

Another thought. Those official messages that Ledger sent to their users informing them about the security breach, could have been marked as spam by your email client. In that case they would be deleted by now. Hotmail, for example, deletes spam messages after 10 days, but I am not sure if they move them to the trash bin or if they get removed entirely. You say that you checked now, but a lot of time has passed. You don't remember seeing any at the time?  

I will also add that I'm seeking some legal advice to see if I can open a claim against Ledger for the way they've had handled things.

I would be interested to learn what you find out.

[Csmiami]

That is worrying. That can mean that they either don't know what was leaked and in what quantities, or they are lying about it so as not to cause further harm to themselves and potentially lose customers.

Nothing that would actually surprise me; if the leak was of close to 1.000.000 customers, and EVERYONE was affected, can you imagine the bad press, and even panic that would come? It wouldn't matter that the wallet related information or stuff was still safe, they'd be facing many many loses.

Another thought. Those official messages that Ledger sent to their users informing them about the security breach, could have been marked as spam by your email client. In that case they would be deleted by now. Hotmail, for example, deletes spam messages after 10 days, but I am not sure if they move them to the trash bin or if they get removed entirely. You say that you checked now, but a lot of time has passed. You don't remember seeing any at the time?  

Altough possible, that is highly unlikely. I have a mail tab always open in one of the monitors I have, and I check every inbox everyday.

[o_e_l_e_o]

Surprise surprise; I've checked back all the emails Ledger sent me around that time, and besides the general email (saying the same that the blog entry says), I did not receive any "dedicated email", but what I have received is a SMS addressing me by the name I provided to the company at the time I made my only purchase to them. This leads me to believe that I was between those alleged 9.500 users, but was never notified.

Possibly. Or possibly your email address was enough to de-anonymize you. Between publicly viewable information on Google, Facebook, Instagram, Twitter, LinkedIn, etc., and a variety of private database hacks and leaks, often an email address is more than enough to find all your personal details. Have you used that email elsewhere? Is it the same email you use for crypto exchanges or services in which you have completed KYC?

First of all, I consider a company that sells hardware wallets should have an above average cybersecurity protocols/development/call it the way you want to call it. It's true that we are human and they can, as any other company can, get hacked and have customer data leaked; but the way they've handled it... that what really bothers me. Once I receive some kind of answer from my advisor, I will either simply update this post, or if there's something that can actually be done, I may create a whole thread just to let affected people know.

I wish you luck, and I completely agree that Ledger should have better security in place, but I suspect you will get nowhere. There are plenty of far more egregious hacks, leaks, and vulnerabilities in the crypto space, including huge losses of money and losses of far more personal information, including KYC data and scanned documents, all of which have resulted in no action against the companies responsible. In terms of how Ledger handled it; what would you have had them do differently? As LeGaulois has said above, they took all reasonable steps following the breach.


This serves to highlight that your personal information is your responsibility. If you give it to anyone, even companies you trust or think you can trust, even security related companies, even huge reputable exchanges, you are putting it and yourself at risk.

[Csmiami]

-----

Wooops, this post did slip trough the cracks, sorry for the late reply....

First of all, no; altough possible it's highly unlikely that the email used was enough to deanonymize me, as I use different addresses for personal and crypto stuff (addresses in plural) and never mix them up. I had never before used that email together with the phone number or the name I provided to Ledger, so I'm pretty confident that the leak came from them.

Now, I don't know how I would've handled that if I was Ledger, because I have little to no idea about personal data handling regulations. I know however, that if they claimed to only have 9500 affected users, and I was not between those users but now it turns out I am; there is something that they have not done correctly; and that's exactly what I'm after.

[Lucius]

Now, I don't know how I would've handled that if I was Ledger, because I have little to no idea about personal data handling regulations. I know however, that if they claimed to only have 9500 affected users, and I was not between those users but now it turns out I am; there is something that they have not done correctly; and that's exactly what I'm after.

I think Ledger manipulated the numbers a little (maybe a lot), and also that there may have been omissions when sending alerts via email. What is the case with me on Gmail (and confirmed by others) that many legitimate Ledger emails end up in a spam folder - did you perhaps check there? Of course now it's probably too late for that, because at least in the case of Gmail such emails are deleted automatically after 30 days.

As for the SMS, can you tell us from which network/country it was sent? Most smartphones have the function of blocking calls and messages from a certain number, maybe the attacker uses the same number so some could block it in advance.

[Csmiami]

What is the case with me on Gmail (and confirmed by others) that many legitimate Ledger emails end up in a spam folder - did you perhaps check there? Of course now it's probably too late for that, because at least in the case of Gmail such emails are deleted automatically after 30 days.

Altough likely, it's quite improbable because I regularly, not to say daily, check all my inbox folders on every email.

As for the SMS, can you tell us from which network/country it was sent? Most smartphones have the function of blocking calls and messages from a certain number, maybe the attacker uses the same number so some could block it in advance.

I wish I could; I don't know if it's a feature from my phone or something the sender set up, but the only thing I see in the sender info is "LEDGER". No number, nothing else.

[Pmalek]

What Lucius mentions is certainly possible. It would be interesting to see if there are more cases like Csmiami, where users never received that additional email from Ledger, but somehow ended up receiving spam/phishing SMS messages. And what are the email providers they used.

A few years ago at work, I stopped receiving work-related emails to one of my Hotmail accounts. Other colleagues who weren't using Hotmail, received them just fine. After discussing the issue with my team, I decided to switch from Hotmail to Yahoo, because most of them connected their Yahoo accounts. It never happened again.

When I was using Hotmail, the emails stopped coming altogether. They weren't sent to my spam folder. I didn't get them at all.      

[Lucius]

I wish I could; I don't know if it's a feature from my phone or something the sender set up, but the only thing I see in the sender info is "LEDGER". No number, nothing else.

I have to admit that it was quite naive of me to think that those behind this attempt at phishing would not protect themselves, and this is definitely possible if you use one of the many services that offer anonymous texting. Many years ago I used such services to prank my friends, and now they are used for some much more serious things. The option I have on my smartphone allows me to block all messages or calls coming from an unknown sender, but although it has its advantages, it can also block a completely legitimate call or message.

The only thing left for us is to be careful and not click on the links that come to us in SMS and e-mail messages - and more importantly know that we never enter the seed anywhere else except in the hardware wallet itself.