DdmrDdmr (OP)
Legendary
Offline
Activity: 2534
Merit: 11078
There are lies, damned lies and statistics. MTwain
|
|
November 28, 2020, 08:54:03 PM Last edit: February 15, 2021, 12:54:10 PM by DdmrDdmr Merited by suchmoon (4), khaled0111 (1), Chikito (1), kotajikikox (1), Upgrade00 (1), Coyster (1), Charles-Tim (1), Sled (1), Smartvirus (1), Dave1 (1), CryptoYar (1) |
|
Carry on phishing attempts after data breach.
Some Ledger customers have started to receive today a new phishing SMS, with the following pretext (or similar) (*):
Name Surname Withdrawl request from new Device (IP China, Macau). Edit or Cancel details: ledger[dot]com-device[dot]id73457[dot]app/activity
The Id does not seem to be unique per recipient, as I’ve seen a couple of different people receive the same message (and played round with the URL to see if another number led to the site).
The URL takes you to a fake Ledger site, where, once you select your model, it asks you to plug in your device. No real need to though. It then leads you on to the following screen:
No need to say what will happen if anyone proceeds to provide the above information...
See: https://www.reddit.com/r/ledgerwallet/comments/k2tb69/unknown_withdrawal_request_sms/
(*) I have not seen any prior message on the forum reporting this specific URL provided in the received SMS.
|
|
|
|
Upgrade00
Legendary
Offline
Activity: 2254
Merit: 2399
Playgram - The Telegram Casino
|
|
November 28, 2020, 09:16:20 PM |
|
For those not aware: earlier this year the Ledger website was hacked, exposing sensitive details of a number of users to a malicious third party - https://news.bitcoin.com/crypto-hardware-wallet-firm-ledger-hacked-one-million-customer-emails-exposed/
The breach was solved, but the information was already exposed, and those details are now being used to carry out personalized phishing attempts. I could not find any news about the affected users being messaged and warned of their data leak in order for them to take precautions and disregard any unsolicited messages, as some of them could have likely missed the publication. I assumed this would be safe practice to protect victims of the hack.
|
|
|
|
|
|
|
abdulodoi
Member
Offline
Activity: 91
Merit: 35
|
|
November 28, 2020, 09:22:10 PM |
|
This is now a massive attack on Ledger users which is quite tricky. Seeing they've tried multiple times to steal from Ledger users, most people won't fall for this. Ledger still needs to alert their users appropriately about these phishing attempts and also things to look out for to be safe. I ordered and received my Ledger Nano two days ago and haven't even opened it, waiting for all these scamming attempts to blow over first.
People just need to be very alert, especially when a phishing email/text is sent to them. They need to always triple check these things.
|
|
|
|
khaled0111
Legendary
Offline
Activity: 2744
Merit: 3096
Top Crypto Casino
|
|
November 28, 2020, 10:17:36 PM |
|
I assume the attackers got the customers' mobile numbers from the recent data breach! This sounds more dangerous than the email phishing attack. Phishing SMS are less common and most users aren't aware of such attacks, so I expect many will be tricked this time. Seriously, the Ledger team has to do something to stop this but I don't know how they are going to reach out to more than 1 million customers!
|
|
|
|
boyptc
|
|
November 29, 2020, 05:32:19 AM |
|
I own a Ledger but luckily I haven't received that kind of sms.
As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Thanks for the up.
|
|
|
|
AB de Royse777
Legendary
Offline
Activity: 2702
Merit: 4184
Campaign Manager. My Telegram @Royse777
|
|
November 29, 2020, 08:38:39 AM |
|
I own a Ledger but luckily I haven't received that kind of sms.
As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Thanks for the up.
It's the after effect of the hack. Ledger users are receiving emails, receiving SMS from scammers and I suspect these scammers are the same people who hacked their database and sold it in black-market.
|
|
|
|
Coyster
Legendary
Offline
Activity: 2240
Merit: 1322
Playbet.io - Crypto Casino and Sportsbook
|
|
November 29, 2020, 10:14:42 AM |
|
As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Of course, but the thing is at least one or two people will prolly click the link, maybe those who were not aware of the data breach or those who don't really verify information when they receive them, but just go ahead to trust it; I know ledger owe it to their customers to make sure they keep them abreast with information and follow up if their data was leaked to the black market and warn them to be on the look out for phishing attempts, but users as well, should take responsibility and avoid clicking random links without proper verification, after all a hw wallet doesn't automatically mean you should forget security protocols as any little folly of yours would still amount to your funds being gone.
|
|
|
|
mk4
Legendary
Offline
Activity: 2940
Merit: 3883
📟 t3rminal.xyz
|
|
November 29, 2020, 10:22:57 AM |
|
Heads up to those receiving these SMS messages and emails: since the mobile numbers and SMSs have leaked, it's most likely just going to get worse from here. It'd probably be wise to already change email addresses and mobile numbers.
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2450
Merit: 7639
|
|
November 29, 2020, 01:45:22 PM |
|
That's what you get when you pay for a Ledger device. You basically gave your data, phone number and address to scammer hackers, and even paid them to do it, because Ledger founders are amateurs working in some village garage. I sent them an email asking about this issue and I only got a stupid automatic machine generic answer, and they are deleting and locking many topics on Reddit, like this one OP posted for example.
|
|
|
|
DdmrDdmr (OP)
Legendary
Offline
Activity: 2534
Merit: 11078
There are lies, damned lies and statistics. MTwain
|
|
November 29, 2020, 02:43:42 PM |
|
Ledger claimed back in July that, besides the 1M breached emails, there was an additional subset of 9.500 customers, whose personal data was also exposed (name, surname, postal address, phone, purchases). Those 9.500 customers allegedly received a dedicated specific email to state the above.
I can attest that either the above email protocol was not carried out properly, or what’s much more likely, Ledger is not aware of, or has covered up, the real extent of personal data records breached. There are multiple reports of people that state not receiving the dedicated email, and yet did receive one or multiple nominal phishing attempts. I include myself amongst these.
|
|
|
|
boyptc
|
|
November 30, 2020, 09:14:15 AM |
|
I own a Ledger but luckily I haven't received that kind of sms.
As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Thanks for the up.
It's the after effect of the hack. Ledger users are receiving emails, receiving SMS from scammers and I suspect these scammers are the same people who hacked their database and sold it in black-market.
Yeah, for sure they were the same people.
As long as those receivers of that phishing SMS won't entertain and click the link it has attached, they'll be fine.
Of course, but the thing is at least one or two people will prolly click the link, maybe those who were not aware of the data breach or those who don't really verify information when they receive them, but just go ahead to trust it; I know ledger owe it to their customers to make sure they keep them abreast with information and follow up if their data was leaked to the black market and warn them to be on the look out for phishing attempts, but users as well, should take responsibility and avoid clicking random links without proper verification, after all a hw wallet doesn't automatically mean you should forget security protocols as any little folly of yours would still amount to your funds being gone.
I just hope that no one would ever click the link even those people who are not aware of the breach. I'm sure that many Ledger owners are responsible and won't bite on those baits.
|
|
|
|
joniboini
Legendary
Offline
Activity: 2408
Merit: 1807
|
|
November 30, 2020, 11:16:20 AM |
|
There are anti-phishing extensions for browsers that may help protect against such tricks. Everyone is free to install them.
Most of the time they depend on a database, so if a new website is not yet included in the database it might be useless. The best protection is to be aware of the phishing e-mail/message and just ignore it.
|
|
|
|
DdmrDdmr (OP)
Legendary
Offline
Activity: 2534
Merit: 11078
There are lies, damned lies and statistics. MTwain
|
|
December 06, 2020, 07:29:41 PM Last edit: December 06, 2020, 08:19:45 PM by DdmrDdmr |
|
Today’s new Smishing wave bears the following message:
Your hardware wallet has been deactivated. Due to the new KYC regulations, you are required to pass verification: ledger[dot]com[dot]device[dot]id[dot]nnnnnn[dot]app/verification
Where "nnnnnn" is a six figure digit, which I’ve yet to see if it is customized or generic. The subsequent screens on the site are the same as described in the OP (I've only seen the error code change at the top of the page, in relation to the one shown in the OP).
Again, the numeric id does not seem to be personal (I've tried a bunch of different numerical variants that do not result in a valid domain), but I can’t attest to that as an empirical fact. As more reports roll in over the internet, I’ll be able to contrast the reported ID in the domain.
KYC of all the lame excuses, being used as a move to action …
|
|
|
|
|
DdmrDdmr (OP)
Legendary
Offline
Activity: 2534
Merit: 11078
There are lies, damned lies and statistics. MTwain
|
|
December 16, 2020, 09:35:04 AM |
|
Yep, these phishing attempts are now the never-ending story. I saw one on my spam folder this past weekend, with a content similar to this:
From: ledger Alerts noreply@ledger.com-m31-email-m6-encryption.rk28-email-ssl.cloud
Your Ledger Hardware Wallet has been deactivated. Unfortunately, due to the new KYC policy, you are required to confirm your identity: https[colon]//docs[dot]google[dot]com/document/d/e/2PACX-1vQjTM5NpOsIYz97qt6Bv8fdTUfMBReCqiBkilPtyKxqN5BSuGVEa7wWF5butVwiI-y1h-qN7oTMKCur/pub?embedded=true
Ledger Verification Team W67PT8Q04WK-994
The above wasn’t the exact content I received (the above content was reported on Reddit). The sender is different, the inner link is also different, and the Team reference differs. I haven’t seen the above case reported too widely on the internet, so again, we can be sure they are using variations of the content, but not certain about whether these variations are meant to be nominal/personal or just different batches.
Additionally, I was referenced in my spam-blocked email in the BCC field, being able to see the intended main recipient’s email in full (likely therefore, another Ledger customer). This means that, likely, any email may have been included as recipient or BCC, giving cross-visibility to other leaked emails.
|
|
|
|
abdulodoi
Member
Offline
Activity: 91
Merit: 35
|
|
December 16, 2020, 10:12:07 PM |
|
This is just getting even more ridiculous. Attacks on Ledger users keep happening concurrently now and sometimes Ledger sends warning emails about phishing attempts late to their users, hence several gullible users will fall prey to this scam. Any email that requests private keys, recovery phrases, passwords and PINs is obviously fake and people should always be alerted about it.
|
|
|
|
DdmrDdmr (OP)
Legendary
Offline
Activity: 2534
Merit: 11078
There are lies, damned lies and statistics. MTwain
|
|
December 28, 2020, 09:45:44 AM Merited by Lucius (1), Dave1 (1) |
|
Now the scammers are using the phone list to perform a cross-product smishing attempt. Specifically, the SMS that has recently been sent out stated:
"You have received 0.08155120 BTC, please login and confirm: HTTPS[colon]//BLOCKCHAlN [dot]IO"
Not only is the domain (IO) not the official domain, but also if you take a closer look, you’ll see (just about) that the "I" in the domain name is really a lowercase "L", that is slightly taller than the "I" -> "Il" (the former is a capital I, whilst the latter is a lowercase "L"). One more thing to be wary of …
|
|
|
|
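An added example (not part of any post in this thread): a Python check for the two tricks reported so far, the brand domain used as a prefix of someone else's domain and a look-alike label such as BLOCKCHAlN. The `OFFICIAL` set, the verdict names and the last-two-labels rule are assumptions of this sketch; the sample strings are the ones quoted in the posts above.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains the reader treats as genuine (not a vendor-supplied list).
OFFICIAL = ("ledger.com", "blockchain.com")

# Characters that look alike in many SMS/e-mail fonts, folded to one representative.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

def refang(text):
    """Undo the [dot]/[colon] defanging used in the quoted messages."""
    text = re.sub(r"\s*\[dot\]\s*", ".", text, flags=re.I)
    return re.sub(r"\s*\[colon\]\s*", ":", text, flags=re.I)

def host_of(link):
    """Lower-cased host of a URL, a bare host/path, or an e-mail address."""
    link = refang(link.strip())
    if "://" not in link:
        link = "//" + link  # gives urlsplit a netloc; any "user@" part is dropped
    return urlsplit(link).hostname or ""

def registrable(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def skeleton(label):
    return label.lower().translate(CONFUSABLE)

def classify(link):
    host = host_of(link)
    reg = registrable(host)
    if reg in OFFICIAL:
        return "official"
    for brand in OFFICIAL:
        # Brand domain appearing as a prefix or label of a different domain.
        if re.search(r"(^|[.-])" + re.escape(brand) + r"([.-]|$)", host):
            return "brand-in-subdomain"
        # Second-level label that reads like the brand once look-alikes are folded.
        if skeleton(reg.split(".")[0]) == skeleton(brand.split(".")[0]):
            return "lookalike-label"
    return "unrelated"

SAMPLES = [  # strings as quoted in the thread (defanged)
    "ledger[dot]com-device[dot]id73457[dot]app/activity",
    "ledger[dot]com[dot]device[dot]id[dot]nnnnnn[dot]app/verification",
    "noreply@ledger.com-m31-email-m6-encryption.rk28-email-ssl.cloud",
    "HTTPS[colon]//BLOCKCHAlN [dot]IO",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):20} {registrable(host_of(s)):22} {s}")
```

A link hosted on a legitimate service, such as the Google Docs URL quoted earlier in the thread, comes back as `unrelated`, so a hostname check of this kind does not cover redirect chains.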
Smartvirus
Legendary
Offline
Activity: 1652
Merit: 1157
Playbet.io - Crypto Casino and Sportsbook
|
|
December 28, 2020, 10:31:04 AM |
|
"You have received 0.08155120 BTC, please login and confirm: HTTPS[colon]//BLOCKCHAlN [dot]IO
Not only is the domain (IO) not the official domain, but also if you take a closer look, you’ll see (just about) that the "I" in the domain name is really a lowercase "L", that is slightly taller than the "I" -> "Il" (the former is a capital I, whilst the latter is a lowercase "L"). One more thing to be wary of …
I see that now by just comparing this Original : Fake (IO : lO) (Il). It's just right there in plain sight and it tells how clever these scammers can be in hiding little details in plain sight. A skill that could be put in web designing though, the pay is relatively low but how good you are gets you in on the job.
Ledger is so going to be losing a lot of customers if this menace to their system isn't properly handled and should a more competitive platform come along. Ledger users have now got to cut down the services they require based on details needed for verification. You just don't have to give too much details to a third party platform.
|
|
|
|
Dave1
|
|
December 29, 2020, 02:15:46 AM Last edit: November 18, 2023, 02:19:21 AM by Dave1 |
|
Latest: thompsonxeexx30@gmail.com.
Sample email that you are going to receive, so it's a Google Docs now.
But after you click the Google Docs, you will be redirected to:
And again, redirecting you to the fake and phishing Ledger site:
Source
So this one is utilizing Google Docs and then several redirections, which might confuse Ledger users and make them think that this is legit.
|
|
|
|
DdmrDdmr (OP)
Legendary
Offline
Activity: 2534
Merit: 11078
There are lies, damned lies and statistics. MTwain
|
|
December 29, 2020, 08:44:29 AM |
|
There are probably no better phishing/smishing/sim swapping/marketing lists out there than Ledger’s leaked set of files (email, orders); certainly not for free as these now are.
Those phones and emails are going to be hit time and time again with all sorts of pretexts. There’s currently a new one on about claiming your (alleged) Bitcoin SV, which is likely ending up in the spam folder. Very likely they are targeting the Ledger email list with the Bitcoin SV excuse, not referencing the Ledger event in order to add another vector of attention and bait.
|
|
|
|
|