Author Topic: {WARNING} FAKE Trezor website - Phishing Attempt!  (Read 176 times)
PhoenixZephyrus (OP)
Full Member
***
Offline Offline

Activity: 155
Merit: 102


View Profile
January 28, 2021, 01:05:47 PM
Last edit: January 28, 2021, 02:19:46 PM by PhoenixZephyrus
Merited by DdmrDdmr (2), The Cryptovator (2), Pmalek (1), aoluain (1)
 #1

A fake website is trying to lure people in with phishing attempts, pretending to be the website of the crypto wallet, Trezor. Their URL looks just like the original one, except for the accent at the bottom of the letter "e", which many users might not notice. Please try staying away from this website, and check the URL and always check for HTTPS encryption (this website is not encrypted and thus shows up as "Not Secure" in most browsers).

Please see the difference here:



The first one (FAKE) doesn't have the padlock, which indicates HTTPS encryption, which means that the first site is not secure. Also, when pasting that fake link into a notepad, the plaintext comes out to be:
Code:
http://xn--trzor-k0a.io/

This is actually the URL of the website. This is a kind of attack where Unicode characters are used to disguise the real letters. This is also common with Russian characters; a lot of them look similar but are actually different from the English characters that are used in URLs. Another common thing it's used for is spoofing "l" with "I", as they look similar in a lot of fonts (actually, most of the sans serif fonts). You can read more about this attack here: IDN Homograph Attack (Wikipedia)

I thought of warning the community, as any beginner wanting to purchase a Trezor hardware wallet might get scammed and phished if they are redirected to this URL by clicking on a link on any website. Stay vigilant, people.

Reddit post that brought the issue to my notice: https://www.reddit.com/r/hacking/comments/l6snf7/url_manipulation_on_phishing_site_never_seen_this/
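
The decoding described in the post above, as an added example that is not part of the original thread: it turns the `xn--` form back into the characters a browser would display, names each non-ASCII character, and checks whether the host folds down to a domain on a watchlist. The function names, the small Cyrillic lookalike map and the watchlist are assumptions made for this illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small map of Cyrillic letters that render like
# Latin ones; a real deployment would load the Unicode confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
}


def to_unicode(url_or_host):
    """Return the host name with every xn-- (Punycode) label decoded."""
    host = urlsplit(url_or_host).hostname or url_or_host
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label for the report
        labels.append(label)
    return ".".join(labels)


def skeleton(url_or_host):
    """Fold accents and known lookalikes so visually similar names collide."""
    out = []
    for ch in unicodedata.normalize("NFKD", to_unicode(url_or_host)):
        if unicodedata.combining(ch):
            continue  # drop the accent mark, keeping the base letter
        out.append(CYRILLIC_LOOKALIKES.get(ch, ch))
    return "".join(out)


def inspect_host(url_or_host, protected):
    """Describe a host and name the protected domain it imitates, if any."""
    shown = to_unicode(url_or_host)
    odd = [(ch, unicodedata.name(ch, "UNNAMED")) for ch in shown if ord(ch) > 127]
    folded = skeleton(url_or_host)
    # A match on the folded form that is not an exact match is a lookalike.
    imitates = next((p for p in protected if folded == p and shown != p), None)
    return {"displayed": shown, "non_ascii": odd, "imitates": imitates}


if __name__ == "__main__":
    watchlist = ["trezor.io"]  # the legitimate domain named in the thread
    samples = [
        "http://xn--trzor-k0a.io/",  # URL quoted in the post above
        "https://trezor.io/",        # legitimate site
        "tr\u0435zor.io",            # constructed: Cyrillic letter in place of Latin e
    ]
    for sample in samples:
        print(sample, "->", inspect_host(sample, watchlist))
```
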
Pmalek
Legendary
*
Offline Offline

Activity: 2702
Merit: 6996


Farewell, Leo. You will be missed!


View Profile
January 28, 2021, 01:44:42 PM
Merited by hugeblack (2), PhoenixZephyrus (1)
 #2

This is also known as a Homograph attack or Punycode phishing. It can be detected and you can configure your browser to display the original site and not the fake version.

wwzsocki has written about this in great detail. You can find his thread below:
Punycode and how to protect yourself from Homograph Phishing attacks? 

HTTPS encryption means nothing nowadays. You can purchase cheap SSL encryptions for a few dollars. The best thing to do is to type the site manually in the browser and bookmark the legit version. Never rely on Google searches, especially on Google ads, to take you to a site where you are required to enter private or financial information.

DdmrDdmr
Legendary
*
Offline Offline

Activity: 2254
Merit: 10605


There are lies, damned lies and statistics. MTwain


View Profile WWW
January 28, 2021, 03:40:42 PM
 #3

Pretty classical. As soon as you start moving around the site, you’ll find that not much occurs until you click the "I already own Trezor" link. From there on, it states that your device’s data is corrupt (seemingly determined through clairvoyance), and proceeds to ask for your 12 or 24 mnemonic word seed. I chose the former to leave a light hearted message to the scammers (12 slang words seem easier than coming up with 24).

Site is recent:
Code:
https[colon]//www.name.com/whois-lookup/xn--trzor-k0a[dot]io

PhoenixZephyrus (OP)
Full Member
***
Offline Offline

Activity: 155
Merit: 102


View Profile
January 28, 2021, 03:48:02 PM
 #4

Quote
Pretty classical. As soon as you start moving around the site, you’ll find that not much occurs until you click the "I already own Trezor" link. From there on, it states that your device’s data is corrupt (seemingly determined through clairvoyance), and proceeds to ask for your 12 or 24 mnemonic word seed. I chose the former to leave a light hearted message to the scammers (12 slang words seem easier than coming up with 24).

Yes, this seems like a half-assed attempt at best, but still that is enough to fool some less tech-savvy users; if they see enough of this link, some might think it's legit and put their actual seed into this. The website on its own is pretty shoddily designed, but I guess they don't see much point in that, as if someone can be fooled by these websites, most probably they do not have enough technical know-how to find these flaws.
pakhitheboss
Hero Member
*****
Online Online

Activity: 2058
Merit: 734


Top Crypto Casino


View Profile WWW
January 28, 2021, 04:05:43 PM
 #5

Quote
This is also known as a Homograph attack or Punycode phishing. It can be detected and you can configure your browser to display the original site and not the fake version.

I am sorry to say but it is not required if your browser is up to date. The next thing you can do is download the Firefox browser; it comes with these anti mechanisms.

Quote
wwzsocki has written about this in great detail. You can find his thread below:
Punycode and how to protect yourself from Homograph Phishing attacks?
HTTPS encryption means nothing nowadays. You can purchase cheap SSL encryptions for a few dollars. The best thing to do is to type the site manually in the browser and bookmark the legit version. Never rely on Google searches, especially on Google ads, to take you to a site where you are required to enter private or financial information.

HTTPS means secure in Google terms. It does mean a lot if you are making a purchase or dealing with fiat. Please do not say it does not mean anything.

aoluain
Legendary
*
Offline Offline

Activity: 2198
Merit: 1240



View Profile
January 28, 2021, 04:59:26 PM
 #6

They are still at it, and will continue to catch people out.
It is very helpful to post this and make as many people aware of such
scams. Unfortunately though I'm sure people have fallen already to
this scam.

Simple things can be done by everyone before clicking links:
Double check the name, i.e. Trezor
and address, i.e. Trezor.io
Verify from the official website
Always be sceptical
Every time you want to open your wallet treat it like someone is watching you
and wants to scam you

I posted something similar back in 2019, I came across a fake AD
on a Google search.

You can see the FAKE AD was listed on top of the OFFICIAL Trezor search result,
the address was just slightly different, they had trIezor




bL4nkcode
Copper Member
Legendary
*
Offline Offline

Activity: 2142
Merit: 1305


Limited in number. Limitless in potential.


View Profile
January 28, 2021, 05:23:05 PM
 #7

Punycode characters are really a thing when they're used in phishing website URLs. But a normal user of Trezor cannot be fooled by such a trick when it asks for the 12 or 24 recovery seed.

I reported it on Namecheap; they are of much help regarding phishing websites on their end, so it will not take that long before it gets shut down.
The Cryptovator
Legendary
*
Offline Offline

Activity: 2184
Merit: 2165


Need PR/CMC & CG? TG @The_Cryptovator


View Profile WWW
January 28, 2021, 06:27:35 PM
 #8

I see, I thought it was impossible to use characters other than English ones for a domain name. But to check, I now have to visit Namecheap and try to search for a domain with the "ё" character. But it seems there is an available domain. It was surprising to me since my thought was wrong. I must say, it is an easy way to divert newbies. Sometimes they would get confused and fall into the trap. Our minds do not always work well, and that's an advantage for scammers.

Anyway, anyone who is capable of using a hardware wallet has at least some basic knowledge, such as about scams (IMO). So, I don't think any existing user will hand over their seed phrase there.

passwordnow
Hero Member
*****
Offline Offline

Activity: 2884
Merit: 570


Leading Crypto Sports Betting & Casino Platform


View Profile
January 28, 2021, 08:25:30 PM
 #9

I've seen that character also with other reports which were also being used for phishing Binance users.

Quote
You can see the FAKE AD was listed on top of the OFFICIAL Trezor search result,
the address was just slightly different, they had trIezor

I searched for the same keyword through Google but it seems to be taken down already.

PhoenixZephyrus (OP)
Full Member
***
Offline Offline

Activity: 155
Merit: 102


View Profile
January 29, 2021, 03:32:26 AM
 #10

Quote
Anyway, anyone who is capable of using a hardware wallet has at least some basic knowledge, such as about scams (IMO). So, I don't think any existing user will hand over their seed phrase there.

I've seen many inexperienced and new users come to this forum and ask about hardware wallets first thing, when it is clear that they are pretty new to crypto, so yeah, there's still a decent chance someone could fall for something like this, although this is by no means a well-done attempt.
Husna QA
Legendary
*
Offline Offline

Activity: 2212
Merit: 2833


View Profile WWW
January 29, 2021, 04:39:17 AM
Last edit: May 18, 2023, 06:33:05 AM by Husna QA
 #11

Quote
You can see the FAKE AD was listed on top of the OFFICIAL Trezor search result,
the address was just slightly different, they had trIezor

Many phishing sites place advertisements on Google like that, not only those that resemble the Trezor site but also others such as Electrum (https://bitcointalk.org/index.php?topic=5090319.msg55799554#msg55799554).
To avoid the phishing website advertisement, I use an ad blocker (choose a trusted one). And it can be beneficial to minimize the appearance of phishing sites when using a search engine like Google.



Pmalek
Legendary
*
Offline Offline

Activity: 2702
Merit: 6996


Farewell, Leo. You will be missed!


View Profile
January 29, 2021, 09:46:03 AM
 #12

Quote
I am sorry to say but it is not required if your browser is up to date. The next thing you can do is download the Firefox browser; it comes with these anti

I haven't checked if all browsers have this setting automatically enabled and when they enabled it by default. But just to be safe, the network.IDN_show_punycode line in your about:config in Firefox should be set to True as wwzsocki explained in his thread.

Quote
HTTPS means secure in Google terms. It does mean a lot if you are making a purchase or dealing with fiat. Please do not say it does not mean anything.

It doesn't mean as much as you believe it does. Yes, it means that the communication and information shared between your computer and a server is secure and can't be intercepted by a third party in an unencrypted form, but it doesn't mean that a website with an SSL certificate is safe, can't be a phishing site or can't host malware. It also doesn't mean that the person running the site can't abuse and misuse the data sent to it.

Believing you are safe when browsing a SSL protected site nowadays is wrong. Like I said, cheap SSL certificates can be bought for a few bucks. That means that hackers, phishers, and other abusers can purchase such certificates cheaply.

PhoenixZephyrus (OP)
Full Member
***
Offline Offline

Activity: 155
Merit: 102


View Profile
January 29, 2021, 09:48:51 AM
 #13

Quote
HTTPS means secure in Google terms. It does mean a lot if you are making a purchase or dealing with fiat. Please do not say it does not mean anything.
It doesn't mean as much as you believe it does. Yes, it means that the communication and information shared between your computer and a server is secure and can't be intercepted by a third party in an unencrypted form, but it doesn't mean that a website with an SSL certificate is safe, can't be a phishing site or can't host malware. It also doesn't mean that the person running the site can't abuse and misuse the data sent to it.
Believing you are safe when browsing a SSL protected site nowadays is wrong. Like I said, cheap SSL certificates can be bought for a few bucks. That means that hackers, phishers, and other abusers can purchase such certificates cheaply.

That's true, but I only said so as that should probably be the first thing one checks, and it is a pretty easy check for the beginners. That should be the first indication to look for when someone wants to know if it's the wrong website. Sure, SSL doesn't mean as much as it used to, but checking that first makes sense, as if that doesn't check out, don't waste time checking other stuff. That's the first thing one should check if they stumbled upon this website.
aoluain
Legendary
*
Offline Offline

Activity: 2198
Merit: 1240



View Profile
January 29, 2021, 03:01:54 PM
 #14

Quote
I've seen that character also with other reports which were also being used for phishing Binance users.
You can see the FAKE AD was listed on top of the OFFICIAL Trezor search result,
the address was just slightly different, they had trIezor
I searched for the same keyword through Google but it seems to be taken down already.

It was taken down within 24 hours, I reported it to Google and I'm sure I wasn't the only one!

Some good advice above, unfortunately not everyone is cognisant of security at all times
or aware of https. Newbies in particular can and are getting caught out unfortunately.
