It would not make sense if the device itself prompted him to visit a fake website, I don't know how the attacker would mess with the device itself that way... What are the chances he bought a counterfeit Ledger or the Ledger box as altered so we would visit the fake website after going through the setup.
If we are going to believe his unbelievable story, then the chances of him having bought a fake device are 100%. A legit Ledger HW does not communicate with you and tell you what software to install and which websites to visit. It doesn't tell you there is a new app update, LL update, or firmware update. You check that yourself.
A ledger with 3rd-party firmware can't connect to the official Ledger Live app servers. So, he couldn't have passed the onboarding process, installed the crypto apps, generated the seed, etc. The other possibility is that he used a genuine device with fake firmware and with a fake Ledger Live app. Of course, we can't rule out that the whole story is just a big lie.