Trezor Hardware Wallet Users Warned About Phishing Campaign
Hardware wallet titans Trezor sounded the alarm for their users today, July 1st, after they discovered a “clone of Trezor Wallet, tricking users to divulge their recovery seed.” The wallet makers have since published a blog post detailing the attack and how to avoid falling prey to such phishing attempts, but some users have unfortunately already reported having their crypto holdings swept by the phishers. It’s another reminder that vigilance is ever needed in the cryptoverse.
Trezor: ‘Verify All Actions on the … Screen’
Trezor, makers of the popular Trezor One and Trezor T hardware wallets, warned their users today about a new phishing campaign involving a “clone” wallet that had been used to steal funds.
PSA: Phishing. We have encountered a clone of Trezor Wallet, tricking users to divulge their recovery seed. Always check for a valid https connection while using https://t.co/rTfKn8bzIL.
The device itself can be trusted; make sure to verify all actions on the Trezor screen. pic.twitter.com/or8Lw6M265
— TREZOR (@TREZOR) July 1, 2018
The company first tweeted about the con, telling users to “Always check for a valid https connection” while using the wallet’s bridge site and to “verify all actions on the Trezor screen” — in other words, everything might look kosher online, but a double-check of the recipient address during a transaction will reveal if your transaction is maliciously being diverted to a wallet that’s not your own.
Hours later, the company followed up with a more in-depth blog post entitled “[PSA] Phishing Alert: Fake Trezor Wallet website.” In the post, the wallet makers explained that “DNS poisoning” or “BGP hijacking” were likely afoot:
“Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.
The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.”
As the company’s post progressed, they noted the other red flags that gave the con away:
“Upon accessing the web, the fake Wallet displayed an alert, asking the user to restore their recovery seed, due to memory damage. This was the second red flag, as the language used was incorrect.
[…] The third red flag was the method of recovery (seed check) — the fake site forces the user to enter both the order number as well as the seed word into the computer.”
In bringing up these sketchy factors, Trezor reiterated their previously published warnings to “never enter your recovery seed on a computer” for either of their wallet models. Any solicitation otherwise is to be treated as a bald-faced theft attempt.
Ensuring You’re at the Right Place
To safely access Trezor’s bridge site, the wallet maker’s team stressed in their follow-up post that users should check the browser’s address bar:
“[…] look for the ‘Secure’ sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)”
The wallet makers also noted the con in question had been “taken down by the hosting provider,” but the company asked that users continue to “report all suspicious sites”:
“At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future.”
For some, though, the take-down apparently came too late as funds have already allegedly been compromised. It’s yet another reminder that in the fledgling cryptoverse, users have to remain disciplined and vigilant to protect their holdings. This “Wild West” dynamic will surely give way as the space matures, but for now, the naive remain particularly vulnerable.