Get Informed


Trezor Cryptocurrency Wallet Users Attacked by Fake Breach Scam

Users of Trezor cryptocurrency wallets were targeted by an elaborate phishing scam last week. Attackers gained a trusted sending source by compromising Trezor's opt-in marketing newsletter hosted at MailChimp. Trezor announced on Twitter that MailChimp was allegedly compromised by “an insider targeting crypto companies.” MailChimp has not yet commented on the incident.

The phishing attack was crafted as a fake security notification of a data breach at Trezor. The phishing lure contained a link to reset credentials, which led to a website whose domain appeared to belong to Trezor because it used homograph characters. Once a user clicked on the link, they were redirected to a cloned Trezor site and application that looked identical to the real one because Trezor's source code is openly shared. Users were prompted to enter their credentials, which were then immediately stolen and used to steal assets from the Trezor platform.

Analyst Notes

The use of homographs remains a dangerous technique employed in phishing and other social engineering attacks. For example, a Cyrillic “a” character looks similar to the Latin alphabet “a” but has a different underlying Unicode representation. Organizations can detect and alert on the use of such characters in domain names and email URLs in order to prevent these attacks. Moreover, recommending that users always navigate to the true website via their own saved bookmarks or search engine results would make customer interactions more secure than having users trust links sent via email.
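As an added illustration of the detection the analyst notes recommend (this is example code written for this page, not tooling from the incident or from Trezor or MailChimp), the following script extracts URLs from message text, decodes any punycode (`xn--`) hostname labels, and flags labels that contain non-ASCII letters or mix Unicode scripts. The sample email and the lookalike hostname (an "a" replaced with Cyrillic U+0430) are constructed for the example; the hostnames, function names and regular expression are this example's own choices.

```python
import re
import unicodedata
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample (not from the incident): one legitimate link, one lookalike
# host whose "a" is Cyrillic U+0430, and the same lookalike in punycode form,
# which is how a mail gateway or proxy log would usually carry it.
LOOKALIKE_HOST = "w\u0430llet-reset.example"
PUNYCODE_HOST = LOOKALIKE_HOST.encode("idna").decode("ascii")
SAMPLE_EMAIL = (
    "Security notice: a data breach may have exposed your account.\n"
    "Read the advisory: https://support.example/advisory\n"
    f"Reset your credentials: https://{LOOKALIKE_HOST}/reset\n"
    f"Mobile link: http://{PUNYCODE_HOST}/reset\n"
)


def script_of(ch):
    """Return the script family of an alphabetic character ('LATIN',
    'CYRILLIC', ...), taken from the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_unicode_host(host):
    """Decode punycode (xn--) labels so a lookalike hidden behind ASCII is
    inspected in its displayed form. Hosts that are not IDNA-encoded are
    returned unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def analyze_host(host):
    """Return findings for one hostname: labels containing non-ASCII letters
    and labels that mix more than one script."""
    findings = []
    decoded = to_unicode_host(host)
    for label in decoded.split("."):
        letters = [c for c in label if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        non_ascii = [c for c in letters if ord(c) > 0x7F]
        if non_ascii:
            codepoints = ", ".join(f"U+{ord(c):04X}" for c in non_ascii)
            findings.append(
                f"{host}: label '{label}' contains non-ASCII letters ({codepoints})"
            )
        if len(scripts) > 1:
            findings.append(
                f"{host}: label '{label}' mixes scripts {sorted(scripts)}"
            )
    return findings


def find_homograph_urls(text):
    """Extract URLs from message text and return (url, findings) for every
    URL whose hostname looks like a homograph."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if not host:
            continue
        findings = analyze_host(host)
        if findings:
            results.append((url, findings))
    return results


if __name__ == "__main__":
    for url, findings in find_homograph_urls(SAMPLE_EMAIL):
        print(url)
        for finding in findings:
            print("  ALERT:", finding)
```

Decoding punycode before inspection matters because mail clients and logs often carry the ASCII `xn--` form, where the Cyrillic character is invisible to a naive non-ASCII check; the mixed-script rule also catches lookalikes built from characters that are individually legitimate. In production the same check would run on the hostnames that the mail gateway or web proxy already logs, with an allowlist for internationalized domains the organization genuinely uses.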