Users of Trezor cryptocurrency wallets were targeted by an elaborate phishing scam last week. The attackers sent their messages from a trusted email source by compromising an opt-in marketing newsletter hosted at MailChimp. Trezor announced on Twitter that MailChimp was allegedly compromised by “an insider targeting crypto companies.” MailChimp has not yet commented on the incident.
The phishing email was crafted as a fake security notification of a data breach at Trezor. The lure contained a link to reset credentials, which loaded a website that appeared to be associated with the Trezor.io domain due to the use of homographs. Once a user clicked on the link, they were redirected to a cloned Trezor site and application that looked identical to the real ones, because Trezor’s source code is shared as open source. Users were prompted to enter their credentials, which were then immediately stolen and used for theft of assets from the Trezor platform.
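A defender-side check for the homograph trick described above, as an added example that is not part of the original article: it reduces a hostname to an ASCII skeleton and flags names that only look like trezor.io. The confusables table and the sample hostnames are constructed for illustration; a production check would use the full Unicode confusables data.

```python
import unicodedata

PROTECTED = "trezor.io"  # the domain named in the article

# Constructed subset of cross-script lookalikes (assumption: production code
# would load the full Unicode confusables data instead of this short table).
CONFUSABLES = {
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
}

def to_unicode(label):
    """Decode one DNS label from its xn-- (punycode) form, if it has one."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: keep the raw text
    return label

def skeleton(domain):
    """Reduce a hostname to the ASCII string a reader would perceive."""
    labels = [to_unicode(l) for l in domain.strip().rstrip(".").split(".")]
    text = unicodedata.normalize("NFKD", ".".join(labels)).casefold()
    # Drop combining marks (accents, dots below), then map known lookalikes.
    return "".join(CONFUSABLES.get(c, c) for c in text if not unicodedata.combining(c))

def classify(domain, protected=PROTECTED):
    """Return 'legitimate', 'homograph' or 'unrelated' for a hostname."""
    plain = domain.strip().rstrip(".").lower()
    if plain == protected or plain.endswith("." + protected):
        return "legitimate"
    skel = skeleton(domain)
    if skel == protected or skel.endswith("." + protected):
        return "homograph"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the incident.
    for host in ["suite.trezor.io", "tr\u1eb9zor.io", "tr\u0435z\u043er.io", "example.org"]:
        print(f"{ascii(host):32} {classify(host)}")
```

ASCII-only lookalikes, such as digit-for-letter substitutions, are outside what this check covers.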