- New email phishing scam posing as Ledger detected
- The emails claim that the user's Ledger wallet seed phrase was compromised and ask for confirmation.
- Users who provide the seed phrase lose all their money.
Criminals are trying to steal cryptocurrency by posing as hardware wallet company Ledger and sending phishing emails.
Victims reported receiving emails purporting to be from Ledger and claiming that their seed phrase (also known as a recovery phrase or mnemonic seed) is compromised. To protect their digital belongings, victims are invited to “verify the security” of the recovery phrase through the “secure verification tool.”
The email comes with a “Verify my recovery phrase” button that takes people through an AWS website to a “ledger-recovery[.]info” domain. There, users can enter their recovery phrase, which is then saved on a server and transmitted to the attackers.
Provide the correct data
A recovery phrase is used to load the contents of a cryptocurrency wallet onto a new device or a new software wallet. It usually comes as a series of 12 or 24 random words. Whoever has access to this phrase also has access to the funds, so it is absolutely essential that it remains offline, hidden and never shared with anyone.
To make sure they get the real deal, the scammers built several safeguards into the phishing page. The site only accepts the 2,048 valid words that can make up a mnemonic phrase. Additionally, regardless of what the user enters, the page responds that the seed phrase is incorrect, which will likely prompt victims to re-enter it and thus confirm to the attackers that they have provided the correct information.
Phishing emails used to have poor grammar and spelling and could usually be identified by clumsy, amateurish writing. With the introduction of generative AI, that is no longer the case. In this case, however, the clue was in the email address, as the message came from the email marketing platform SendGrid. Additionally, the link redirects through an Amazon AWS website, which should also be a red flag.
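The indicators described above (a brand display name on a non-brand sender, a bulk-mail platform in the Return-Path, and a link hopping through AWS to a lookalike domain) can be checked mechanically on incoming mail. The following is an added example, not code from the article or from Ledger; the brand domain, mailer list, cloud-host suffixes and the sample message are all constructed assumptions, and the lookalike domain uses a placeholder TLD.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumptions for this example: the brand's genuine domain, bulk-mail platforms
# whose bounce domains merit scrutiny, and cloud hosts used as a redirect hop.
# None of these lists comes from the article.
LEGIT_DOMAINS = ("ledger.com",)
BULK_MAILER_DOMAINS = ("sendgrid.net",)
CLOUD_HOP_SUFFIXES = (".amazonaws.com",)

# Constructed sample message carrying the three indicators the article names:
# a "Ledger" display name on a non-Ledger sender, a bulk-mailer Return-Path,
# and a link that hops through AWS to a lookalike domain (placeholder TLD).
SAMPLE_PHISH = """\
From: Ledger Support <bounces@em123.example-sendgrid.net>
Return-Path: <bounce@sendgrid.net>
Subject: Your recovery phrase may be compromised
Content-Type: text/html

<p><a href="https://bucket.s3.amazonaws.com/go?u=https://ledger-recovery.example/verify">Verify my recovery phrase</a></p>
"""

def _is_legit(host):
    """True for the brand domain itself or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def _domain(header_value):
    """Domain part of the address in a From/Return-Path header, lowercased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def phishing_indicators(raw_email):
    """Return the list of indicator tags found in an RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags = []
    display_name, _ = parseaddr(msg.get("From", ""))
    if "ledger" in display_name.lower() and not _is_legit(_domain(msg.get("From", ""))):
        flags.append("brand-name-sender-mismatch")
    if _domain(msg.get("Return-Path", "")) in BULK_MAILER_DOMAINS:
        flags.append("bulk-mailer-return-path")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in re.findall(r'href="([^"]+)"', body):
        outer = urlparse(url)
        # the outer host plus any URL carried in a query parameter (redirect target)
        inner = [v for vals in parse_qs(outer.query).values() for v in vals if v.startswith("http")]
        for host in [outer.hostname or ""] + [urlparse(u).hostname or "" for u in inner]:
            if host.endswith(CLOUD_HOP_SUFFIXES):
                flags.append("cloud-hosted-redirect")
            if "ledger" in host and not _is_legit(host):
                flags.append("lookalike-domain:" + host)
    return flags
```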
It's impossible to know how many people (if any) fell for it, but those who did lost their money permanently.
Via BleepingComputer