DNS Poisoning or BGP Hijacking Suspected Behind Trezor Wallet …

The team behind the Trezor multi-cryptocurrency wallet service has discovered a phishing attack against some of its users that took place over the weekend.

The Trezor team says “signs point toward DNS poisoning or BGP hijacking” as the means by which attackers hijacked legitimate traffic meant for the official wallet.trezor.io domain and redirected users to a malicious server hosting a fake website. An investigation is still underway to determine the exact cause.

Incident spotted after HTTPS certificate error

The incident came to light after users complained that they encountered an invalid HTTPS certificate when landing on Trezor’s web wallet portal.

An invalid certificate usually means that the website on which users landed was not the actual portal but someone posing as the Trezor website, who could not cryptographically prove to be the real site.
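An added example, not from the article or from Trezor, of the check a browser performs here written as a small monitor a defender could run against a wallet domain: it flags a hostname mismatch, a self-signed certificate, and a leaf certificate that differs from a pinned fingerprint. The sample certificates and the pinned value are constructed for illustration and are not Trezor's real values.

```python
import hashlib
import socket
import ssl
# Constructed pin for this example (hypothetical; not Trezor's real certificate).
GENUINE_LEAF_DER = b"constructed-genuine-leaf-der"
PINNED_LEAF_SHA256 = hashlib.sha256(GENUINE_LEAF_DER).hexdigest()

def san_matches(hostname, cert):
    """True if hostname matches a DNS subjectAltName; a wildcard covers one label only."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
            return True
    return False

def assess_certificate(hostname, cert, leaf_der, pinned_sha256=PINNED_LEAF_SHA256):
    """Indicators for a served leaf cert (getpeercert() dict + DER bytes); [] means OK."""
    findings = []
    if not san_matches(hostname, cert):
        findings.append("hostname-mismatch")
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    if subject == issuer:
        findings.append("self-signed")  # no trusted CA vouches for the name
    if hashlib.sha256(leaf_der).hexdigest() != pinned_sha256:
        findings.append("fingerprint-changed")  # not the pinned genuine leaf
    return findings

def check_live(hostname, port=443, timeout=5.0):
    """Fetch the cert actually served for hostname; a failed trust chain is itself a finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return assess_certificate(hostname, tls.getpeercert(), tls.getpeercert(binary_form=True))
    except ssl.SSLCertVerificationError as exc:
        return ["verification-failed: " + exc.verify_message]

GENUINE_CERT = {"subject": ((("commonName", "wallet.trezor.io"),),),  # constructed sample
                "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R3"),)),
                "subjectAltName": (("DNS", "wallet.trezor.io"), ("DNS", "*.trezor.io"))}
FAKE_CERT = {"subject": ((("commonName", "wallet.trezor.io"),),),  # constructed impostor
             "issuer": ((("commonName", "wallet.trezor.io"),),),  # issuer == subject
             "subjectAltName": (("DNS", "wallet.trezor.io"),)}
```

Note that the impostor can put any name in its SAN, so a hostname match alone proves nothing; the issuer check and the pin are what catch it.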

This error alerted the Trezor community, whose members quickly reported the incident to the Trezor team, who later confirmed the phishing attempt and warned users about the attack early on Sunday morning (US time zones).

Fake website had other problems

The Trezor team said they determined this was a legitimate phishing attack, and not just a random SSL server error (which happens from time to time), because they spotted two problems with the fake website.

The first was an error message that was worded differently from the original Trezor site, which told users that syncing data between their Trezor hardware wallet and their Trezor web account had failed.

Fake Trezor website

Second, the fake website was asking users to enter a copy of their “recovery seed,” something the Trezor team said it would never do.

Trezor says the manuals of its two wallet models, the One and the Model T, clearly state that users should never enter the recovery seed anywhere but on the Trezor device itself, and never on a computer (whether in an app or on a website).

This immediately gave the website away as a phishing attempt to harvest recovery seeds, which are codes that allow an attacker to take over Trezor accounts.

The Trezor team said it had the malicious site taken down after contacting its hosting provider.

It is too early to determine whether the attacker stole user funds, or to estimate how much was stolen.

In April 2018, a hacker or hacker group hijacked a crucial Amazon BGP route to perform a similar phishing attack, but against the domain of MyEtherWallet.com, a web-based Ether wallet app.

Article source: https://www.bleepingcomputer.com/news/security/dns-poisoning-or-bgp-hijacking-suspected-behind-trezor-wallet-phishing-incident/