Ledger phishing attacks: from clones to malware

Davide Cioccia
2 min read · Dec 26, 2020

Background

Following the news of the latest hack targeting the Ledger database and the leak of millions of emails, phishing attacks have rapidly increased. According to Ledger, the leaked data does not contain any financial information, but the emails and personal information are already being used in targeted phishing campaigns, as we can see from the banner on their website.

Ledger has also started a counter-campaign to take down phishing websites called #StopTheSpammers. More details are available here:

Ongoing phishing campaigns | Ledger

The phishing attacks

We have been tracking the presence of the leaked Ledger data online over the last few days: most of the published archives have been proactively removed, while some are still available for download, as shown in the paste below, dated Dec 20th, 2020 (links have been cropped).

Three days after the leak, we had already detected many domains created to carry out phishing attacks, using different techniques including typo-squatted and Punycode (xn--) look-alike domains. We started actively investigating a few of the many domains:

ledger[.]com-login-authorization[.]app
ledger[.]com[.]login-verification[.]app
http://xn--ldr-krab5e[.]com/
https://xn--legde-9bb[.]com/ledger-live/download/

The phishing attacks that have been submitted to us start with a plain-text email containing the following text (URLs have been sanitized):

From: Ledger Alerts <noreply@ledger.com-ez29-server-33-secure.az26-s8-smtp.cloud>
Date: Wed, 23 Dec 2020 at 01:32
Subject: XG ZAAY2
To: <.....>

Your Wallet has been blocked.
You are required to verify your identity:
https://docs.google.com/document/d/e/2PACX-1vTlnW_iGFZ5IXXXXXXXXXXXXXXXXXXXXXXXXuuzJQMuPhseCByGZG2nS2CZuBLkb6dxPpBuyd/pub?embedded=true
Ledger Support Team.
6G3L-Q3QP0Q78LQ PL6649

Once the user clicks on the Google Doc link, Google shows the classic redirect notice, whose displayed text/address (ledger.com) is misleading, as shown below:

but the victim is actually redirected to the real phishing website:

https://www.google.com/url?q=https://ledger.com-login-authorization.app/settings/&sa=D&ust=1608803119201000&usg=AOvVaw3Mu9BPS20wCa2Hof32NeWE

The first screen invites the user to choose their Ledger Nano model.

Continue reading at https://1337.dcodx.com/blog/ledger-database-hack-facilitates-spear-phishing-attacks
