Anatomy of a Phishing Attack

11/10/2020 | Blog posts

Since October 19th, our clients have been targeted by aggressive and elaborate phishing attacks through email and text message campaigns. Our team is working diligently to stop the scammers and restore faith within the community. Here is a description of the attack.

1. Malicious email or text message

First, the targeted consumer receives either an email or a text message. The sending address impersonates Ledger to make the consumer believe it comes from us, which is of course not the case. In legal terms, this is called trademark infringement and, in most countries, it is a criminal offence.

The attacker’s goal is to make the victim click on a link to a malicious website whose hostname is close to Ledger’s legitimate domains. The message usually sounds scary and urgent in order to increase the odds that the victim clicks on the link, even though the information it contains is fake most of the time.

As an example, here is a list of malicious hostnames registered by attackers:

2. Malicious website or application

Once the victim clicks on the link, the malicious website opens in her web browser. The website might be indistinguishable from the Ledger website. The attackers want to steal the recovery phrase (i.e. the 24 words) from the victim and generally use two ways to achieve this goal: either a form is displayed directly on the website persuading the victim to enter her seed, or a link to a fake Ledger Live application is offered.

See for example this illegal website asking the victim to enter her recovery seed:

This one asks the victim to enter her recovery phrase after displaying two fake steps about device initialization:

In another phishing campaign, victims were tricked into opening the link http://malicious-domain.com/download.php (the hostname has been modified in this blog post to prevent users from browsing the website). A download link is displayed to the victim: http://malicious-domain [.] com/files/ledger-live-desktop-2.2.5-win.exe. This fake Ledger Live application is actually malware, which will also persuade the victim to eventually enter her seed through a “recovery” step.

The analysis of this malware shows that once the victim enters her seed, passphrase and PIN, they are sent to the attacker’s server:

3. Recovery phrase theft

Once the victim enters her recovery phrase, it is sent over the Internet to the attacker. The recovery phrase may be sent to a server different from the one hosting the malicious website, and the attacker is often notified that a new recovery phrase has been stolen, through Telegram or by email.

4. Assets theft

As soon as the victim has disclosed her 24 words, the scammer has instantaneous access to the private keys and can perform a “send” action to his own address. The funds are gone.

In conclusion: never share your 24 words with anyone, even if the request seems to come from us, because Ledger would NEVER ask for them.

On the pragmatic side, Ledger tries to make the malicious websites unreachable, so that, at least, if a victim falls for the scam and clicks on the link, the website the browser tries to display will be unavailable.

There are numerous intermediaries on the Internet: browsers, registrars, registries, DNS… All of them play a role and can help.

In the present case, Ledger is asking for their help 24/7 to disable access to the illegal websites, and is sometimes successful:

This one is one of the trickiest domain names, with only a small dot below the “e” to tell it apart…
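Lookalike hostnames of the kind described in step 1, and homoglyph domains like this dot-below-the-“e” one, can be triaged automatically before they reach a takedown queue. The Python below is an added example, not Ledger’s own tooling: it flags internationalised labels, strips diacritics to expose homoglyphs, and measures edit distance to catch typosquats; the allowlist and the sample hostnames it is meant for (lẹdger.example, ledgre.example) are constructed for the demonstration.

```python
import unicodedata

# Constructed allowlist for this demo; a real deployment loads the organisation's own domains.
LEGIT_DOMAINS = {"ledger.com", "ledger.fr", "ledgerwallet.com"}
BRAND = "ledger"

def to_punycode(hostname: str) -> str:
    """ASCII (punycode) form of the hostname, i.e. the name DNS actually resolves."""
    return hostname.encode("idna").decode("ascii").lower()

def skeleton(text: str) -> str:
    """Strip combining marks so 'lẹdger' (dot below the e) collapses to 'ledger'."""
    return "".join(c for c in unicodedata.normalize("NFKD", text) if not unicodedata.combining(c)).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'ledgre'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_hostname(hostname: str) -> list:
    """Return the reasons a hostname looks like a brand impersonation (empty list = clean)."""
    host = hostname.strip().rstrip(".").lower()
    if host in LEGIT_DOMAINS:
        return []
    try:
        ascii_form = to_punycode(host)
    except UnicodeError:
        return ["not a valid IDNA hostname"]
    findings = []
    if "xn--" in ascii_form:  # non-ASCII label; browsers may render it as Unicode
        findings.append(f"idn label (DNS form: {ascii_form})")
    sk = skeleton(host)
    if sk != host and BRAND in sk:
        findings.append("homoglyph of brand after stripping diacritics")
    labels = sk.split(".")
    branded = [l for l in labels[:-1] if BRAND in l]  # every label except the TLD
    if branded:
        findings.append(f"brand name embedded in label '{branded[0]}'")
    for token in "-".join(labels[:-1]).split("-"):  # hyphen-separated words in the name
        dist = levenshtein(token, BRAND)
        if 0 < dist <= 2:
            findings.append(f"typosquat '{token}' (edit distance {dist})")
            break
    return findings
```

Feed it the hostnames extracted from reported messages; anything with a non-empty result is a candidate for a registrar or Safe Browsing report, while an exact allowlist match is left alone.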

We are relentlessly after them, on two grounds:

Because it all comes down to this: victims think it is Ledger and it is not Ledger. 

The scammers use this confusion to steal the funds of the victims. 

It takes three clicks to create a domain; it takes at least 24 hours to close it. And when we say 24 hours, that is when we are lucky and dealing with compliant registrars. Some illegal websites have been up for days.

So you may wonder: why not go after the scammers directly, since they are the ones who registered the said websites? We wish we could!

But look at what we see when we try to find out who is hiding behind the domain:

The registrant (i.e. the owner of the domain name) is… WhoisGuard. “WhoisGuard is a privacy protection service that prevents people from seeing your name, address, phone number and email when they do a Whois search on your domain.”

Oh lord, are they allowed to hide like this? Well, yes. We can obtain the identity of the registrant by filing a subpoena and asking the court to issue an order requiring the registrar to disclose it. It will take some time, and in the meantime, the scammers will have registered 10 other websites…

But let’s see the glass half full: we can still ask the browser vendors, the registrar and the hosting provider to suspend the illegal websites, and we have procedures in place for this.

Safe Browsing is a feature available in major web browsers (such as Google Chrome, Mozilla Firefox and Safari) that warns you when you are about to visit a dangerous site known for malware, phishing or downloading unwanted software onto your device. When you click a link, it is checked against lists of reported phishing, unwanted software and malware sites. If the site is identified as an attack site, the web browser warns you against visiting it.

Users can manually report a phishing website through this form and malicious software through this one. Google Chrome users can also use the Suspicious Site Reporter extension to report a malicious website in a single click.

For example, reporting a phishing website through Google Safe Browsing is easy:

We are doing all this, relentlessly, notifying non-compliant registrars that this is of crucial importance. They do not monitor proactively; fine (even if it is not fine, in fact), but they should at least be reactive when notified.

This is not always the case.

Phishing scams are one of the critical problems in cybercrime. The Ledger community will be better protected if we all work together.

When you find a scam, report it to the community: #StopTheScammers