QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
JULY 2018
GLOBAL
TREZOR
DESCRIPTION OF EVENTS
"The safe place for your coins." "Store your coins with Trezor." "Hardware wallet is the safest way to manage & trade your cryptocurrencies."
"In [BGP hijacking or DNS Poisoning] scams, hackers are able to redirect users away from the website even if the correct website was entered into the web browser. Trezor users had fallen prey to this scam."
"PSA: Phishing. We have encountered a clone of Trezor Wallet, tricking users to divulge their recovery seed. Always check for a valid https connection while using http://wallet.trezor.io." "The device itself can be trusted; make sure to verify all actions on the Trezor screen."
"Between June 30 and July 1, 2018, Trezor’s support team began to investigate the cause of alerts it had received regarding an invalid SSL certificate for the company’s website. Further investigation revealed a phishing campaign being perpetrated against the Trezor customer base."
"Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users."
"The Trezor team says "signs point toward DNS poisoning or BGP hijacking" as the means attackers hijacked legitimate traffic meant for the official wallet.trezor.io domain but redirected these users to a malicious server hosting a fake website. An investigation is still underway to determine the exact cause." "Bookmark in this case isn't enough. Seems like DNS poisoning attack. Checking for valid cert helps though." "The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking."
"In the image above, the address bar shows the correct address ie. wallet.trezor.io. But, an inspection of the site revealed several critical errors." "One, the website’s certificate was not trusted as shown by the “Not secure” words in the address bar." "They exploited the expiry: That's what I looked at and thought 'ok the certificate is just expired and that happens'. I was fully conned and I know a lot about this stuff." "First of all, look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)"
"Hijacked Trezor website requesting for seed." "[T]he fake website was asking users to enter a copy of their "recovery seed," something the Trezor team said would never do." "Upon accessing the web, the fake Wallet displayed an alert about device memory damage, asking users to restore their recovery seed. This was the second red flag, as the sentence contained errors."
"The third red flag was the method of recovery (seed check) — the fake site forced users to enter both the order number as well as the seed word into the computer."
"Trezor says the manuals of its two types of Trezor wallets —One and Model T— clearly state that users should never enter the recovery seed anywhere but the Trezor device, and never on a computer (app or website regardless)." "Trezor One: You should never enter your recovery seed on a computer, along with the order number. The order is always given to you by your Trezor device. Never by the computer." "Trezor Model T: You should never enter your recovery seed anywhere but on your Trezor device. Under no circumstances should you enter your seed on a computer."
"[A]lways verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism."
"[N]ever divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Trezor Wallet will never ask you for your recovery seed. Only your Trezor device may, but it will do so securely."
"We would like to thank everyone for their cooperation while we investigate this issue further. Special thanks go to our users, who reported this immediately. We will continue to do our best to figure out the cause and make sure to minimize the impact on you."
"Some users found themselves unsure if emails from Trezor warning of the scam were legitimate, and not just another phishing attempt following the attack."
"The Trezor team said it was able to take down the malicious site after contacting its hosting provider and having it taken down." "At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future."
Trezor is a leading hardware wallet manufacturer. The Trezor website fell victim to a DNS poisoning or BGP hijacking attack, which caused vicitors to be redirected to an attacker website, which prompted them to enter their recovery seed phrase. Entering the phrase allowed the attacker to steal their funds. It's unclear how much was lost. The malicious site was eventually taken down and the original site restored.
HOW COULD THIS HAVE BEEN PREVENTED?
In general, all hardware wallets are designed so that the seed phrase is only ever entered onto the device itself, and never into any computer interface. You should never be asked to enter the device on your computer anywhere.
Nasty Ledger wallet scams. And how to avoid them. - Who Took My Crypto (Mar 20)
@Trezor Twitter (Mar 27)
@banthebbc Twitter (Mar 27)
https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced (Mar 27)
DNS Poisoning or BGP Hijacking Suspected Behind Trezor Wallet Phishing Incident (Mar 27)
[PSA] Phishing Alert: Fake Trezor Wallet website : TREZOR (Mar 27)
Dns Scam Redirects Trezor Users To Cryptocurrency Phishing Site (Mar 27)
https://trezor.io/ (Feb 20)
https://trezor.io/security/ (Feb 20)
