Scammers are mailing fraudulent replacement devices to Ledger customers who were recently exposed in a data breach, which are being used to steal cryptocurrency wallets.
With increased cryptocurrency values and the use of hardware wallets to secure crypto funds, Ledger has become a frequent target for scammers.
After receiving what appears to be a Ledger Nano X device in the mail, a Ledger user published a devious fraud on Reddit. The gadget arrived in authentic-looking packaging with a sloppy letter claiming that it was sent to replace their existing device as their customer information had been leaked online on the RaidForum hacker community.
"For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," state the fake letter from Ledger.
"For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again."
Despite the fact that the letter contained numerous grammatical and spelling issues, the information for 272,853 persons who purchased a Ledger device was published on the RaidForums hacking site in December 2020. This provided a slightly convincing reason for the new device's arrival.
A shrinkwrapped Ledger Nano X box was also included in the package, containing what appeared to be a genuine device. After becoming skeptical of the device, they opened it and posted photos of the printed circuit board on Reddit, which clearly indicated the modification of devices.
Mike Grover, a security researcher, and offensive USB cable/implant expert informed BleepingComputer that the threat actors added a flash drive and hooked it to the USB port based on the photos.
Grover told BleepingComputer in a conversation about the photographs, "This appears to be a simple flash drive slapped on to the Ledger with the purpose of being for some form of malware delivery."
"All of the components are on the other side, so I can't confirm if it is JUST a storage device, but.... judging by the very novice soldering work, it's probably just an off-the-shelf mini flash drive removed from its casing."
As per the image examining, Grover highlighted the flash drive implant connected to the wires while stating, "Those 4 wires piggyback the same connections for the USB port of the Ledger."
According to the enclosed instructions, it instructs people to connect the Ledger to their computer, open the drive that appears, and execute the accompanying application. The person then enters their Ledger recovery phrase to import their wallet to the new device, according to the guidelines.
A recovery phrase is a human-readable seed that is used to produce a wallet's private key. Anyone with this recovery phrase can import a wallet and gain access to the cryptocurrency contained within it.
After entering the recovery phrase, it is sent to the attackers, who use it to import the victim's wallet on their own devices to steal the contained cryptocurrency funds.
This fraud is acknowledged by Ledger and they issued warnings about it in May on their dedicated phishing website.
Recovery phrases for Ledger devices should never be shared with anybody and should only be input directly on the Ledger device the user is trying to recover. The user should only use the Ledger Live application downloaded straight from Ledger.com if the device does not allow to enter the phrase directly.
Ledger customers flooded with scams:
In June 2020, an unauthorized person gained access to Ledger's e-commerce and marketing databases, resulting in a data breach.
This information was "used to send order confirmations and promotional mailings — largely email addresses, but with a subset that also included contact and order details including first and last name, postal address, email address, and phone number."
Ledger owners began getting several of the phishing emails directing them to fraudulent Ledger apps that would fool them into inputting their wallet's recovery codes. After the contact information for 270K Ledger owners was disclosed on the RaidForums hacker community in December, these scams became more common.
The leak resulted in phishing operations posing as new Ledger data breach notifications, SMS phishing texts, and software upgrades on sites imitating Ledger.com.
