Trezor, the multi-cryptocurrency wallet service, has announced it has been targeted in a phishing campaign that has seen some users of its service redirected to a malicious website in an attempt to obtain their credentials.
Trezor became aware of the phishing campaign when the company started to receive complaints from its users about an invalid Secure Sockets Layer (SSL) certificate on the site.
Users who were directed to the fake Trezor site were warned about memory damage with the message, “Error details: Your Trezor data damage! Please, recover seed to restore data.” The lack of a valid SSL certificate was a red flag, as was the use of incorrect wording and poor grammar. However, apart from the lack of a valid SSL certificate, the site appeared genuine with the correct domain displayed in the address bar.
If users failed to identify the first two red flags, the third should have confirmed that the site was not genuine: users were asked to enter their order number and recovery seed. Trezor explained that the recovery seed should never be typed into a computer at all, let alone together with an order number; the seed should only ever be entered on the Trezor hardware device itself. Anyone who obtains the seed can take control of the wallet.
Trezor has suggested this was either a DNS poisoning attack or a case of BGP hijacking. A DNS poisoning attack exploits weaknesses in the DNS protocol that allow traffic intended for the official site to be directed to a malicious site. BGP hijacking, or prefix hijacking, is a takeover of groups of IP addresses achieved by corrupting Internet routing tables via the Border Gateway Protocol.
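One way a defender can start to tell the two hypotheses apart is to compare what several independent resolvers return for the domain against the address prefixes the site operator is known to use. This is an added example, not Trezor's code or analysis; the prefixes and resolver answers are constructed placeholders, not Trezor's real addresses. If one resolver hands back an address outside the expected prefixes, DNS poisoning at that resolver is the likelier explanation; if every resolver agrees on the legitimate address yet users still land on a site with a bad certificate, the redirection is happening below DNS, which is what BGP hijacking looks like.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample data (placeholders, not Trezor's real infrastructure):
# the prefixes the operator publishes for the site, and the A-record answers
# collected for the same name from several independent resolvers.
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
RESOLVER_ANSWERS = {
    "resolver-a": ["203.0.113.10"],
    "resolver-b": ["203.0.113.10"],
    "local-isp": ["198.51.100.7"],  # constructed: this resolver disagrees
}


def in_expected_prefixes(ip: str, prefixes: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any of the operator's known prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in prefix for prefix in prefixes)


def classify_resolution(answers: Dict[str, List[str]],
                        prefixes: Iterable[ipaddress.IPv4Network]) -> dict:
    """Compare resolver answers with each other and with the expected prefixes.

    Returns a verdict plus the per-resolver list of addresses that lie outside
    the expected prefixes (the "rogue" answers).
    """
    prefixes = list(prefixes)
    rogue = {
        name: [ip for ip in ips if not in_expected_prefixes(ip, prefixes)]
        for name, ips in answers.items()
    }
    rogue = {name: ips for name, ips in rogue.items() if ips}
    distinct_answers = {tuple(sorted(ips)) for ips in answers.values()}

    if rogue:
        # At least one resolver points at an address the operator does not own.
        verdict = "dns-poisoning-suspected"
    elif len(distinct_answers) > 1:
        # All answers are within the expected prefixes but resolvers differ;
        # worth investigating, but not necessarily malicious.
        verdict = "resolver-disagreement"
    else:
        # DNS is consistent. If users still reach a site with an invalid
        # certificate, suspect the routing layer (BGP) rather than DNS.
        verdict = "dns-consistent"
    return {"verdict": verdict, "rogue": rogue}


if __name__ == "__main__":
    print(classify_resolution(RESOLVER_ANSWERS, EXPECTED_PREFIXES))
```

A certificate that fails validation while the address bar shows the right domain is the signal that prompts this check; the check itself only narrows down where the redirection happened, it does not prove which attack was used.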
At present, the exact method of attack is unknown and it is still being investigated. Trezor was able to contact the hosting provider used by the attacker and the fake website has now been taken down.