Security remains one of the biggest barriers to widespread adoption of crypto. Within the broader scope of security, credential and private key phishing stands out as one of the most important security issues to combat. Some of the most common advice we and other security teams give to end users is to encourage the use of hardware wallets. The private key never leaves the device, meaning you don’t have a private key that can get phished — right?
Wrong! Hardware wallets make it more difficult for attackers to phish you, but here’s how they’re currently doing it. Take a look at a new phishing kit that has been targeting users of Trezor hardware wallets.
The first stage is getting sent a phishing link. This could have been through any medium, but in the crypto space they popular options include Telegram, Email, Twitter, Discord, or Reddit.
If you click on the link, you’ll get taken to this page:
This is a near perfect clone of the standard Trezor onboarding process.
The scammers in this case have included the same warnings that Trezor show you to ensure that your device has not been tampered with. By default, Trezor ships with holographic tamper evident seals on their packaging that let the end user know whether the device has been opened in transit to the user.
Including safety information like this in a phishing site is a common strategy used by attackers to lull the end user into a false sense of security. Next, the screen below is shown, which includes instructions to “Connect your Trezor to continue”.
The phishing kit has a built in delay that triggers the final stage, whether or not you connect your Trezor device.
Now that you’ve walked the journey through the attackers phishing website, the final part of the process begins.
A popup box appears notifying you of a “Hardware Error” that requires you to enter your 12 word recovery seed to restore your wallet. Of course, if you do so, your recovery seed is sent off to the attackers server and your crypto will be swept out of your wallet in a matter of minutes.
Are hardware wallets a bad idea? Absolutely not. Using a hardware wallet is one of the safest ways to store your funds currently. In fact, we highly encourage anyone reading this that is hodling any crypto to get one. However, remember that you’re not immune to the biggest security risk in the crypto industry right now — phishing. Here are our top tips on staying safe online:
Here to fight phishing in the crypto space. Find us at phishfort.com and on Twitter @phishfort.