Our early warning systems recently detected trustwället[.]com, an obvious phishing clone of the popular Trust Wallet app, hosted at trustwallet.com.
After a recent spate of mobile phishing apps, our first suspicion was that one of the mobile apps being linked to on the website was backdoored — most likely the direct link to the Android APK download. However, after inspecting each of the links, we realized that all of the links were in fact legitimate.
With such an obvious lookalike, where most of the content was accurately cloned, and legitimate backlinks were being used for social media accounts, it was clear that something else must be going on behind the scenes. After exploring the website some more, we came across the “Recovery” functionality.
This feature supposedly allowed users to recover funds lost through the Trust Wallet app. The process entailed selecting the currencies that the user would like to recover:
The user was then prompted to enter their email, as well as their private key or mnemonic phrase.
This private data was promptly sent off to their server, and the attacker would have all the data necessary in order to steal any funds associated with that private data.
This is a harsh reminder that attacks are constantly evolving. Despite being a mobile app, the Trust Wallet app was being targeted through a website that was phishing user’s credentials to the app.
Warning: this website is currently live. Do not attempt to visit or interact with it for your own safety.
Fighting phishing in the crypto space. Find us at phishfort.com and on Twitter @phishfort.