Crypto hardware wallet maker Trezor has officially confirmed that its mailing list was compromised by an insider who targeted some of its users in what appears to be a phishing attack. In the early hours of 3rd April, Trezor sent out a tweet saying it was investigating “a potential data breach of an opt-in newsletter hosted on MailChimp” and warned users against opening emails from “noreply@trezor.us”.
In successive tweets, the wallet firm said it had managed to take down the phishing website and was trying to determine how many email addresses had been affected. The firm added that it will not communicate by newsletter until the situation is resolved.
How did the attack start?
The phishing attack began with Trezor hardware wallet owners receiving fake security incident emails posing as a data breach notification. These fake emails claimed the company did not know the extent of the breach and asked owners to download the latest app and set up a new PIN on their hardware wallet.
The email very convincingly included a ‘Download Latest Version’ button that directed users to a phishing site appearing in the browser as suite.trezor.com. It should be noted that the legitimate website is trezor.io.
Once owners connected their device to the fake Trezor Suite app, it tricked them into entering their 12- to 24-word recovery phrase, which was sent back to the threat actors. With the recovery phrase in hand, the attackers can drain the victims’ cryptocurrency assets.
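One way a mail-security or abuse team could triage the two indicators the article describes (the noreply@trezor.us sender and the suite.trezor.com link, checked against the legitimate trezor.io domain), as an added Python example that is not from the article or from Trezor; the sample email text and the two-label registrable-domain simplification are assumptions:

```python
import re
from urllib.parse import urlparse

# Legitimate domain named in the article; any other domain in the mail is treated as suspect.
LEGITIMATE_DOMAIN = "trezor.io"


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels (assumption: no public-suffix list, so a simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legitimate_host(host: str) -> bool:
    """True only for trezor.io itself or a genuine subdomain of it; suite.trezor.com and trezor.us fail."""
    host = host.lower().rstrip(".")
    return host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)


def check_sender(address: str) -> dict:
    """Flag a From: address whose domain is not under the legitimate domain."""
    domain = address.rsplit("@", 1)[-1]
    return {"value": address, "domain": domain, "suspicious": not is_legitimate_host(domain)}


def check_links(body: str) -> list[dict]:
    """Extract every http(s) URL from the body and flag those not hosted under trezor.io."""
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        findings.append({"value": url, "domain": registrable_domain(host),
                         "suspicious": not is_legitimate_host(host)})
    return findings


def triage_email(sender: str, body: str) -> dict:
    """Combine sender and link checks into a single verdict for the message."""
    sender_result = check_sender(sender)
    links = check_links(body)
    suspicious = sender_result["suspicious"] or any(link["suspicious"] for link in links)
    return {"sender": sender_result, "links": links, "verdict": "phishing" if suspicious else "clean"}


# Constructed sample modelled on the article's description; not a real captured email.
SAMPLE_SENDER = "noreply@trezor.us"
SAMPLE_BODY = """We do not yet know the full extent of the breach.
Download the latest version and set up a new PIN: https://suite.trezor.com/download
"""

if __name__ == "__main__":
    print(triage_email(SAMPLE_SENDER, SAMPLE_BODY))
```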
Trezor then retweeted an earlier post in which one of its experts wrote a detailed blog on improving security.
Trezor’s guidelines against phishing attacks
As per the post, phishing messages are designed to get the recipient to perform a certain action by making it seem as if the sender wanted to help resolve a terrible problem that had occurred. Following the instructions usually means revealing one’s credentials directly to the attacker, who then easily drains funds from the targeted financial accounts.
The post then asked users to avoid such messages. “If in doubt about whether it’s real or not, contact the sender directly using contact information you already have or that is available online. Never use contact information contained within the email,” it added.