The hardware wallet maker Trezor is now alerting all of its users about a new, deceptive phishing campaign. This campaign cleverly abuses the company’s own automated support system to send out legitimate-looking but malicious emails. The emails are sent from the official platform, which makes them appear authentic and trustworthy to the recipients. Attackers are exploiting this system to try and trick users into visiting phishing sites to steal their assets.
The company’s online support site allows anyone to open a support ticket using any email address they want.
The system then automatically replies with a case number, using the submitted ticket title as the email subject. Attackers abuse this feature by submitting tickets with titles that contain urgent and alarming phishing messages. Since the reply comes from a legitimate Trezor email address, it appears authentic but contains a fake alert.
Users who were tricked into visiting the fake domain on their web browsers were taken to a phishing page. This malicious page then immediately prompted them to enter their secret and highly sensitive wallet recovery seed phrase. Anyone who has another user’s seed phrase can easily restore their wallet on a completely different device.
This gives the attacker full and complete access to all of the user’s valuable cryptocurrency and other assets.
This is not the first time that Trezor’s support system was abused or targeted to perform supply chain attacks. In April 2022, the email marketing firm MailChimp suffered a breach that was leveraged to send phishing emails. Then, in January 2024, Trezor’s support site suffered a data breach caused by unauthorized access to its portal. That incident exposed the sensitive information of roughly sixty-six thousand Trezor users who had interacted with support.
Reference:
