Security alert

Ongoing phishing attacks on Trezor users

Trezor users have reported being targeted by a malicious phishing attack on April 3.

By SatoshiLabs, published in Trezor Blog, Apr 4, 2022

We are currently investigating how many customers might have been affected following an insider compromise of a newsletter database hosted on Mailchimp.

The Mailchimp security team disclosed that a malicious actor accessed an internal tool used by customer-facing teams for customer support and account administration. The bad actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees.


What does the attack look like?

When you click on the link in the phishing email, you are directed to download a Trezor Suite lookalike app that asks you to connect your wallet and enter your seed. The seed is compromised the moment you enter it into the app, and your funds are then immediately transferred to the attacker's wallet.

This attack is exceptional in its sophistication and was clearly planned to a high level of detail. The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app.

For this attack to be successful, users had to install the malicious software on their devices, at which point their operating system should identify that the software comes from an unknown source. This warning should not be ignored: all official software is digitally signed by SatoshiLabs.

The phishing message containing the link to the malicious app states: “Trezor has experienced a security incident involving data belonging to 106.856 of our customers, […] If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet.”

A copy of the phishing email.

“We immediately took steps to disable phishing sites and are taking further steps to stop the continuation of this phishing attack.” — Tomáš Sušánka, CTO of Trezor.

What should you do if you clicked on the link?

The only reason to worry about your funds is if you entered your seed into the malicious app. Your device cannot be compromised or affected by this attack unless you explicitly type your seed into your computer. Never enter your seed anywhere unless your Trezor device tells you to!

  • If you entered your seed into the malicious app, immediately move your assets to a newly generated seed.
  • If you have not received such an email, there is still a chance your email address has been leaked, so it is best to remain vigilant in case a new wave of emails appears.
  • If you clicked on the link but didn’t enter your seed, your funds will not have been compromised, even if you downloaded the app.

Compromised email addresses may be targeted again in future so please report any new phishing attempts directly to security@trezor.io.

Your Trezor device has not been affected. Even if your seed is compromised by a phishing attack, you can continue to use the same device by wiping it and creating a new seed.

How to protect yourself from phishing attacks

Never enter your seed anywhere unless your Trezor device instructs you to with a message displayed on its screen.

Always check that the URL of the page you are on is suite.trezor.io or trezor.io. For more security, download Trezor Suite as a desktop app and only manage your Trezor there. Only download it from suite.trezor.io.

When subscribing to newsletters or purchasing sensitive goods, it is highly recommended that you use dedicated email addresses to protect your privacy.

Follow our social media accounts to stay informed of any security alerts or new developments.

Learn how to tell if an email is a phishing attack below.

What is Trezor doing to protect user data?

  • Trezor customer order data is purged after 90 days. The data contained in this leak originates from a separate database secured by a third party.
  • We are actively warning customers about the ongoing phishing attacks, having published warnings on our website and social media, and also within the Trezor Suite app. Please help us spread the word and minimize the harm these scammers cause.
  • We have already taken down many of the malicious sites associated with today’s attack. The team is working around the clock to bring the phishing sites down as soon as possible.

Should I be concerned about using my Trezor?

No. None of these events have any direct impact on the security of your funds. The message today is the same as the day Trezor was created: do not enter your seed words anywhere unless your device tells you to.

The main harm from the leak of email addresses is that those addresses are now likely to receive more phishing attempts. As long as you use your device correctly, it should not affect you. Please follow best practices for data protection and use disposable email addresses for subscriptions or orders.

We are currently looking into a solution that will improve the security of our newsletters going forward, and we have suspended any email communication until we have more information about the attack.

How to tell if an email is a phishing attack

In light of recent events, let’s look at how to recognize a phishing attempt.

Check the sender

Always check the sender before doing anything else. The name first displayed in the email message may not be the address that actually sent it. Always look for the details of the sender: on mobile devices, tap on the sender to reveal the real address it was sent from; on computers, click to show the details of the message header. If you see anything other than exactly the email address you expect, it is likely to be fake. Trezor, for instance, always communicates from email addresses ending with @trezor.io or @satoshilabs.com.

Check the address on iOS Mail

  1. Tap on the email to display the message,
  2. Tap on Details,
  3. Tap on the name of the sender to display more details.

Check the address on Gmail

  1. Click the little arrow next to the To field,
  2. A pop-up window will be displayed showing the sender’s full email address.

Check the address in Outlook or Thunderbird

When you open an email, look into the header of the email. You should see the display name along with the email address in brackets.

Check the links

Links within email messages can be masked. What you see at first glance is not always where the link will take you. Before opening any link, check where it leads. On a computer, hover your mouse cursor over the link to reveal its true destination. On a mobile device, press and hold the link to see where it leads. Again, in the case of Trezor, it should only lead you to a URL ending with .trezor.io or .satoshilabs.com.
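The sender check and the link check above can be applied mechanically to a raw message. The following Python script is an added example, not code from Trezor or SatoshiLabs: it judges the real From address rather than the display name, and each link's destination host rather than its visible text, against the @trezor.io / @satoshilabs.com domains named in this post. The sample email, its sender address and its link hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
# Sender and link domains the post names as legitimate for Trezor.
TRUSTED_DOMAINS = ("trezor.io", "satoshilabs.com")

def domain_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for an exact trusted domain or a real subdomain of one;
    lookalikes such as trezor.io.example or trezor-io.com must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def sender_is_trusted(from_header):
    """Judge the real address, not the display name a client shows first."""
    _display, addr = parseaddr(from_header)
    return "@" in addr and domain_is_trusted(addr.rsplit("@", 1)[1])

class _LinkCollector(HTMLParser):
    """Collect href targets; the visible anchor text is deliberately ignored."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def untrusted_links(html):
    """Return every link whose destination host is not a trusted domain."""
    parser = _LinkCollector()
    parser.feed(html)
    found = [(h, re.match(r"^https?://([^/:?#]+)", h, re.I)) for h in parser.hrefs]
    return [h for h, m in found if m is None or not domain_is_trusted(m.group(1))]

def check_email(raw):
    """Apply both checks to one raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"sender_ok": sender_is_trusted(msg.get("From", "")),
            "bad_links": untrusted_links(body)}

# Constructed sample in the style of the quoted phishing message (not the real email).
SAMPLE = """\
From: "Trezor Support trezor.io" <alerts@trezor-security.example>
Content-Type: text/html; charset=utf-8

<p>Download the latest <a href="https://suite.trezor.io.example/download">Trezor Suite</a>
and set a new PIN. Help: <a href="https://trezor.io/support">trezor.io</a></p>
"""
```

Running `check_email(SAMPLE)` reports the sender as untrusted and flags only the first link, even though both the display name and the link's host contain "trezor.io".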

Check the language

Phishing emails are often poorly written. If you see any language errors — misspelled words, grammar errors, unusual word order, etc., you should be very cautious about interacting with the content of the email.

Is there a sense of urgency?

Phishing emails usually present themselves as urgent. They may warn that your access to a service will be blocked, that there has been a security breach, or that some other critical event needs your attention. If an email contains an urgent warning, verify the information on official channels run by the sender. Attackers create a sense of urgency in order to trick users into performing actions they would not otherwise take. Verify before you act.

Always check before opening attachments or downloading software

Does the email contain an attachment or lead you to download software? If the email fails the checks above, you should not open any attachments or download any software. Always download software through official channels only, and verify its digital signatures against those provided by its author.


Innovating since we founded the industry in 2013 with production of the first crypto hardware wallet, the Trezor One. Open-source, secure, community-driven.