Hardware wallets might promise security but the human factor remains a vulnerability. Popular hardware wallet manufacturer Trezor has recently cautioned its users of a sophisticated phishing attack targeting its customers.
Users who received an “Assets undergoing upgrade” email on January 24th could have had their funds stolen if they followed the link it contained.
Security Alert
We've detected an unauthorized email impersonating Trezor sent from a third-party email provider we use.
If you received a suspicious email with the subject line 'Assets undergoing upgrade' from the ID: noreply@trezor.io, please do not click any links or…
— Trezor (@Trezor) January 24, 2024
This incident comes just days after unauthorized access to Trezor’s customer support database. While investigations continue, Trezor has yet to determine whether the two attacks are linked. For now, the company has actively warned its customers about the incident and stressed that they should safeguard their recovery phrases and delete unsolicited emails to protect against fraud.
A Different Kind of Phishing Attack
Phishing emails reach billions of people, with an estimated 3.4 billion such emails being sent every day. More often than not, these emails come from addresses crafted to look as similar as possible to the legitimate one so as not to raise suspicion. In this case, however, the use of an official address would have given most users a sense of security strong enough to click the link.
The emails were sent from Trezor’s official email address noreply@trezor.io as a result of a compromised third-party email provider. If the links in the email were clicked, users were taken to a fake Trezor website where they were asked to enter their seed phrases.
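Because the email left Trezor's own authorized provider, sender-based checks such as SPF and DKIM would have passed; what gave the message away was the destination of the link. The script below is an added example, not code from Trezor or from this article: it parses an email, reads the sender's domain and flags every link whose host is not that domain or a subdomain of it. The sample message and the off-domain hostname in it are constructed placeholders, not the real phishing URL.

```python
"""Flag links in an email whose target host does not belong to the sender's domain.
Constructed example for illustration; the message below is made up."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the sender address is the legitimate domain, but one link
# points elsewhere. The off-domain hostname is a placeholder, not a real site.
SAMPLE_EMAIL = """\
From: Trezor <noreply@trezor.io>
To: user@example.invalid
Subject: Assets undergoing upgrade
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your wallet.</p>
<a href="https://trezor.io/learn">Help center</a>
<a href="https://trezor-upgrade.example.invalid/recover">Start upgrade</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href attribute found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def sender_domain(msg):
    """Return the lower-cased domain part of the From: address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def same_or_subdomain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw_email):
    """Return the hrefs whose host is outside the sender's domain."""
    msg = message_from_string(raw_email)
    domain = sender_domain(msg)
    collector = LinkCollector()
    # Walk all MIME parts; the sample is single-part but real mail is often multipart.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    flagged = []
    for link in collector.links:
        host = (urlsplit(link).hostname or "").lower()
        if not same_or_subdomain(host, domain):
            flagged.append(link)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("off-domain link:", link)
```

A check like this belongs in a mail gateway or a user's mail client rather than in the hands of the recipient alone; it catches the case described here, where the sender is genuine but the destination is not, and it is the reason hardware wallet vendors repeat that a seed phrase is never entered on a website.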
Trezor believes that an “unauthorized individual” gained access to the company’s database containing the email addresses of its newsletter subscribers. This information was then used to send the phishing emails to all subscribers. Users who were not subscribed to Trezor’s newsletter were not affected.
What Was Trezor’s Response?
Trezor has yet to share more information on how the attack happened, the only available information being a blog post and a tweet informing users about the incident. The company was also able to “swiftly” deactivate the malicious link, revoke the unauthorized access, and secure the newsletter database in an attempt to limit the reach of the threat.
While the investigation is still ongoing, Trezor has determined that “only” the third-party service used to deliver newsletter email communications and the newsletter database were compromised. The company has also warned users that they need to transfer all funds immediately if they entered their recovery seed in any form.
For those users who received the email but didn’t engage with it, Trezor said “No further action is required”. All users were also warned of the need to remain alert for potential phishing attacks, independently of the result of this attack.
More Than an Isolated Incident
The phishing attack on January 24th was not an isolated incident for Trezor. The company has been dealing with cybersecurity threats for years, with the latest before this incident having taken place on January 17th.
The January 17th attack saw Trezor’s third-party support ticketing portal accessed by an unauthorized individual. This attack compromised over 66k users who had interacted with Trezor’s customer support since December 2021. The information obtained by the attackers potentially included “contact details, limited to email and name/nickname.”
While the two attacks differed, Trezor believes that the company could currently be the target of “skilled hackers on a larger scale”. As no conclusion can be drawn yet, the company says it is closely monitoring both incidents and working to enhance its security.
Until more information is known, hardware wallet users should remain wary of any emails, calls, SMSs, or websites asking them to provide personal information. While hardware wallets like Trezor and Ledger remain excellent options in terms of security, social engineering remains a threat.