Security

Beware of well executed Ledger phishing email

Cracklord

2 min read
Beware of well executed Ledger phishing email

Today I received an email that appears as though it's from Ledger. The header claims "IMPORTANT: Ledger Nano S and Ledger Nano X SECURE RNG CHIP CRITICAL VULNERABILITY". This however, is not true.

The email claims that a small batch of Ledgers have a compromised secure enclave chip and that you can download a tool to check if your Ledger was from this bad batch. Unfortunately, this tool is malware and it seems as though the purpose is to try and get your wallet's seed.

This email is far more convincing than the average crypto scam email. The email comes from "supportledger.com" and it has full SPF/DKIM verification for that domain, meaning most email services won't throw it into your junk/spam folder. If you browse to that website, it redirects to the official Ledger support website (which makes no mention of such a vulnerability under announcements, how strange). The domain however is not owned or part of Ledger at all and thus fully authenticating the domain to send emails is not difficult.

In addition, the text makes a rather compelling claim, one that is actually somewhat believable. It reads; "Inside Ledger hardware wallet, we use the Secure Element chip to generate and store the private keys for your crypto assets. Unfortunately, some chips, a limited number, were found to be defective by the external company commissioned by Ledger for the production. The problem identified concerns the lack of a correct source of entropy for use by the random number generator may lead to the generation of predictable sequences of numbers and therefore of private keys by malicious users.". Something that is actually probably possible to some extent, certainly somewhat believable.

When you run the tool, it asks you to input your 24 word phrase to check your Ledger chip. Anyone trained well enough should have extreme alarm bells ringing at this point.

As a Reddit user commented, using this [useful tool to run the program online](https://app.any.run/tasks/9079e9d2-a55c-45e2-ae93-d95e9e6252c9/) we can inspect what it is doing and we can see from the "Connections" tab that it is connected to Telegram and sending the seed to someone on there once the user inputs it.

Be very wary of emails like this, always check the official website of Ledger for any important updates or information and ensure that the URL is ledger.com. You can view the full source of the email here.

Ledger has thus far never had any major exploits of the sort and have generally been almost unbeatably strong security wise. So any claims like this should be very thoroughly scrutinised before even beginning to take it seriously.