Trezor wallets hacked? Don’t be duped by phishing attack email

Graham Cluley
@gcluley

Owners of hardware Trezor cryptocurrency wallets should be on their guard after an email was sent out by thieves attempting to dupe them into downloading new software to their devices.

The emails claim that Trezor, which has been making physical USB-connected devices to protect the cryptocurrency and tokens of users since 2014, “experienced a security incident” yesterday that breached the data of 106,856 of its customers.

Here’s a screenshot of the email, which has the subject line “Your Trezor Suite might be compromised”:

Trezor phishing email

Part of the email reads:

At this moment, it’s technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you’ve recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen.

However, in reality, the email is not from Trezor at all – but is instead an attempt to dupe unsuspecting owners of Trezor devices into downloading a bogus version of the company’s desktop suite software from a lookalike website.

Fake trezor website

If you were unfortunate enough to click on the link offered in the email you would find yourself taken to: https://suite.trẹzor.com

Notice anything odd about that? Take a closer look.

Fake trezor url

Now you’ll hopefully notice that there is an underdot beneath the letter “e” in “trẹzor” in that URL. That means you’re not going to the real Trezor website (which is at https://trezor.io – the real domain is not even a .com!).

This is known as a Unicode domain phishing attack, also called an IDN homograph attack.
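To make the trick concrete, here is an added example (not from the article or from Trezor) that reduces a hostname to the ASCII letters a reader would see, shows the xn-- form a browser actually resolves, and flags a host whose brand label matches a trusted domain without being that domain. The trusted list is an assumption for the demo; the phishing host is the one quoted above.

```python
import unicodedata

# Constructed sample values for this example: the phishing host is the one
# quoted in the article; the trusted list is an assumption for the demo.
TRUSTED_DOMAINS = {"trezor.io"}
PHISHING_HOST = "suite.trẹzor.com"  # 'ẹ' is U+1EB9, not ASCII 'e'


def ascii_skeleton(host: str) -> str:
    """Reduce a hostname to the ASCII letters a human would 'see'.

    NFKD splits 'ẹ' into 'e' + U+0323 (combining dot below); dropping the
    combining marks (Unicode category Mn) leaves a plain 'e'.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn").lower()


def to_punycode(host: str) -> str:
    """Return the ACE (xn--) form that DNS and the browser really use."""
    return host.encode("idna").decode("ascii")


def registrable(host: str) -> str:
    """Last two labels; assumes a simple TLD such as .com or .io."""
    return ".".join(host.lower().split(".")[-2:])


def assess(host: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Flag a hostname that imitates a trusted domain.

    Suspicious when the host contains non-ASCII characters, or when the
    brand label of its visual skeleton matches a trusted brand while the
    registrable domain itself is not on the trusted list (e.g. .com vs .io).
    """
    skeleton = ascii_skeleton(host)
    reg = registrable(skeleton)
    brand = reg.split(".")[0]
    trusted_brands = {d.split(".")[0] for d in trusted}
    non_ascii = any(ord(c) > 127 for c in host)
    lookalike = reg not in trusted and brand in trusted_brands
    return {
        "host": host,
        "punycode": to_punycode(host),
        "skeleton": skeleton,
        "non_ascii": non_ascii,
        "trusted": reg in trusted,
        "suspicious": non_ascii or lookalike,
    }


if __name__ == "__main__":
    for h in (PHISHING_HOST, "suite.trezor.io", "trezor.com"):
        print(assess(h))
```

The same check flags the plain-ASCII trezor.com as well, since the legitimate site lives under .io.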

So, don’t trust the email. Don’t click on the link. The genuine Trezor Suite doesn’t ask you for your wallet’s private keys and doesn’t store them online, but who knows what this bogus software might ask you to do.

If you do want to update your Trezor’s firmware or desktop software, go to the official Trezor website instead.

One question remains – how did the malicious email get sent to so many Trezor customers? Is it possible Trezor, or one of its marketing partners, has suffered a security breach that has exposed members of its mailing list?

Update:

Trezor says it is investigating whether an opt-in mailing list it runs at MailChimp may have been breached. That would certainly explain how Trezor customers were targeted.

Trezor tweet

Sources inside Trezor tell me that this “was an inside job by a MailChimp rogue employee.”

That’s how they targeted Trezor users in this highly-convincing attack.

Hear more views on this incident in this episode of the award-winning “Smashing Security” podcast, with me, Carole Theriault, and special guest Zoë Rose.

Smashing Security #269: 'Trezor Deep Throat, a CCTV stalker, and Amazon's list of banned words'




Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

12 comments on “Trezor wallets hacked? Don’t be duped by phishing attack email”

  1. Clicked on the link to see if the site looked dodgy; looks like it halfway downloaded the so-called 'new update' or whatever.
    Not connected Trezor or been asked for any info, seed etc.
    What should I do now to get this potential malware off?

    1. If funds have been taken from your wallet then there may not be much you can do at all… other than be grateful it wasn't 100%… :(

  2. You tell people not to follow links in email but helpfully link to the "official Trezor website". For all we know, that link could be malicious. After all, I don't know you. Train people the right way. Tell them to Google it then bookmark it.

    1. Although there have also been plenty of occasions where cybercriminals have poisoned search engine results – or bought ads on search engines – to direct unsuspecting users to fake websites as well.

      Nothing's easy is it?

  3. Using a third-party service (MailChimp) for their newsletter was not a great idea, especially when handling sensitive information.

    I checked out their domain trezor.io with uBlock Origin, and it's full of third-party services. Ideally, only trezor.io and its subdomains should be listed.


  4. I was beside myself with panic but checked the email properties and saw .us where I was expecting .io! I then did a google search of the mail subject line and found this post of yours… Thanks so much for putting my mind at rest and I truly feel for anyone that fell for this despicable scam…

  5. A long-time IT security "expert" and I fell for this hook, line and sinker. Fortunately for me the device I read the email on wasn't the device I use for accessing my Trezor, so I didn't click the link. I updated Trezor Suite from Trezor Suite and then changed my PIN just in case.
    My excuse for falling for this is that I am terrified every time I connect my Trezor; firmware updates are always problematic and I'm always expecting to see a zero balance!

  6. What caught my attention in the podcast (though I may have missed something in the blog post) is that Trezor is totally absolved. People pay a premium for hardware wallets, mostly for the security benefits. If any software installed on the desktop can break this security, this is (excuse my French) a total scam. There's a *lot* they could do (e.g. a screen on the HW token, an on-board approve button, even as simple as a beep+delay) and yet the Trezor product quietly lets malware empty out the wallet.
