Hacking

Trezor users targeted by phishing attacks, experts blame DNS Poisoning or BGP Hijacking

The maintainers of the Trezor multi-cryptocurrency wallet service reported a phishing attack against some of its users that occurred during the weekend.

The attack appears more complex respect a simple phishing campaign, hackers may have powered a DNS poisoning attack or a BGP hijacking to redirect users to a rogue phishing site that mimic the legitimate one.

“DNS poisoning or BGP hijacking point toward DNS poisoning or BGP hijacking” explains the Trezor team.

Hackers redirected legitimate traffic for the official wallet.trezor.io domain to a rogue copy of the website.

The team launched an investigation to shed the light on the attack. The experts spotted the incident after users reported HTTPS certificate error while landing on web wallet portal.

The error alerted the users, this kind of error suggests users are visiting a rogue website that attempts to pose as a legitimate one.

The users quickly reported the anomaly to the team of maintainers that confirmed the phishing attack and published a security advisory to warn users about the phishing attacks.

“Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.” reads the security advisory.

“The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.”

The company also reported two other issues for the bogus website:

  • The first issue was an error message that was different from the original Trezor site, which told users that syncing data their Trezor hardware wallet and their Trezor web account had failed.

 

  • The second issue was that the fake website was asking users to provide a copy of their “recovery seed,” Trezor warns that users should never enter the recovery seed on a PC or app.  If the attackers obtain the recovery seed they can take over the accounts.

The company took down the malicious website with the support of the hosting provider.

At the time it is not clear if the attackers stole user funds.

Let’s close with suggestions provided by the company:

So how should I recognize the original Trezor Wallet?

  • Look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)
  • Always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
  • Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Wallet will never ask you for your recovery seed. Only your device may, but it will do so securely.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – phishing, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: BGP hijackingcryptocurrencyCybercrimeDNS poisoningHackingphishingPierluigi PaganiniSecurity AffairsTrezor
8 years ago

Recent Posts

Fintech firm Figure disclosed data breach after employee phishing attack

Fintech firm Figure confirmed a data breach after hackers used social engineering to trick an…

16 hours ago

U.S. CISA adds a flaw in BeyondTrust RS and PRA to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in BeyondTrust RS and…

18 hours ago

Suspected Russian hackers deploy CANFAIL malware against Ukraine

A new alleged Russia-linked APT group targeted Ukrainian defense, government, and energy groups, with CANFAIL…

22 hours ago

New threat actor UAT-9921 deploys VoidLink against enterprise sectors

A new threat actor, UAT-9921, uses the modular VoidLink framework to target technology and financial…

1 day ago

Attackers exploit BeyondTrust CVE-2026-1731 within hours of PoC release

Attackers quickly targeted BeyondTrust flaw CVE-2026-1731 after a PoC was released, enabling unauthenticated remote code…

2 days ago

Google: state-backed hackers exploit Gemini AI for cyber recon and attacks

Google says nation-state actors used Gemini AI for reconnaissance and attack support in cyber operations.…

2 days ago

This website uses cookies.