Targeted Mailchimp Breach Affects Trezor Crypto Customers
Data of 102 Mailchimp Accounts Exported; One Trezor User Claims £55,000 in Losses
A data breach involving a third-party client has affected customers of cryptocurrency hardware wallet provider Trezor, the company says.
Trezor launched an investigation after customers said they had received sophisticated phishing emails that contained their registered Trezor email addresses. The investigation revealed a data breach at its third-party email marketing firm Mailchimp, which it says likely leaked email addresses of Trezor customers.
Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies.— Trezor (@Trezor) April 3, 2022
We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected. 1/
Trezor says it has pulled the phishing domains trezor[.]us and suite[.]xn--trzor-o51b[.]com offline. The second is the Punycode (DNS) form of suite.trẹzor.com, the lookalike address the phishing link pointed to.
Investigations have not yet determined the full impact of the breach, the company says. In a July 2020 tweet, Trezor said it deletes all sensitive user data, including email addresses, from its e-shop database after 90 days. Some security experts say this may mean that the affected users are limited to those who subscribed to the company's opt-in newsletter.
Social Engineering Caused Mailchimp Breach
Siobhan Smyth, CISO of Mailchimp, tells Information Security Media Group that its security team became aware of a malicious actor accessing one of its internal tools on March 26, 2022. These tools are used by customer-facing teams for customer support and account administration, Smyth says.
She says the source of the attack was an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised. "We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected."
Mailchimp says it then conducted a robust investigation and consulted with an external forensic counsel to understand what had happened and the subsequent impact. "Based on our investigation, we found that 319 Mailchimp accounts were viewed, and audience data was exported from 102 of those accounts. Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance, all of whom have been notified," Smyth tells ISMG.
Smyth says the investigation also found that the API keys of some accounts may have been exposed. Out of an abundance of caution, Mailchimp has disabled those API keys, put protections in place so they cannot be re-enabled and notified the affected users, she says.
Smyth says of the Trezor phishing campaign: "We've received reports of the malicious actor using the information they obtained from user accounts to send phishing campaigns to their contacts." She recommends that all Mailchimp users turn on two-factor authentication and other account security measures to keep their accounts and passwords secure.
The Phishing Mail
On Sunday, several users of Trezor's cryptocurrency hardware wallet tweeted warnings of an ongoing email phishing campaign that reached them at the email addresses they had registered with Trezor.
Hey trezor, are you aware of a phishing campaign going on? I just received this email with my actual email on it. It looked very legit. pic.twitter.com/GF0Od6llr2— josearkaos ⚡️ (@josearkanos) April 3, 2022
The phishing email claims that Trezor, which makes USB-connected hardware wallets for storing cryptocurrency and tokens, "experienced a security incident" on Saturday, and that the compromise of a Trezor Suite administrative server exposed the data of 106,856 customers.
"At this moment, it's technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you've recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen," the phishing email says.
Phishers commonly use urgent language to panic their victims. In this campaign the messages also arrived at the email addresses victims had actually registered with Trezor, which lent them credibility.
The link in the phishing email directed users to https://suite.trẹzor.com instead of https://trezor.io, information security expert Graham Cluley says.
"You'll hopefully notice that there is an underdot under the letter 'e' in 'trẹzor' in that URL. And that means you're not going to the real Trezor website, which is at https://trezor[.]io – the real domain is not even [.]com," he says.
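As an added example (not from the article, and not code from Trezor, Mailchimp or Cluley), the Python below performs the check behind Cluley's observation: it converts a link's hostname to its DNS (Punycode) form, folds the decorated letter back to its plain lookalike, and compares the result with the real domain. The function names are this example's own; the domains are the ones named in the article, and the two-label "registrable domain" rule is a simplification standing in for a public-suffix lookup.

```python
import unicodedata
from urllib.parse import urlsplit

# The real site, as the article states. Anything else that "reads" as trezor
# is suspect. (Set for this example; extend it with the brands you protect.)
LEGITIMATE_DOMAINS = {"trezor.io"}


def to_ascii(hostname: str) -> str:
    """DNS form of a hostname: non-ASCII labels become xn-- Punycode labels."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Display form of a hostname: xn-- labels are decoded back to Unicode."""
    return hostname.encode("ascii").decode("idna")


def fold_label(label: str) -> str:
    """Strip combining marks so a decorated label folds to its plain lookalike,
    e.g. 'trẹzor' (e with dot below) -> 'trezor'."""
    decomposed = unicodedata.normalize("NFD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registrable(hostname: str) -> str:
    """Last two labels. A naive stand-in for a public-suffix lookup: adequate
    for the domains in this example, wrong for e.g. *.co.uk."""
    return ".".join(hostname.split(".")[-2:])


def classify(url: str) -> dict:
    """Return the DNS name behind a link and a verdict on how it relates to
    the legitimate domains."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    ascii_host = to_ascii(host)
    is_idn = any(label.startswith("xn--") for label in ascii_host.split("."))
    display_host = to_unicode(ascii_host)
    folded = ".".join(fold_label(label) for label in display_host.split("."))
    legit_brands = {d.split(".")[0] for d in LEGITIMATE_DOMAINS}
    brand = registrable(folded).split(".")[0]

    if registrable(ascii_host) in LEGITIMATE_DOMAINS:
        verdict = "legitimate"
    elif is_idn and brand in legit_brands:
        verdict = "homograph"   # Unicode lookalike of the brand name
    elif brand in legit_brands:
        verdict = "lookalike"   # the right letters, but not the brand's domain
    else:
        verdict = "unrelated"
    return {"host": ascii_host, "display": display_host,
            "is_idn": is_idn, "verdict": verdict}


if __name__ == "__main__":
    for link in ("https://trezor.io", "https://suite.trẹzor.com",
                 "https://suite.xn--trzor-o51b.com", "https://trezor.us"):
        print(link, "->", classify(link))
```

Run against the article's phishing link, classify returns the host suite.xn--trzor-o51b.com, which is exactly the second domain Trezor said it took offline, with the verdict "homograph"; trezor[.]us comes back as "lookalike" because the letters are genuine but the domain is not the one Trezor uses. A browser that displays the xn-- form rather than the decorated name makes the trick visible in the address bar; Cluley's advice to type the official address rather than follow the link sidesteps it entirely.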
The attackers, posing as Trezor, told victims their cryptocurrency was at risk and placed a "Download Latest Version" button for what appeared to be the wallet software at the bottom of the mail. It linked to a legitimate-looking copy of the Trezor website.
Users who downloaded and ran the malicious software were asked to enter their seed phrase to "restore" their wallet. Once a user did so, the operators behind the campaign held everything needed to reconstruct the wallet's private keys, and they used it to move the victim's cryptocurrency to wallets under their own control.
A seed phrase is the list of words a cryptocurrency wallet generates when it is set up; every private key in the wallet is derived from it, so anyone who obtains it controls the associated funds.
Cluley says of this campaign: "Don't trust the email. Don't click on the link. The genuine Trezor Suite doesn't ask you for your wallet's private keys and doesn't store them online. If you do want to update your Trezor's firmware or desktop software, go to the official Trezor website instead."
Users Lost Money
Several Reddit users, likely Trezor customers, posted warnings on the forum on Sunday to alert others to the ongoing campaign. Reddit user MrChaBuDuo said he lost £55,000 in the scam because he did not check whether the link was malicious.
"Lost £55,000. Was not paying attention and was on autopilot, just doing what it said. Was arguing with my [girlfriend] via Telegram at the time. Convincing email, convincing site. Fake programme I downloaded was identical to the real thing. Had been building up my BTC for seven years and lost it in a few minutes' [due to] utter stupidity."
Other users asked MrChaBuDuo how he had entered the seed phrase in the first place as retrieving it takes a long time, and he replied, "Yes I entered my keys, because I'm [stupid]."
Mail Originated From France?
Some Reddit users say that the biggest clue in the current campaign was the header details in the phishing mail. The email address that the mail was sent from was "firstname.lastname@example.org". But since 2017, all emails that Trezor has sent its users have been from "email@example.com", as Reddit user leprcn623 observed.
Reddit user nicanotenmon confirms this finding and adds that the phishing mail seems to have originated from France: "I traced the headers of that email. It turns out the one [firstname.lastname@example.org] which is a scam has been sent from France - at least that's what it looks like. The genuine emails sent from "email@example.com" have been sent from USA - Atlanta Georgia."
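The two checks the Reddit posters describe, comparing the sender address with the domain a brand normally mails from and walking the Received chain back to the originating host, can be scripted. The Python below is an added example, not code from the article or from any of the posters; the raw message is constructed for this example with documentation addresses, and EXPECTED_SENDER_DOMAIN is a placeholder rather than Trezor's real sending domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Placeholder for the domain the brand is known to send from (assumption).
EXPECTED_SENDER_DOMAIN = "newsletter.example"

# Constructed sample, not a real captured phishing message. The display name
# says "Trezor" but the address is on an unrelated domain, and the earliest
# hop is a bare IP with no reverse DNS.
CONSTRUCTED_PHISH = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.org with ESMTP id abc123; Sun, 3 Apr 2022 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net with ESMTPSA; Sun, 3 Apr 2022 09:59:50 +0000
From: "Trezor" <security@lookalike.example>
To: victim@example.com
Subject: Security incident

Your assets are at risk.
"""


def sender_domain(raw: str) -> str:
    """Domain of the address in From:, ignoring the display name."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_chain(raw: str) -> list[dict]:
    """Hops the message passed through, earliest first.
    Each relay prepends its own Received header, so the first header in the
    message is the last hop; reversing walks from origin to our MX."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        header = " ".join(header.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", header)
        if not m:
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2) or m.group(1))
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    return hops


def assess(raw: str, expected_domain: str = EXPECTED_SENDER_DOMAIN) -> dict:
    """Sender-domain check plus the apparent origin of the message."""
    hops = received_chain(raw)
    domain = sender_domain(raw)
    return {
        "sender_domain": domain,
        "sender_matches": domain == expected_domain,
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [h["by"] for h in hops],
    }


if __name__ == "__main__":
    print(assess(CONSTRUCTED_PHISH))
```

Two caveats a practitioner should keep in mind. Only the Received headers added by servers you trust (your own MX and everything above it) are reliable; the sender controls every earlier line and can forge a plausible chain, so the origin IP is a lead, not proof. And turning that IP into a country, as the poster did, takes a GeoIP database, which the script does not include.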
Additional Domains Spotted
Although Trezor says that it has taken the phishing pages offline, a Twitter user called idclickthat, who claims to be an internet researcher, says that there are several similar-looking links that bear a close resemblance to the one used in this campaign. They have all been registered with domain name registrar Epik, the user says.
New phishing domains— idclickthat (@idclickthat) April 3, 2022
Regs with @EpikDotCom
Epik has not yet responded to ISMG's request for comment.