Major Phishing Campaign Targets Trezor Crypto Wallets

Cryptocurrency hardware firm Trezor has acknowledged an ongoing multi-channel phishing campaign designed to trick customers into granting access to their wallets.

“The attackers contact the victims via phone call, SMS and/or email to say that there’s been a security breach or suspicious activity on their Trezor account,” the firm warned in a Twitter post.

“We have not found any evidence of a recent database breach. We will never contact you via calls or SMS.”

Trezor provides hardware-based wallets for users to store their cryptocurrency. Although this is nominally more secure than a software-based wallet, users who are tricked into handing over their “recovery seed” could give scammers access to their funds.

The 12- or 24-character password is intended to help users who have a lost, stolen or malfunctioning device to restore their wallet on another device.

Users took to Twitter to post screenshots of the phishing campaign. In one message, a spoofed Trezor notice urges users to upgrade their wallets because it “failed to complete the new Ethereum Merge.”

In another, users are informed that “Trezor Suite has recently endured a security breach” and that they should follow a link in order to “secure your assets.”

Doing so would take them to a phishing page spoofed to appear like a legitimate Trezor site.

“At this moment its technically impossible to accurately assess the scope of the data breach. Due to these circumstances if you’ve recently used your Trezor Suite, we must assume that all your assets are currently at risk. In the spirit of transparency, we want to make our customer aware of this incident,” it states.

“We felt time was of the essence, and we are expediently working through our investigation. If you received this message it means that you’ve been affected by the breach. In order to protect all your assets please follow the procedure to secure your assets.”

Clicking on a “Start” button would then take the victim to a page to enter their recovery seed.

This isn’t the first time Trezor users have been targeted in this way. Last April, a highly convincing phishing campaign targeted users after their contact details were lifted from a newsletter mailing list hosted by MailChimp.