⚠️ Four more @Ledger browser extensions. A thread...

cc: @Ledger @Ledger_Support @googledevs

#cryptocurrency #security #phishing https://twitter.com/sniko_/status/1236346777814601728

Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)

Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)

Extension ID: lfaahmcgahoalphllknbfcckggddoffj (101 users)

Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)

Extension ID: dehindejipifeaikcgbkdijgkbjliojc (31 users)

Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)

Extension ID: bhkcgfbaokmhglgipbppoobmoblcomhh (119 users)

Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)

Delivered via @GoogleAds again, like the linked tweet in the OP

@ZDNet coverage of the previous fake extensions - some of these function the same (using GoogleDocs) but some don't - though they are similar

I recommend reading the writeup by @campuscodi in the linked tweet for a full understanding of what's happening https://twitter.com/MyCrypto/status/1236090921373990912

⚠️ Another Ledger extension on the Chrome webstore

Extension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)

Asks for seed phrases, posts to completssl[.]com/ssnd_t.php

Same backend as this Trezor one https://twitter.com/sniko_/status/1243917603745267712

cc: @ChromiumDev @Ledger @Ledger_Support

More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension

Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)

Website: myledgernano[.]com (cc: @Cloudflare)

Sends phished seed phrases to POST /device/init/payload

173.212.230.221 is hosting suspicious domains (myledgernano[.]com originally pointed here before hiding behind Cloudflare)

Domains targeting @Trezor and @Ledger customers (cc: @Mutex_Lock)

https://pastebin.com/raw/CawRZkyw

⚠️ Another fake Ledger extension on the Chrome webstore

Extension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)

Asks for seed phrases, posts to completssl[.]com/ssnd_1.php

Delivered via @GoogleAds

https://twitter.com/sniko_/status/1243946328520118273

cc: @ChromiumDev @Ledger @Ledger_Support

And another fake Ledger extension on the Chrome webstore

Extension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)

Asks for seeds, posts to usermetrica[.]org/api_v1

cc: @ChromiumDev @Ledger @Ledger_Support

And another fake Ledger extension on the Chrome webstore

Extension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)

Asks for seeds, posts to usermetrica[.]org/api_v1

cc: @ChromiumDev @Ledger @Ledger_Support
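
Added here as a defensive example, not the thread author's code: a hunt script that checks a Chrome profile's installed extensions against the extension IDs and defanged backend domains listed in the tweets above. It assumes Chrome's standard on-disk layout `<profile>/Extensions/<extension id>/<version>/manifest.json`; the demo profile directory, the extension names and the benign extension ID it builds are constructed for the demonstration.

```python
"""Hunt a Chrome profile for the fake Ledger extensions reported in the thread.

Added example, not the thread's own code. Assumes the Chrome layout
<profile>/Extensions/<extension id>/<version>/manifest.json. Extension IDs and
defanged domains come from the thread; everything else is constructed.
"""
import json
import os
import tempfile

# Extension IDs reported in the thread (all ask for seed phrases).
KNOWN_BAD_IDS = {
    "pbilbjpkfbfbackdcejdmhdfgeldakkn",
    "lfaahmcgahoalphllknbfcckggddoffj",
    "dehindejipifeaikcgbkdijgkbjliojc",
    "bhkcgfbaokmhglgipbppoobmoblcomhh",
    "opmelhjohnmenjibglddlpmbpbocohck",
    "mjbimaghobnkobfefccnnnjedoefbafl",
    "ddohdfnenhipnhnbbfifknnhaomihcip",
    "dbcfhcelmjepboabieglhjejeolaopdl",
}

# Backend domains from the thread, kept defanged exactly as posted.
KNOWN_BAD_DOMAINS = {
    "ledger[.]productions",
    "completssl[.]com",
    "usermetrica[.]org",
    "myledgernano[.]com",
}


def refang(domain):
    """Turn the 'example[.]com' notation back into a matchable hostname."""
    return domain.replace("[.]", ".")


def manifest_domain_hits(manifest, bad_domains=KNOWN_BAD_DOMAINS):
    """Return the bad domains referenced by a manifest's permission/match lists."""
    candidates = list(manifest.get("permissions", []))
    candidates += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        candidates += script.get("matches", [])
    hits = {d for entry in candidates for d in bad_domains if refang(d) in entry}
    return sorted(hits)


def scan_profile(profile_dir, bad_ids=KNOWN_BAD_IDS, bad_domains=KNOWN_BAD_DOMAINS):
    """Walk <profile>/Extensions and report every installed version matching an IoC."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                try:
                    manifest = json.load(fh)
                except ValueError:  # unreadable manifest: still match on the id
                    manifest = {}
            reasons = []
            if ext_id in bad_ids:
                reasons.append("known-bad extension id")
            domain_hits = manifest_domain_hits(manifest, bad_domains)
            if domain_hits:
                reasons.append("references " + ", ".join(domain_hits))
            if reasons:
                findings.append({"id": ext_id, "version": version,
                                 "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


def build_demo_profile():
    """Create a constructed profile dir: one thread-listed ID plus one benign extension."""
    root = tempfile.mkdtemp(prefix="chrome-demo-")

    def write(ext_id, version, manifest):
        d = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

    # Constructed manifest for an ID the thread reports; the host permission is a
    # constructed illustration of an extension reaching the backend the thread names.
    write("pbilbjpkfbfbackdcejdmhdfgeldakkn", "1.0.0", {
        "name": "Ledger Wallet Helper (constructed)", "manifest_version": 2,
        "permissions": ["storage", "https://ledger.productions/*"],
    })
    # Constructed benign extension with a made-up ID.
    write("aaaabbbbccccddddeeeeffffgggghhhh", "2.3.1", {
        "name": "Tab Notes (constructed)", "manifest_version": 2, "permissions": ["storage"],
    })
    return root


if __name__ == "__main__":
    for f in scan_profile(build_demo_profile()):
        print(f"{f['id']} v{f['version']} ({f['name']}): {'; '.join(f['reasons'])}")
```

To run it against a real install, pass the profile directory instead of the demo one, e.g. `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows. Matching on the ID catches the exact extensions in the thread; matching on the backend domains in permission and match lists catches re-uploads of the same code under a new ID, which the thread shows the operators doing repeatedly.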
I've been quiet on this thread (and similar others) but still we are finding more and issuing takedowns.

A new malicious @Ledger extension has changed and started using Telegram as their c2...

Not the first time we are flooding a c2 - see quoted thread

https://twitter.com/sniko_/status/1202990606638878720