Read on Twittercc: @Ledger @Ledger_Support @googledevs
#cryptocurrency #security #phishing https://twitter.com/sniko_/status/1236346777814601728">https://twitter.com/sniko_/st...
Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)
Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)
![Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)](https://pbs.twimg.com/media/ETkGXdbXYAkQVyg.jpg "Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)")
![Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)](https://pbs.twimg.com/media/ETkG2_CWoAEttOC.png "Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)")
![Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)](https://pbs.twimg.com/media/ETkIGz7X0AAm6aG.png "Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)")
![Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)](https://pbs.twimg.com/media/ETkIJzQXkAAwmL1.png "Extension ID: pbilbjpkfbfbackdcejdmhdfgeldakkn (6 users)Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)")
Asks for seed phrases, posts to backend hosted at ledger[.]productions/api_v1/ (cc: @Cloudflare)
Extension ID: lfaahmcgahoalphllknbfcckggddoffj (101 users)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Extension ID: dehindejipifeaikcgbkdijgkbjliojc (31 users)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Extension ID: bhkcgfbaokmhglgipbppoobmoblcomhh (119 users)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Asks for seed phrases, posts to a @googledocs form (ID: 1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ)
Delivered via @GoogleAds again, like the linked tweet in the OP
. @ZDNet coverage of the previous fake extensions - some of these function the same (using GoogleDocs) but some don& #39;t - though the are similar
I recommend reading the writeup by @campuscodi in the linked tweet for a full understanding of what& #39;s happening https://twitter.com/MyCrypto/status/1236090921373990912">https://twitter.com/MyCrypto/...
I recommend reading the writeup by @campuscodi in the linked tweet for a full understanding of what& #39;s happening https://twitter.com/MyCrypto/status/1236090921373990912">https://twitter.com/MyCrypto/...
Extension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)
Asks for seed phrases, posts to completssl[.]com/ssnd_t.php
Same backend as this Trezor one https://twitter.com/sniko_/status/1243917603745267712
cc:">https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support
Another Ledger extension on the Chrome webstoreExtension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)Asks for seed phrases, posts to completssl[.]com/ssnd_t.phpSame backend as this Trezor one https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support" title="https://abs.twimg.com/emoji/v2/... draggable="false" alt="⚠️" title="Warning sign" aria-label="Emoji: Warning sign">Another Ledger extension on the Chrome webstoreExtension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)Asks for seed phrases, posts to completssl[.]com/ssnd_t.phpSame backend as this Trezor one https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support">
Another Ledger extension on the Chrome webstoreExtension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)Asks for seed phrases, posts to completssl[.]com/ssnd_t.phpSame backend as this Trezor one https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support" title="https://abs.twimg.com/emoji/v2/... draggable="false" alt="⚠️" title="Warning sign" aria-label="Emoji: Warning sign">Another Ledger extension on the Chrome webstoreExtension ID: opmelhjohnmenjibglddlpmbpbocohck (~71 users)Asks for seed phrases, posts to completssl[.]com/ssnd_t.phpSame backend as this Trezor one https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support">
More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension
Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)
Website: myledgernano[.]com (cc: @Cloudflare)
Sends phished seed phrases to POST /device/init/payload
![More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)Website: myledgernano[.]com (cc: @Cloudflare)Sends phished seed phrases to POST /device/init/payload](https://pbs.twimg.com/media/EUNrdZIWAAIHGPA.jpg "More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)Website: myledgernano[.]com (cc: @Cloudflare)Sends phished seed phrases to POST /device/init/payload")
![More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)Website: myledgernano[.]com (cc: @Cloudflare)Sends phished seed phrases to POST /device/init/payload](https://pbs.twimg.com/media/EUNr1huWoAAEVhB.jpg "More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)Website: myledgernano[.]com (cc: @Cloudflare)Sends phished seed phrases to POST /device/init/payload")
![More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)Website: myledgernano[.]com (cc: @Cloudflare)Sends phished seed phrases to POST /device/init/payload](https://pbs.twimg.com/media/EUNr4WuWoAAPtAb.png "More @Ledger phishing delivered via @GoogleAds - A website and a Chrome extension Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)Website: myledgernano[.]com (cc: @Cloudflare)Sends phished seed phrases to POST /device/init/payload")
Extension ID: opmelhjohnmenjibglddlpmbpbocohck (see tweet above)
Website: myledgernano[.]com (cc: @Cloudflare)
Sends phished seed phrases to POST /device/init/payload
173.212.230.221 is hosting suspicious domains (myledgernano[.]com originally pointed here before hiding behind Cloudflare)
Domains targetting @Trezor and @Ledger customers (cc: @Mutex_Lock)
https://pastebin.com/raw/CawRZkyw ">https://pastebin.com/raw/CawRZ...
Domains targetting @Trezor and @Ledger customers (cc: @Mutex_Lock)
https://pastebin.com/raw/CawRZkyw ">https://pastebin.com/raw/CawRZ...
Extension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)
Asks for seed phrases, posts to completssl[.]com/ssnd_1.php
Delivered via @GoogleAds
https://twitter.com/sniko_/status/1243946328520118273
cc:">https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support
Another fake Ledger extension on the Chrome webstoreExtension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)Asks for seed phrases, posts to completssl[.]com/ssnd_1.phpDelivered via @GoogleAds https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support" title="https://abs.twimg.com/emoji/v2/... draggable="false" alt="⚠️" title="Warning sign" aria-label="Emoji: Warning sign"> Another fake Ledger extension on the Chrome webstoreExtension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)Asks for seed phrases, posts to completssl[.]com/ssnd_1.phpDelivered via @GoogleAds https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support">
Another fake Ledger extension on the Chrome webstoreExtension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)Asks for seed phrases, posts to completssl[.]com/ssnd_1.phpDelivered via @GoogleAds https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support" title="https://abs.twimg.com/emoji/v2/... draggable="false" alt="⚠️" title="Warning sign" aria-label="Emoji: Warning sign"> Another fake Ledger extension on the Chrome webstoreExtension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)Asks for seed phrases, posts to completssl[.]com/ssnd_1.phpDelivered via @GoogleAds https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support">
Another fake Ledger extension on the Chrome webstoreExtension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)Asks for seed phrases, posts to completssl[.]com/ssnd_1.phpDelivered via @GoogleAds https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support" title="https://abs.twimg.com/emoji/v2/... draggable="false" alt="⚠️" title="Warning sign" aria-label="Emoji: Warning sign"> Another fake Ledger extension on the Chrome webstoreExtension ID: mjbimaghobnkobfefccnnnjedoefbafl (~100 users)Asks for seed phrases, posts to completssl[.]com/ssnd_1.phpDelivered via @GoogleAds https://twitter.com/sniko_/st... @ChromiumDev @Ledger @Ledger_Support">
And another fake Ledger extension on the Chrome webstore
Extension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)
Asks for seeds, posts to usermetrica[.]org/api_v1
cc: @ChromiumDev @Ledger @Ledger_Support
![And another fake Ledger extension on the Chrome webstoreExtension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support](https://pbs.twimg.com/media/EUpZq9zWkAAV1ts.jpg "And another fake Ledger extension on the Chrome webstoreExtension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support")
![And another fake Ledger extension on the Chrome webstoreExtension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support](https://pbs.twimg.com/media/EUpZ8QvXkAE6W5I.png "And another fake Ledger extension on the Chrome webstoreExtension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support")
Extension ID: ddohdfnenhipnhnbbfifknnhaomihcip (~261 users)
Asks for seeds, posts to usermetrica[.]org/api_v1
cc: @ChromiumDev @Ledger @Ledger_Support
And another fake Ledger extension on the Chrome webstore
Extension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)
Asks for seeds, posts to usermetrica[.]org/api_v1
cc: @ChromiumDev @Ledger @Ledger_Support
![And another fake Ledger extension on the Chrome webstoreExtension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support](https://pbs.twimg.com/media/EUpaRhKXgAE-b_8.jpg "And another fake Ledger extension on the Chrome webstoreExtension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support")
![And another fake Ledger extension on the Chrome webstoreExtension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support](https://pbs.twimg.com/media/EUpaf_bX0AACW1r.png "And another fake Ledger extension on the Chrome webstoreExtension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)Asks for seeds, posts to usermetrica[.]org/api_v1cc: @ChromiumDev @Ledger @Ledger_Support")
Extension ID: dbcfhcelmjepboabieglhjejeolaopdl (~272 users)
Asks for seeds, posts to usermetrica[.]org/api_v1
cc: @ChromiumDev @Ledger @Ledger_Support
Another fake Ledger extension on the Chrome webstore
Extension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)
Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate it
cc: @Ledger @Ledger_Support
#malware #bitcoin
https://abs.twimg.com/hashflags... draggable="false" alt="">
Extension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)
Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate it
cc: @Ledger @Ledger_Support
#malware #bitcoin
![Another fake Ledger extension on the Chrome webstoreExtension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate itcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU4tbimXkAMHNgC.jpg)
" title="Another fake Ledger extension on the Chrome webstoreExtension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate itcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
![Another fake Ledger extension on the Chrome webstoreExtension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate itcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU4t0n6XsAMp3xx.png)
" title="Another fake Ledger extension on the Chrome webstoreExtension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate itcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
![Another fake Ledger extension on the Chrome webstoreExtension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate itcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU4vJzYXYAQD7Br.png)
" title="Another fake Ledger extension on the Chrome webstoreExtension ID: mciddpldhpdpibckghnaoidpolnmighk (~535 users)Asks for seeds, posts to walletbalance[.]org/api_v1/ - though, they& #39;ve minifed their JS and tried to obfuscate itcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
Another fake Ledger extension on the Chrome website
Extension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)
Asks for seeds, posts to completssl[.]com/ssnd_1.php
cc: @Ledger @Ledger_Support
#malware #bitcoinhttps://abs.twimg.com/hashflags... draggable="false" alt="">
Extension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)
Asks for seeds, posts to completssl[.]com/ssnd_1.php
cc: @Ledger @Ledger_Support
#malware #bitcoin
![Another fake Ledger extension on the Chrome websiteExtension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)Asks for seeds, posts to completssl[.]com/ssnd_1.phpcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU4vxYEXQAEeJ9f.jpg)
" title="Another fake Ledger extension on the Chrome websiteExtension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)Asks for seeds, posts to completssl[.]com/ssnd_1.phpcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
![Another fake Ledger extension on the Chrome websiteExtension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)Asks for seeds, posts to completssl[.]com/ssnd_1.phpcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU4wBNAXgAEr20J.jpg)
" title="Another fake Ledger extension on the Chrome websiteExtension ID: agfjbfkpehcnceblmdahjaejpnnnkjdn (~67 users)Asks for seeds, posts to completssl[.]com/ssnd_1.phpcc: @Ledger @Ledger_Support #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
Another fake Ledger extension on the Chrome website - pushed via Google Ads
Extension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)
Asks for seeds, posts to usermetrica[.]org/api_v1/
cc: @Ledger @Ledger_Support @ChromiumDev
#malware #bitcoinhttps://abs.twimg.com/hashflags... draggable="false" alt="">
Extension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)
Asks for seeds, posts to usermetrica[.]org/api_v1/
cc: @Ledger @Ledger_Support @ChromiumDev
#malware #bitcoin
![Another fake Ledger extension on the Chrome website - pushed via Google AdsExtension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)Asks for seeds, posts to usermetrica[.]org/api_v1/cc: @Ledger @Ledger_Support @ChromiumDev #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU7oobpWsAUY3rx.jpg)
" title="Another fake Ledger extension on the Chrome website - pushed via Google AdsExtension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)Asks for seeds, posts to usermetrica[.]org/api_v1/cc: @Ledger @Ledger_Support @ChromiumDev #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
![Another fake Ledger extension on the Chrome website - pushed via Google AdsExtension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)Asks for seeds, posts to usermetrica[.]org/api_v1/cc: @Ledger @Ledger_Support @ChromiumDev #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU7opf4XQAcfbxB.png)
" title="Another fake Ledger extension on the Chrome website - pushed via Google AdsExtension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)Asks for seeds, posts to usermetrica[.]org/api_v1/cc: @Ledger @Ledger_Support @ChromiumDev #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
![Another fake Ledger extension on the Chrome website - pushed via Google AdsExtension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)Asks for seeds, posts to usermetrica[.]org/api_v1/cc: @Ledger @Ledger_Support @ChromiumDev #malware #bitcoin https://abs.twimg.com/hashflags... draggable=](https://pbs.twimg.com/media/EU7oqlzWkAEy9gZ.png)
" title="Another fake Ledger extension on the Chrome website - pushed via Google AdsExtension ID: mcbcknmlpfkbpogpnfcimfgdmchchmmg (~0 users)Asks for seeds, posts to usermetrica[.]org/api_v1/cc: @Ledger @Ledger_Support @ChromiumDev #malware #bitcoin https://abs.twimg.com/hashflags... draggable="false" alt="">">
I& #39;ve been quiet on this thread (and similar others) but still we are finding more and issuing takedowns.
A new malicious @Ledger extension has changed and started using Telegram as their c2...
Not the first time we are flooding a c2 - see quoted thread
https://twitter.com/sniko_/status/1202990606638878720">https://twitter.com/sniko_/st...
A new malicious @Ledger extension has changed and started using Telegram as their c2...
Not the first time we are flooding a c2 - see quoted thread
https://twitter.com/sniko_/status/1202990606638878720">https://twitter.com/sniko_/st...
