Arsgera - Fotolia

How is the Trezor cryptocurrency online wallet under attack?

A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it with expert Nick Lewis.

The Trezor cryptocurrency online wallet service recently discovered a phishing campaign that hijacked traffic meant for the wallet.trezor.io domain and redirected it to a fake website. How was the traffic hijacked and what can be done to stop such an attack?

The interconnected nature of the internet and the need to trust so many different independent parties makes it very difficult to secure an entire system or application. Even when the most robust security controls are used for an application or cloud service, attackers can still target third parties and use that access for future attacks. Attackers can even target weaknesses in the Border Gateway Protocol (BGP) or the domain name system (DNS) infrastructure to redirect network traffic to malicious hosts.

The Trezor cryptocurrency online wallet service was recently targeted after a malicious actor used either a BGP route hijacking attack or a DNS poisoning attack. The Trezor cryptocurrency online wallet is a hardware device used to securely store cryptocurrency. While it uses a hardware device, the device has functionality to back up its data to a computer and connect it to the service over the internet. These external connections are potentially the weakest links in the system's security.

Users were targeted via phishing emails that required them to enter information to recover access to cryptocurrency stored in the hardware wallet. Trezor reported that the phishing email had errors within it that may have helped some users determine that it was malicious.

Once the user clicked on the link or went to the Trezor website, they were redirected to the phishing website that used the same URL as the legitimate website and a certificate error occurred. At the time the attack was reported, it wasn't clear whether the malicious actors had used BGP route hijacking or DNS poisoning to redirect users from the legitimate Trezor website to the malicious site.

Determining what redirection method was used will be difficult for Trezor without cooperation from the ISPs of the targeted users -- most users use DNS servers from ISP and rely on it to be routed to the legitimate network.

Enterprises can prevent similar attacks by following the updated MANRS guidelines on how to improve BGP security, the steps to secure a DNS, and how to push ISPs and the networking community to widely adopt these security controls.

Ask the expert: 
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities