For those who don’t know, I invest in some criptocurrencies, and I decided to buy a hard wallet from Trezor. Today, I woke up with an unexpected e-mail which apparently was sent by them:
I usually tend to always delete “alarming” e-mail messages, but some flags led be to believe on it when I read the message.
I have a habit to create accounts using e-mail aliases. An e-mail alias is nothing more than a keyword we can use on e-mail addresses. Instead of using [email protected] in every site, I use [email protected], for example. That is very useful for security, but I’ll get into why in a different article.
However, what led me to believe this e-mail was the fact I received it with the alias, and in this case, a specific alias I only use in that service.
When I opened the URL, I got redirected to the following page:
When I decided to open the main page, trezor.com, I noticed something was wrong. I ended up in a Russian store that sells beautiful and robust lockers:
Did you notice something odd in the URL? The page I ended up on was suite.trẹzor.com, with ẹ, not e. The domain is a bit different in this case:
This scam is known as IDN homograph attack. These domains are very identical to the original one, but using non-latin characters, such as cyrillic or with accents, like ã or ẹ, in this case.
Looking at the page, I decided to click on
Trezor suite for web to see where I would lend. The
link points to web.trezorwallet.org, which is different than the official URL, https://suite.
With these suspitions in mind, I decided to check the registration date of these domains, which is also a bit odd:
|xn–trzor-o51b.com (trẹzor.com) - Main page||27.03.2022 - 11:09:17 (UTC)|
|trezorwallet.org - Webclient||27.03.2022 - 07:03:32 (UTC)|
|trezor.us - Domain from the scam e-mail||09.07.2021 - 00:01:19 (UTC)|
Trezor is an existing company since 2013. Having such brand-new domains is also a scam indication.
Another thing to keep in mind is the fact that most Trezor built apps are open-source, including Trezor Suite, the landing page and their own website. Anyone is able to download the source-code, edit the clients and create scam apps or pixel perfect pages due to that.
After analyzing all these factors, even though the e-mail convinced me at the beginning due to the alias, everything suggests that their e-mail list got leaked somehow and these e-mails are an attempt of scam.
Trezor also announced on their Reddit about the pottential data leak from MailChimp.
I reported the incident to all companies involved on the domain registration by checking their WHOIS, to the Internet Crime Complaint Center and to the Internet Beschwerdestelle.