The Trezor cryptocurrency online wallet service recently discovered a phishing campaign that hijacked traffic meant for the wallet.trezor.io domain and redirected it to a fake website. How was the traffic hijacked and what can be done to stop such an attack?
The interconnected nature of the internet and the need to trust so many different independent parties makes it very difficult to secure an entire system or application. Even when the most robust security controls are used for an application or cloud service, attackers can still target third parties and use that access for future attacks. Attackers can even target weaknesses in the Border Gateway Protocol (BGP) or the domain name system (DNS) infrastructure to redirect network traffic to malicious hosts.
The Trezor cryptocurrency online wallet service was recently targeted after a malicious actor used either a BGP route hijacking attack or a DNS poisoning attack. Trezor itself is a hardware device used to store cryptocurrency securely, but the device can back up its data to a computer and connects to the wallet service over the internet. These external connections are potentially the weakest links in the system's security.
Users were targeted via phishing emails that required them to enter information to recover access to cryptocurrency stored in the hardware wallet. Trezor reported that the phishing email contained errors that may have helped some users recognize it as malicious.
Once users clicked on the link or went to the Trezor website, they were redirected to a phishing website that used the same URL as the legitimate site, and a certificate error occurred. At the time the attack was reported, it wasn't clear whether the malicious actors had used BGP route hijacking or DNS poisoning to redirect users from the legitimate Trezor website to the malicious one.
Determining which redirection method was used will be difficult for Trezor without cooperation from the targeted users' ISPs -- most users use their ISP's DNS servers and rely on them to be routed to the legitimate network.
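The two tells described above, resolvers disagreeing about where wallet.trezor.io lives and a certificate that does not validate for the hostname, can be checked from the client side. The following is an added example, not Trezor's code or anything from the original article; it assumes the per-resolver answers are gathered separately (for example with a DNS library) and uses constructed TEST-NET addresses as sample input.

```python
"""Flag signs of DNS poisoning or BGP hijacking for a hostname.

Two checks: (1) do several independent resolvers agree on the address,
and (2) does the host at that address present a certificate that
validates for the hostname? A failed certificate check was the visible
symptom in the Trezor incident."""
import socket
import ssl
from collections import Counter
from typing import Dict, List, Set


def resolver_disagreement(answers: Dict[str, Set[str]]) -> List[str]:
    """Return the resolvers whose answer set differs from the majority.

    `answers` maps a resolver label to the set of IPv4 strings it returned.
    An empty list means every resolver agreed. With an even split the
    'majority' is whichever set Counter saw first, so any non-empty
    result is worth a look."""
    tally = Counter(frozenset(a) for a in answers.values())
    majority = tally.most_common(1)[0][0]
    return sorted(r for r, a in answers.items() if frozenset(a) != majority)


def assess(answers: Dict[str, Set[str]], cert_ok: bool) -> str:
    """Combine both checks into a single verdict string."""
    if not cert_ok:
        return "ALERT: certificate does not validate for hostname (possible hijack)"
    odd = resolver_disagreement(answers)
    if odd:
        return "WARN: resolvers disagree: " + ", ".join(odd)
    return "OK"


def certificate_validates(hostname: str, ip: str, timeout: float = 5.0) -> bool:
    """Connect to `ip` on 443 and verify the chain and hostname (via SNI).

    Uses the system trust store through ssl.create_default_context.
    Returns False on any TLS or socket failure. This is a live network
    call and is not exercised by the constructed sample below."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except (ssl.SSLError, ssl.CertificateError, OSError):
        return False


# Constructed sample (RFC 5737 TEST-NET addresses, not real Trezor hosts):
# the ISP resolver returns a different address than two independent ones.
SAMPLE_ANSWERS = {
    "isp": {"203.0.113.9"},
    "resolver_a": {"198.51.100.20"},
    "resolver_b": {"198.51.100.20"},
}
```

In real use, `answers` would be filled from queries sent to each resolver directly, and `cert_ok` from `certificate_validates("wallet.trezor.io", ip)` for each distinct address returned.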
Enterprises can help prevent similar attacks by following the updated MANRS guidelines on improving BGP security, taking the steps to secure DNS, and pushing ISPs and the networking community to adopt these security controls widely.
Related Q&A from Nick Lewis