The hardware wallet manufacturer, Trezor, has warned their users about a phishing campaign that is affecting its users. On July the 1st, the company discovered a ‘clone of Trezor Wallet’ that was tricking users to give their recovery seed.
After this situation, Trezor decided to publish a blog post with details about the attack and how to avoid them and lose all the funds. Some users have already reported losses after they gave their personal seed to recover the funds.
The company wrote a Tweet warning its users about a clone of the Trezor Wallet. They explain that it is very important to always check for a valid https connection while using wallet.trezor.io. At the same time, Trezor explains that the device itself can be trusted and it is recommended to verify all the actions on its screen.
PSA: Phishing. We have encountered a clone of Trezor Wallet, tricking users to divulge their recovery seed. Always check for a valid https connection while using https://t.co/rTfKn8bzIL.
The device itself can be trusted; make sure to verify all actions on the Trezor screen. pic.twitter.com/or8Lw6M265
— TREZOR (@TREZOR) July 1, 2018
In a blog post uploaded by Satoshi Lab, the information provided is more complete and clear about what happened and what to do. They informed that the Support Team started receiving messages about an invalid SSL certificate.
The situation happened because there was a fake Trezor Wallet website that was asking users for their seeds because of ‘data damage.’
However, Trezor has some important recommendations for its users, including never writing the recovery seed on a computer.
The company explained about the Trezor One:
“You should never enter your recovery seed on a computer, along with the order number. The order is always given to you by your Trezor device. Never by the computer.”
It is always important to see the ‘Secure’ sign in the browser address bar. If the certificate is invalid, then the browser will warn you.
There are other important security measures like verifying all the operations on the Trezor device and only trust the device display. Moreover, users should never give sensitive or private data to anybody, not even to SatoshiLabs, the company behind Trezor. They will never be asking for private information, recovery seed or other sensitive data.
At the moment, the fake Wallet has been taken down by the hosting provider, according to SatoshiLabs. But it is important to remain alert in the future.