Trezor Web Wallet Sees Faked URL Attack

The online version of the Trezor wallet is prone to attacks similar to those on MyEtherWallet, which rely on creative spelling of the URL.

The Trezor online wallet has been targeted by a faked-URL attack, in an attempt to steal seed phrases. Redditors accidentally discovered a now-defunct site that mimicked the official wallet. Faked URL attacks are relatively low-tech, but rather efficient.

This type of attack relies on human error, and has nothing to do with the overall security of Trezor devices. Faked links to online wallets, even beyond Trezor, have been disseminated over chat channels, or lie in wait for those who make a typo.

The best advice is to open only the bookmarked version of the online wallet. The fake online wallet for Trezor claims that a firmware update is needed, as an excuse to ask for the seed phrase. Fake Trezor wallets have been a known threat for a while, but new versions are constantly appearing.
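A check for the kind of lookalike host that creative spelling produces, as an added example (not code from Trezor or from the original article). The domain `wallet.example` is a placeholder for the vendor's real domain, the sample hosts are constructed, and treating the last two labels as the registrable domain is a simplification of proper public-suffix handling.

```python
import unicodedata

# Placeholder for the wallet vendor's real domain (assumption; the article names none).
OFFICIAL = "wallet.example"

def fold(host):
    """Decode punycode labels, then strip diacritics so 'ẹ' compares equal to 'e'."""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                         # already Unicode, or malformed
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)         # transposed neighbours
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host, official=OFFICIAL, max_dist=2):
    raw = host.strip().rstrip(".").lower()
    if raw == official or raw.endswith("." + official):
        return "official"
    folded = fold(raw)
    reg = ".".join(folded.split(".")[-2:])   # crude registrable domain: last two labels
    if reg == official:
        return "lookalike-homoglyph"         # matches only after folding
    if osa_distance(reg, official) <= max_dist:
        return "lookalike-typo"
    if official.split(".")[0] in folded:
        return "lookalike-brand"             # brand used as a subdomain or substring
    return "unrelated"

# Constructed sample hosts, not taken from the article.
if __name__ == "__main__":
    for h in ["app.wallet.example", "wall\u1eb9t.example", "walelt.example",
              "wallet.example.login.test", "docs.example.org"]:
        print(f"{h:32} {classify(h)}")
```

Diacritic folding does not catch cross-script homoglyphs such as Cyrillic letters; those need a confusables table.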

Trezor wallets still have multiple known vectors of attack. Vendors are still selling faked wallets, or devices that have been tampered with to reveal the seed phrase to third parties.

Other types of attack use calls to install faked firmware or other software packages. Google ads often feature faked online wallet links, when not flagged and removed in time. Another form of attack is DNS redirection, where users are shown a different page in place of the official site, again asking for the seed phrase.

Trezor advises entering the seed phrase only into a tamper-free personal hardware device, which shields the seed phrase. In general, a seed phrase is best used in an offline wallet that has no way of relaying the information to a third party.

Hardware wallets are seen as among the most secure options for long-term storage. Recently, Trezor made an upgrade to its firmware, offering a Bitcoin-only version for storing the leading coin, potentially appealing to Bitcoin maximalists.

Users will now have a choice between the Bitcoin-only version and a firmware that supports multiple assets.

