The team behind the Trezor multi-cryptocurrency wallet service has discovered a phishing attack against some of its users that took place over the weekend.

The Trezor team says "signs point toward DNS poisoning or BGP hijacking" as the means attackers hijacked legitimate traffic meant for the official wallet.trezor.io domain but redirected these users to a malicious server hosting a fake website. An investigation is still underway to determine the exact cause.

Incident spotted after HTTPS certificate error

The incident came to light after users complained that they encountered an invalid HTTPS certificate when landing on Trezor's web wallet portal.

An invalid certificate usually means that the website on which users landed was not the actual portal, but someone posing as the Trezor website, which could not cryptographically verify itself as the real website.

This error alerted the Trezor community, whose members quickly reported the incident to the Trezor team, who later confirmed the phishing attempt and warned users about the attack on early Sunday morning (US timezones).

Fake website had other problems

The Trezor team said they determined this was a legitimatee phishing attack and not just random SSL server error (which tend to happen some of the time) because they spotted two problems with the fake website.

The first was an error message that was worded differently from the original Trezor site, which told users that syncing data their Trezor hardware wallet and their Trezor web account had failed.

Second, the fake website was asking users to enter a copy of their "recovery seed," something the Trezor team said would never do.

Trezor says the manuals of its two types of Trezor wallets —One and Model T— clearly state that users should never enter the recovery seed anywhere but the Trezor device, and never on a computer (app or website regardless).

This immediately gave the website away as a phishing attempt to recover recovery seeds, which are codes that can allow an attacker to take over Trezor accounts.

Bookmark in this case isn't enough. Seems like DNS poisoning attack. Checking for valid cert helps though. — slush (@slushcz) July 1, 2018

I had some issues yesterday, when accessing your site. It seems to be related with DNS. Is https://t.co/wGje8x5lRN legit? — Carsten (@Carsten71071425) July 1, 2018

The Trezor team said it was able to take down the malicious site after contacting its hosting provider and having it taken down.

It is too early to determine or estimate if the attacker stole user funds or the number of stolen funds.

In April 2018, a hacker (hacker group) hijacked a crucial Amazon BGP route to perform a similar phishing attack, but on the domain of MyEtherWallet.com, a web-based Ether wallet app.