Brand impersonation: Ledger

Detects inbound messages impersonating the brand of Ledger (ledger.com), the hardware cryptocurrency wallet vendor, either by spoofing the real domain with a foreign return path or by sending from a lookalike domain or display name that the organization has never corresponded with.

Sublime rule

name: "Brand impersonation: Ledger"
description: |
    Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
  - "https://ledger.com"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // branch 1: the From domain is the real ledger.com but the bounce address
    // (Return-Path) is not one of Ledger's known sending infrastructures
    (
      sender.email.domain.root_domain == 'ledger.com'
      and headers.return_path.domain.root_domain not in (
        'ledger.com',
        'amazonses.com',
        'ledger.fr',
        'hubspotemail.net'
      )
    )
    // branch 2: lookalike sender that the org has no prior relationship with
    or (
      (
        // only match Ledger's actual domains if DMARC fails
        not (
          sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
          and headers.auth_summary.dmarc.pass
        )
        or not sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
      )
      and (
        // local part or domain ending in "-ledger.com", an exact (case-insensitive)
        // display name of "ledger", or a second-level domain within one edit of "ledger"
        strings.ilike(sender.email.email, '*-ledger.com*')
        or sender.display_name =~ "ledger"
        or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
      )
      and (
        // if this comes from a free email provider,
        // flag if org has never sent an email to sender's email before
        (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $recipient_emails
        )
        // if this comes from a custom domain,
        // flag if org has never sent an email to sender's domain before
        or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $recipient_domains
        )
      )
    )
  )
  // legitimate senders whose names contain "ledger" or sit within one edit of it
  and sender.email.domain.root_domain not in (
    // Fortune has a newsletter called "The Ledger"
    'fortune.com',
    'velocityledger.com',
    'lever.co',
    'queensledger.com',
    'libertyledger.com',
    'uledger.io',
    'ledgers.org.uk',
    'leger.co.uk',
    'xledger.net'
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"
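To see how the rule's branches interact, the following is an added example, written for this page and not part of the Sublime rule or the Sublime engine: a Python re-implementation of the three sender checks above (return-path mismatch, lookalike indicators, no prior correspondence), run over constructed sample messages. Two simplifications are assumptions: root-domain extraction is a naive "last two labels" split rather than a public-suffix lookup, and the org-specific lists `$free_email_providers`, `$recipient_emails` and `$recipient_domains` are replaced by stand-in sets. Note that MQL's `=~` is case-insensitive equality, not a substring match, so a display name of "Ledger Support" does not satisfy that clause on its own; the sample set includes a case that relies on the Levenshtein clause instead.

```python
"""Added example: approximate re-implementation of the Ledger brand-impersonation
rule's sender checks, run over constructed sample messages. Not Sublime code."""
from dataclasses import dataclass

LEDGER_DOMAINS = {"ledger.com", "ledger.fr"}
ALLOWED_RETURN_PATH = {"ledger.com", "amazonses.com", "ledger.fr", "hubspotemail.net"}
EXCLUDED_ROOT_DOMAINS = {
    "fortune.com", "velocityledger.com", "lever.co", "queensledger.com",
    "libertyledger.com", "uledger.io", "ledgers.org.uk", "leger.co.uk", "xledger.net",
}
# Stand-ins for the Sublime list variables (assumption: real contents are org specific).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"support@gmail.com"}   # addresses the org has previously mailed
RECIPIENT_DOMAINS = {"partner.example"}    # domains the org has previously mailed


def root_domain(domain):
    # Assumption: naive "last two labels"; Sublime uses a public-suffix list.
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def sld(domain):
    # second-level label, e.g. "ledqer" for "mail.ledqer.com"
    return root_domain(domain).split(".")[0]


def levenshtein(a, b):
    # classic DP edit distance, case-insensitive (mirrors strings.ilevenshtein)
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    sender_email: str        # sender.email.email
    display_name: str        # sender.display_name
    return_path_domain: str  # headers.return_path.domain.domain
    dmarc_pass: bool         # headers.auth_summary.dmarc.pass
    inbound: bool = True     # type.inbound


def matches_ledger_rule(msg):
    if not msg.inbound:
        return False
    sender_domain = msg.sender_email.split("@", 1)[1].lower()
    sender_root = root_domain(sender_domain)
    if sender_root in EXCLUDED_ROOT_DOMAINS:
        return False

    # Branch 1: From claims ledger.com but the bounce address is foreign.
    spoofed_return_path = (
        sender_root == "ledger.com"
        and root_domain(msg.return_path_domain) not in ALLOWED_RETURN_PATH
    )

    # Branch 2: lookalike indicators, unless it is an authenticated real Ledger domain.
    authenticated_ledger = sender_root in LEDGER_DOMAINS and msg.dmarc_pass
    looks_like_ledger = (
        "-ledger.com" in msg.sender_email.lower()           # ilike '*-ledger.com*'
        or msg.display_name.lower() == "ledger"             # =~ is case-insensitive equality
        or levenshtein(sld(sender_domain), "ledger") <= 1   # ilevenshtein(sld, "ledger") <= 1
    )
    is_free = sender_root in FREE_EMAIL_PROVIDERS
    unsolicited = (
        (is_free and msg.sender_email.lower() not in RECIPIENT_EMAILS)
        or (not is_free and sender_domain not in RECIPIENT_DOMAINS)
    )
    lookalike = (not authenticated_ledger) and looks_like_ledger and unsolicited

    return spoofed_return_path or lookalike


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike_sld": Message("security@ledqer.com", "Ledger Support", "ledqer.com", False),
    "free_mail_display": Message("ledger.support@gmail.com", "Ledger", "gmail.com", True),
    "real_dmarc_pass": Message("news@ledger.com", "Ledger", "ledger.com", True),
    "real_bad_return_path": Message("news@ledger.com", "Ledger", "bulk.mailer-example.net", False),
    "fortune_newsletter": Message("newsletter@fortune.com", "The Ledger", "fortune.com", True),
    "known_partner": Message("ops@partner.example", "Ledger", "partner.example", True),
}


def evaluate_samples():
    return {name: matches_ledger_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'no match'}")
```

The "known_partner" case shows why the prior-correspondence clause matters: a display name of exactly "Ledger" from a custom domain the org has already mailed is suppressed, while the same display name from a never-seen free-mail address is flagged. The "lookalike_sld" case is caught only by the Levenshtein clause, since "Ledger Support" is not equal to "ledger".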
