Brand impersonation: Ledger

Attack impersonating the brand of ledger.com, the hardware cryptocurrency wallet vendor.

Sublime rule

name: "Brand impersonation: Ledger"
description: |
    Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
  - "https://ledger.com"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    (
      sender.email.domain.root_domain == 'ledger.com'
      and headers.return_path.domain.root_domain not in (
        'ledger.com',
        'amazonses.com',
        'ledger.fr',
        'hubspotemail.net'
      )
    )
    or (
      (
        // only match ledger actual domains if dmarc fails
        not (
          sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
          and headers.auth_summary.dmarc.pass
        )
        or not sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
      )
      and (
        strings.ilike(sender.email.email, '*-ledger.com*')
        or sender.display_name =~ "ledger"
        or strings.istarts_with(sender.display_name, "ledger")
        or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
      )
      and (
        // if this comes from a free email provider,
        // flag if org has never sent an email to sender's email before
        (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $recipient_emails
        )
        // if this comes from a custom domain,
        // flag if org has never sent an email to sender's domain before
        or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $recipient_domains
        )
      )
    )
  )
  and sender.email.domain.root_domain not in (
    // Fortune has a newsletter called "The Ledger"
    'fortune.com',
    'velocityledger.com',
    'lever.co',
    'queensledger.com',
    'libertyledger.com',
    'uledger.io',
    'ledgers.org.uk',
    'leger.co.uk',
    'xledger.net'
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"
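The rule's sender checks modelled in Python as an added example (not the Sublime engine or its MQL): the Return-Path allow-list for genuine ledger.com mail, the DMARC exemption, the lookalike tests (display name, "-ledger.com" in the address, Levenshtein distance of at most 1 on the second-level domain), the never-contacted-before check and the known-benign exclusion list. FREE_EMAIL_PROVIDERS, the recipient sets and the sample messages are constructed stand-ins for the platform's $free_email_providers, $recipient_emails and $recipient_domains, and root_domain is a two-label simplification of the real registrable-domain lookup.

```python
from dataclasses import dataclass

FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed stand-in
LEDGER_DOMAINS = {"ledger.com", "ledger.fr"}
ALLOWED_RETURN_PATHS = {"ledger.com", "amazonses.com", "ledger.fr", "hubspotemail.net"}
# Known-benign senders the rule excludes (Fortune publishes a newsletter called "The Ledger").
EXCLUDED_ROOTS = {"fortune.com", "velocityledger.com", "lever.co", "queensledger.com",
                  "libertyledger.com", "uledger.io", "ledgers.org.uk", "leger.co.uk", "xledger.net"}

@dataclass
class Message:
    sender_email: str        # From: address
    display_name: str        # From: display name
    return_path_domain: str  # root domain of the Return-Path header
    dmarc_pass: bool         # result of DMARC evaluation

def levenshtein(a: str, b: str) -> int:
    # Edit distance, used for the lookalike test on the sender's second-level domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain: str) -> str:
    # Simplification: last two labels; a real engine consults the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])

def matches(msg: Message, recipient_emails: set, recipient_domains: set) -> bool:
    # True when the message meets the rule's conditions.
    email = msg.sender_email.lower()
    domain = email.split("@", 1)[1]
    root = root_domain(domain)
    name = msg.display_name.lower()
    if root in EXCLUDED_ROOTS:
        return False
    # Branch 1: mail claiming the genuine ledger.com domain but with an unexpected Return-Path.
    if root == "ledger.com" and msg.return_path_domain.lower() not in ALLOWED_RETURN_PATHS:
        return True
    # Branch 2: lookalike senders; genuine, DMARC-passing Ledger mail is exempt.
    if root in LEDGER_DOMAINS and msg.dmarc_pass:
        return False
    lookalike = ("-ledger.com" in email or name == "ledger" or name.startswith("ledger")
                 or levenshtein(root.split(".")[0], "ledger") <= 1)
    if not lookalike:
        return False
    # Flag only senders the organisation has never written to (free-mail by address, custom domain by domain).
    if root in FREE_EMAIL_PROVIDERS:
        return email not in recipient_emails
    return domain not in recipient_domains
```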
