MetaMask Users Warned of New Phishing Campaign Targeting Users

Crypto security firm Halborn has warned of a new email phishing campaign targeting MetaMask users. 

In a blog post published July 28, Halborn’s technical education specialist Luis Lubeck analysed the phishing email and highlighted red flags users should look out for to keep their digital assets safe from these types of scams.

How the Scam Works

This latest scam involves an email, ostensibly from MetaMask, asking the recipient to verify their MetaMask wallet’s seed phrase. The recipient is told the seed phrase is needed by MetaMask in order to comply with regulations and that failure to comply will result in their wallet being “restricted”:

Screenshot of the phishing scam email received by MetaMask users.

Clicking on the button to verify the seed phrase takes recipients to a fraudulent imitation of the MetaMask website where they are prompted to input their seed phrase. If the user complies, the scammers gain full access to the wallet, allowing them to steal the user’s assets.

Red Flags and Warning Signs

Lubeck cautioned that to an inexperienced, casual crypto user not paying close attention, the email could appear legitimate. However, he highlighted some important red flags, including:

  • the sending address not being from a legitimate MetaMask domain, but rather from ‘metamaks.auction’;
  • the lack of personalisation, such as the recipient’s real name or other identifying information; and
  • the call to action button linking not to MetaMask’s website, but to a fraudulent URL.
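The three red flags above (off-brand sender domain, no personalisation, a call-to-action link pointing somewhere other than the real site), plus the request for a seed phrase itself, can be checked mechanically before a user ever clicks. The script below is an added example, not code from Halborn or MetaMask: it parses a raw email with Python's standard `email` module and reports each indicator it finds. The sample messages are constructed for the demo (only the `metamaks.auction` sender domain comes from the article), and the set of legitimate brand domains is an assumption you would replace with your own allowlist.

```python
"""Added example: flag the phishing indicators described in the article.
Sample emails below are constructed; only the 'metamaks.auction' domain
is taken from the article. LEGITIMATE_DOMAINS is an assumed allowlist."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's real registrable domain(s); extend for your own allowlist.
LEGITIMATE_DOMAINS = {"metamask.io"}
GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear client", "hello user")

# Constructed lookalike of the email the article describes.
SAMPLE_EMAIL = """\
From: MetaMask Support <support@metamaks.auction>
To: user@example.com
Subject: Verify your wallet to avoid restriction
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user,</p>
<p>To comply with regulations you must verify your seed phrase or your
wallet will be restricted.</p>
<p><a href="https://metamaks.auction/verify">Verify seed phrase</a></p>
</body></html>
"""

# Constructed benign message for contrast (placeholder address and path).
CLEAN_EMAIL = """\
From: MetaMask <news@metamask.io>
To: alice@example.com
Subject: Product update

Hi Alice,
Read the release notes at https://metamask.io/news
"""


class _LinkCollector(HTMLParser):
    """Collects href targets of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Crude last-two-labels heuristic; production code should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_legitimate(host):
    return registrable_domain(host) in LEGITIMATE_DOMAINS


def phishing_indicators(raw_message, expected_name=None):
    """Return a list of red-flag descriptions found in the message (empty = none found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. The sending address must belong to the brand it claims to be.
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rpartition("@")[2]
    if not is_legitimate(sender_domain):
        flags.append(f"sender domain '{sender_domain}' is not a legitimate brand domain")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = " ".join(body.split()).lower()

    # 2. Lack of personalisation: no recipient name, or a generic salutation.
    if expected_name and expected_name.lower() not in text:
        flags.append("message is not personalised with the recipient's name")
    if any(greeting in text for greeting in GENERIC_SALUTATIONS):
        flags.append("generic salutation instead of the recipient's name")

    # 3. No legitimate wallet provider ever asks for the seed/recovery phrase.
    if "seed phrase" in text or "recovery phrase" in text:
        flags.append("asks for the wallet seed/recovery phrase")

    # 4. Every call-to-action link must resolve to the brand's own domain.
    collector = _LinkCollector()
    collector.feed(body)
    for href in collector.links:
        host = urlparse(href).hostname or ""
        if not is_legitimate(host):
            flags.append(f"link target '{href}' points off-brand ({host})")
    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw, expected_name="Alice"))
```

The domain comparison is deliberately done on the registrable domain rather than on substring matching, because `metamaks.auction` and similar lookalikes are designed to pass a casual visual check; an allowlist comparison is what catches them.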

Lubeck stressed that the best defence against phishing attacks is to be extra careful when receiving email requests related to crypto accounts or wallets:

The best defence against phishing attacks like these is to stay vigilant when receiving emails and think twice before doing anything that seems a bit unusual or potentially suspicious. 

Luis Lubeck, technical education specialist, Halborn

MetaMask Frequent Target of Scammers

Due to its status as the most popular wallet for Ethereum, MetaMask is often targeted by scammers. 

In April, MetaMask warned Apple users to disable iCloud backups after it was revealed their MetaMask seed phrases were being automatically backed up to the cloud storage service and then targeted in phishing attacks. In one case, a user lost over US$600,000 worth of assets to this scam.

In November 2021, a Reddit user reported his friend had lost 38 ETH to another MetaMask scam in which a paid Google ad directed users to a fake MetaMask website to install a fraudulent version of the browser extension, allowing scammers to steal users’ assets.

CoinGecko Warn Users of ‘Suspicious Pop-Ups’ Phishing Attacks

Several popular crypto websites, including those of data aggregator CoinGecko and Ethereum block explorer Etherscan, were targeted by a large-scale phishing scam last weekend that displayed malicious pop-ups prompting users to connect their MetaMask wallets.

The scam was linked to the now deactivated domain nftapes.win, which displayed the Bored Apes Yacht Club logo in an attempt to appear legitimate. At the time of writing, it was unclear how many users were affected and how much they lost.

How the Scam Worked

According to CoinGecko, the scammers hijacked the advertising platform Coinzilla, which displays ads across a wide network of crypto-related sites, injecting malicious code that triggered the fraudulent pop-ups.

From there it was a relatively straightforward phishing scam that leveraged the trust users placed in the websites it exploited. The pop-ups prompted users to connect their MetaMask wallets, and once they did, their digital assets were immediately transferred to the scammers.

When the advertising code was identified as the root cause of the fraudulent pop-ups, it was deactivated on the CoinGecko website.

Advertising Code a Serious Vulnerability

Twitter user and blockchain researcher @CryptoShrine explained that this type of attack is quite common and suggested that Web3 site owners should move away from advertising as a primary source of revenue:

Scams of this nature can cause significant losses for two reasons: by piggybacking on the advertising code they can affect many websites at once, and because the malicious pop-ups appear on trustworthy websites, users are more likely to fall victim.

Similar Recent Phishing Scams

As crypto has gone more mainstream in the past 18 months, the number of phishing scams has dramatically increased. Last month alone saw MetaMask issue a security alert about a phishing scam affecting iCloud users and hardware wallet provider Trezor suffer a phishing scam that exploited its MailChimp newsletter.

MetaMask Issues Phishing Attack Security Alert for iPhone Users

Software-based crypto wallet MetaMask has warned its users on Apple devices that their assets may be at risk from an iCloud-related phishing scam. 

MetaMask tweeted out the alert on April 18, stating that users of Apple devices should ensure their Apple ID password is “strong enough” and providing instructions for disabling iCloud backups:

The alert comes after a Twitter user known as revive_dom reported losing US$650,000 of digital assets to the scam.

iCloud Stores MetaMask Seed Phrase 

The crucial vulnerability the scammers exploited is that, by default, iCloud backs up the MetaMask seed phrase and stores it digitally online. 

This means that if a MetaMask user on an Apple device hasn’t specifically turned off iCloud backups and a scammer can gain access to the user’s iCloud account, the scammer has full access to the digital assets stored in that user’s MetaMask wallet.

Classic Phishing Scam with a Twist

The details of how the scam was carried out against revive_dom were tweeted by Twitter user Serpent, who is also the founder of the NFT project DAPE: 

Essentially, the scammers raised the user’s suspicions by triggering numerous iCloud password reset attempts, which made it appear as though someone was trying to maliciously access the user’s iCloud account. 

The scammers then called the user from a spoofed number, which made them appear to be from Apple support. After the scammers established trust, the user mistakenly told them the two-factor authentication code to reset their iCloud password. The scammers then had full control of the user’s iCloud account and MetaMask wallet and stole all the user’s assets.

Scam Highlights Hot Wallet Security Risks

Most Twitter users have been supportive of revive_dom and other victims of this scam, but many have also emphasised the inherent risks of storing your assets on a hot wallet such as MetaMask and have suggested victims should have been using cold wallets such as Ledger and Trezor:

MetaMask is a popular software wallet in the Ethereum ecosystem. It has made news recently for adding a feature that allows iOS users to purchase crypto directly through the MetaMask mobile app using a debit or credit card, and for blocking users from some countries, such as Iran and Venezuela, from accessing their wallets.

35 NFTs Stolen in Twitter Phishing Attacks Last Week

A Mutant Ape and a Bored Ape were among 35 NFTs stolen last week via a handful of hacked verified Twitter accounts. The combined value of the stolen NFTs is believed to exceed US$900,000.

The phishing campaign piggybacked on a Bored Ape Yacht Club (BAYC) airdrop that happened earlier this month. BAYC had airdropped ApeCoins to Mutant Ape and Bored Ape holders, which gave scammers the opening for a copycat attack: they hacked verified Twitter accounts and spread fake URLs impersonating a BAYC link:

Victims who followed the link, expecting to pay 0.33 ETH to take part, instead encountered code that gave the hackers access to their wallets. Some victims said that although the links looked strange, they assumed they were safe because they were shared by trusted public figures.

Twitter is yet to comment on the incident, despite many users feeling the social media giant is partly to blame.

Other Recent Phishing Attacks

This isn’t the first large-scale phishing attack this year. Earlier in March, US$790,000 worth of Rare Bears NFTs were stolen. That phishing scam exploited the weak security of Discord groups to circulate a ‘corrupt’ link.

More recently, a crypto venture capitalist lost US$1.7 million worth of NFTs. Arthur Cheong, the founder of Web3 and DeFi venture capital firm Defiance Capital, had his hot wallet account hacked and 59 NFTs taken.

Someone Just Lost $50K Bitcoin to Ledger Phishing Scam

Buying and holding Bitcoin (BTC) or any other cryptocurrency might be easy, but it requires a great deal of vigilance to ensure you don’t lose your coins to cyber-scams. Hackers are becoming a serious threat to the growth and development of the crypto industry. Today, a Bitcoin investor reportedly lost about US$50,000 in life savings to hackers in a recent Ledger wallet phishing attack.

Ledger Phishing Scam

Ledger is one of the largest hardware wallet providers for storing cryptocurrencies offline. About a month ago, the company’s marketing/sales database was breached, exposing customers’ contact information to the attackers. This allowed them to send fraudulent messages to wallet users who had given Ledger their contact details before the breach.

Part of the phishing message sent to Ledger users reads: “Our forensics team has found several of the Ledger Live administrative servers to be infected with malware.” While the message looked professional, the content was false. A few customers were able to spot the attack and raised the alarm. However, the attackers recently changed the content of the message, telling customers that their wallet had been disabled due to know-your-customer (KYC) regulation.

US$50,000 in Bitcoin Gone!

As Brad Mills tweeted on Tuesday, the updated message tricked the Bitcoin investor into sending his life savings to the Ledger phishing scammers. According to Mills, being your own bank is not enough: Bitcoin investors must also be extra vigilant against social engineering attacks. Another essential rule for all crypto investors is never to enter a wallet seed phrase into any link or website.

Seed phrases should only ever be entered directly on the wallet itself, in this case the Ledger device.