As the popularity of cryptocurrencies continues to grow, so does the prevalence of phishing attacks targeting crypto wallet holders. Recently, a new MetaMask phishing site has been identified using Typeform to redirect domains and steal crypto wallet seed phrases.
The campaign is the alternative to the 2022 campaigns, where threat actors used Android and iOS applications to target MetaMask users.
On April 19, 2022, during their Open-Source Intelligence (OSINT) research, Cyble Research Labs came across several phishing sites distributing malware targeting the MetaMask application.
MetaMask, a well-known digital currency wallet, integrates with the Ethereum Blockchain, enabling users to reach their Ethereum wallets via a web browser or mobile application. The same campaigns seem to have returned yet again, but the perpetrators now use websites instead of mobile applications.
The Cyber Express has reached out to MetaMask to comment on the incident and is yet to receive a response.
MetaMask phishing attacks: What you need to know!
New MetaMask phishing site is abusing Typeform to redirect domains and steal crypto wallet seed phrases.
/metamaskvalidator.com -> /s3mjwck3sdj.typeform[.]com/@typeform #phishing @Ax_Sharma @MetaMaskSupport @BleepinComputer @LawrenceAbrams pic.twitter.com/PVKoFNZWR6
— Dominic Alvieri (@AlvieriD) February 13, 2023
One of the most critical things to remember when protecting your crypto assets is to refrain from entering your Secret Recovery Phrase on a website. This information can be used to access your crypto wallet and steal your funds.
During previous campaigns, the threat actor targeted Android and iOS MetaMask users and stole seed phrases from the victim’s device.
A seed phrase is crucial for accessing a digital currency wallet. However, cyber attackers, can access the victim’s MetaMask account and purloin various cryptocurrencies by stealing the seed phrase. The malware used in the campaign was designed to steal cryptocurrency and specifically target crypto users.
In April 2022, Cyble Research Labs observed that the malicious package was hosted on over ten phishing sites.
During the attack process, a user may receive unsolicited messages or emails containing a phishing URL. If the user clicks on the URL, they might be directed to a page that appears authentic to a legitimate MetaMask website, despite being part of a phishing attempt.
The phishing site uses the icon and name of the MetaMask wallet and copies the UI of the genuine Metamask website to trick the user.
After thoroughly examining the phishing website, the researchers discovered that the Threat Actors (TAs) had altered the URL of the “Download now” button, which initiated the download of the malicious package.
Despite this, other features, such as support, controls, etc., on the phishing site remain unchanged and resemble those of the legitimate MetaMask site, successfully deceiving unsuspecting victims.
When users interact with the ‘Download’ button, they are redirected to the download options page, where they can download the app for iOS, Chrome, and Android.
Fast forward to February 2023, the campaign is back and is continuously looking for new victims.
Don’t trust anyone who sends you a direct message, and NEVER give your Secret Recovery Phrase to anyone or enter it into any site! For support, open MetaMask and navigate to “Support” or “Get Help” within the dropdown menu.
— MetaMask Support (@MetaMaskSupport) February 13, 2023
“Don’t trust anyone who sends you a direct message, and NEVER gives your Secret Recovery Phrase to anyone or enter it into any site! For support, open MetaMask and navigate to “Support” or “Get Help” within the dropdown menu,” read a response by MetaMask Support to a tweet by cybersecurity analyst Dominic Alvieri.
MetaMask phishing attacks: the rise of crypto hackers
Phishing attacks have become a severe threat to the security of crypto wallet holders, and it is crucial to take proactive measures to protect your assets. One way to do this is by regularly checking your wallet for unauthorized activity.
If you notice any suspicious activity, you should take immediate steps to secure your account, such as changing your password, enabling two-factor authentication, or even transferring your funds to a new wallet.
Enabling two-factor authentication is another critical step in protecting your crypto assets. This involves using a second verification form, such as a code sent to your phone, to confirm your identity before logging into your account.
Two-factor authentication adds an extra layer of security and makes it more difficult for attackers to access your account.
Using a hardware wallet to store your funds is another recommended practice for protecting your crypto assets. Hardware wallets are physical devices that keep your private keys and require manual confirmation before any transactions occur.
This makes it much more difficult for attackers to gain access to your funds, as they would need physical access to your device.
Phishing attacks threaten crypto wallet holders’ security severely. It is essential always to be vigilant and take steps to protect your assets. This includes:
- Never entering your Secret Recovery Phrase on a website.
- Regularly checking your wallet for unauthorized activity.
- Enabling two-factor authentication.
- Using a hardware wallet to store your funds.
By staying informed and taking proactive measures to protect your crypto assets, you can help safeguard against potential attacks and ensure that your investments remain secure.
