Researchers have identified a credential phishing attack that spoofs MetaMask, one of the most widely used crypto applications, which allows users to store and exchange cryptocurrencies, interact with the blockchain, and… to host dApps, which are built on a decentralized network backed by a blockchain distributed ledger.
In a June 23 blog post, Armorblox researchers said that by bypassing Microsoft Office 365, this email attack targeted several financial industry organizations.
Researchers said the email attack resembled a MetaMask verification email. However, when victims clicked on the link, they were redirected to a spoofed MetaMask verification page. The body of the email spoofed a Know Your Customer (KYC) verification request and claimed that failure to complete it would result in restricted access to the MetaMask wallet. The email tricked the victim into clicking the “Verify your wallet” button to complete the wallet verification, but they were then sent to a fake landing page where they were asked to provide their credentials.
With this type of scam, crooks impersonate crypto wallet companies to obtain the private information needed to access a customer’s crypto wallet, explained Ryan McCurdy, vice president of marketing at Bolster, Inc. McCurdy stated that these sites appear legitimate by using a specific company’s name and logos, and usually contain the company name in the domain. They ask for details such as a client’s keystore file, wallet password, mnemonic phrase, wallet address, BIP39/BIP44 recovery phrase, and private key – basically all the information a scammer needs to empty a victim’s crypto wallet in the blink of an eye.
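The observation that these fraudulent sites “usually contain the company name in the domain” is a usable detection heuristic for mail-security tooling. The following is an added illustration, not code from the article, Armorblox, Bolster or MetaMask: it extracts the hostname from each link in an e-mail, strips a few common character substitutions, and flags any link that mentions a wallet brand without resolving to that brand’s allow-listed domain. The brand list, the allow-listed domain (a placeholder, not the vendor’s real domain) and the sample URLs are all constructed assumptions.

```python
"""Flag e-mail links that impersonate a crypto-wallet brand in their hostname.

Added illustration; the brand list, allow-list and sample URLs are constructed
assumptions, not data from the article or from the vendors it names.
"""
from urllib.parse import urlparse

# Hypothetical allow-list: registered domains that legitimately belong to a brand.
# A real deployment would populate this from the vendor's published domains.
LEGIT_DOMAINS = {
    "metamask": {"metamask.example"},  # placeholder, not the real vendor domain
}

# Common look-alike substitutions to undo before matching (constructed list).
_CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "-": "", "_": ""}
)


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(text: str) -> str:
    """Lower-case and undo digit/punctuation substitutions such as m3ta-mask."""
    return text.lower().translate(_CONFUSABLES)


def flag_brand_impersonation(urls, legit=LEGIT_DOMAINS):
    """Return [(url, brand, reason)] for links whose hostname mentions a brand
    but whose registered domain is not on that brand's allow-list."""
    findings = []
    for url in urls:
        host = urlparse(url).hostname or ""
        if not host:
            continue
        reg = registered_domain(host)
        for brand, allowed in legit.items():
            if reg in allowed:
                continue  # genuine brand domain, nothing to flag
            if brand in normalise(reg):
                findings.append((url, brand, f"brand name inside look-alike domain {reg}"))
            elif brand in normalise(host):
                # e.g. metamask.example.<attacker-domain>: brand lives only in a subdomain
                findings.append((url, brand, f"brand name only in subdomain of {reg}"))
    return findings


# Constructed sample links as they might be extracted from a suspicious e-mail.
SAMPLE_LINKS = [
    "https://metamask.example/verify",                      # allow-listed
    "https://meta-mask-verify.example/wallet",              # brand in look-alike domain
    "https://metamask.example.login-wallet.example/kyc",    # brand only in subdomain
    "https://news.example/crypto",                          # unrelated
    "http://m3tamask.example/verify",                       # digit substitution
]

if __name__ == "__main__":
    for url, brand, reason in flag_brand_impersonation(SAMPLE_LINKS):
        print(f"FLAG [{brand}] {url}: {reason}")
```

The check is deliberately a hostname heuristic rather than a blocklist: a lookalike registered under a fresh domain is caught on first sight, while the allow-list keeps genuine vendor mail from being flagged. The two-label registered-domain split is naive (it mishandles suffixes like co.uk); a production version would use a public-suffix list.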
“Often a phishing email will be sent to customers who are spoofing these holding companies,” McCurdy said. “These phishing emails make various claims regarding data breaches, missing information, update information and incorrect transactions to direct customers to these fraudulent sites. As with most phishing emails, urgency is created, giving modest targets little time to think before visiting these sites and disclosing their private information. And beware, we have observed these types of scams targeting not only the most well-known crypto wallet companies, but also the lesser-known ones.”
John Bambenek, principal threat hunter at Netenrich, added that there is a notion that cryptocurrency is modern and decentralized. Bambenek said that in reality, cryptocurrency is 100 years behind financial institutions in consumer protection, and it is radically centralized.
“There are exceptionally few places to trade cryptocurrency for the conventional user, which facilitates phishing and fraud,” Bambenek said. “It has been a boon for cybercrime and cybercriminals and will remain so for some time.”
Hank Schless, senior director of security solutions at Lookout, said that as cryptocurrency is a newer technology, it provides threat actors with an opportunity to create targets for social engineering. Schless said crypto investors are always looking for an edge in the market or for the next big currency that will explode in value. Attackers can use this thirst for information to trick users into downloading malicious apps or sharing login credentials for the legitimate trading platforms they use. Schless said the attacker could then use the malicious app to exfiltrate additional data from the device it is on, or take the stolen login credentials and try them on any number of cloud applications used for both work and personal life.
“Crypto platform providers need to ensure that their employees are protected and don’t become conduits for cybercriminals to break into the infrastructure,” Schless said. “Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal behind-the-scenes access to corporate infrastructure. The risk of this happening can be reduced by implementing a powerful combination of a unified mobile threat defense solution and cloud access security broker that can protect the user on the device and recognize abnormal activity indicating a compromised employee account.”