Email security, Threat Management

Credential phishing attack spoofs cryptocurrency app MetaMask, targets financial industry

A credential-phishing attack spoofing crypto application MetaMask has been targeting the financial industry. Pictured: Workers prepare a presentation of advanced email at the CeBIT 2012 technology trade fair on March 5, 2012, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Researchers identified a credential-phishing attack that spoofs MetaMask, one of the most widely used crypto applications that lets users store and swap cryptocurrencies, interact with blockchain, and host dApps, which are built on a decentralized network supported by a blockchain distributed ledger.

In a June 23 blog post, Armorblox researchers said in bypassing Microsoft Office 365, this email attack targeted multiple organizations across the financial industry.

The researchers said the email attack looked like a MetaMask verification email. However, when victims clicked the link they were taken to a spoofed MetaMask verification page. The email body spoofed a know-your-customer verification request and claimed that not complying would result in restricted access to MetaMask wallet. The email prompted the victim to click the “Verify your Wallet” button to complete the wallet verification, but they were then sent to a fake landing page where they were asked to provide their credentials, fooling unsuspecting victims.

With this type of scam, crypto wallet companies are impersonated by scammers to gain access to private information needed to access a customer’s crypto wallet, explained Ryan McCurdy, vice president of marketing at Bolster, Inc. McCurdy said these sites appear legitimate by using specific company names and logos and usually contain the company name in the domain. They ask for details, such as a customer’s keystore file, wallet password, mnemonic phrase, wallet address, BIP39/BIP44 recovery phrase, and private key — basically all the information needed for a scammer to empty a victim’s crypto wallet in the blink of an eye.

“Often, a phishing email will be sent to customers who spoof these wallet companies,” McCurdy said. “These phishing emails make various claims about data breaches, missing information, updating information, and incorrect transactions to direct customers to these fraudulent sites. As with most phishing emails, urgency is created leaving unassuming targets little time to think before visiting these sites and giving away their private information. And beware, we’ve observed these types of scams targeting not only the more well-known crypto wallet companies, but also the lesser well-known.”

John Bambenek, principal threat hunter at Netenrich, added that there’s a notion that cryptocurrency is modern and decentralized. Bambenek said in reality, cryptocurrency is 100 years behind financial institutions on consumer protection, and it’s radically centralized.

“There are exceptionally few places to exchange cryptocurrency for the conventional user, which makes it easy to phish and defraud,” Bambenek said. “It has been a boon to cybercrime and cybercriminals and will remain so for some time.”

Hank Schless, senior manager, security Solutions at Lookout, said because cryptocurrency is a newer technology, it offers an opportunity for threat actors to socially engineer targets. Schless said crypto investors are continuously looking for an edge in the market or what the next big currency that’s going to explode in value. Attackers can use this thirst for information to get users to download malicious apps or share login credentials for legitimate trading platforms they use. Schless said the attacker could then use the malicious app to exfiltrate additional data from the device it’s on or take the login credentials they’ve stolen and try them across any number of cloud apps used for both work and personal life. 

“Crypto platform providers need to ensure that their employees are protected and don’t become conduits for cybercriminals to make their way into the infrastructure,” Schless said. “Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal a backstage pass to the company’s infrastructure. The risk of this happening can be reduced by implementing a powerful combination of a unified mobile threat defense and cloud access security broker solution that can protect the user on the endpoint and recognize anomalous activity indicative of a compromised employee account.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.