A phishing campaign targeting users of the MetaMask software cryptocurrency wallet is attempting to steal account credentials.
Detailed today by researchers at Armorblox Inc., the phishing emails target Microsoft Office 365 customers, particularly in organizations across the financial industry. The emails used in the campaign look like a MetaMask verification email.
The socially engineered emails were titled ‘Re: [Request Updated] Ticket: 6093-57089-857’ and appeared to be sent from a MetaMask support email: firstname.lastname@example.org. The email body spoofed a Know Your Customer verification request and claimed that not complying with KYC regulations would result in restricted access to the MetaMask wallet.
The email prompted victims to click the ‘Verify your Wallet’ button to complete the wallet verification. Those behind the campaign utilized urgency in the email to trick the victims into complying with the request.
Upon clicking on the link in the email, users are taken to a fake landing page that closely resembles the legitimate MetaMask verification page. The victims are asked to enter their passphrase to comply with KYC regulations and to continue using MetaMask.
The fake “look-alike” page uses MetaMask’s branding and logo and references the passphrase credentials associated with the actual site. The language on the fake landing page also reminded victims to ensure their passphrase is always protected and to make sure that nobody is watching. The researchers note that “it’s language like this that can evoke trust, one of the primary goals of the attacks.”
Suffice it to say, if the victims entered their details, their MetaMask accounts were then compromised.
The researchers recommend augmenting native email security with additional controls as the MetaMask phishing emails got past native email security. Organizations should augment built-in email security with layers that take a different approach to threat detection.
Email users should also engage with emails rationally and methodically whenever possible. Subject the email to an eye test, including the sender name, email address and language in the email, and look for any logical inconsistencies.
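As an added example (not code from the Armorblox report or this article), the eye test above can be turned into a simple check run over a constructed message modelled on the campaign; it assumes metamask.io is the brand's legitimate sending domain and uses a .example host as a placeholder for the phishing site.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: metamask.io is the brand's real sending domain; extend for your estate.
LEGIT_DOMAINS = {"metamask.io"}
BRAND = "metamask"
# Cues taken from the campaign described above: KYC pretext, credential request, urgency.
SUSPECT_PHRASES = ["know your customer", "kyc", "verify your wallet",
                   "restricted access", "passphrase"]

def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def eye_test(raw_email: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing odd."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Brand name in the sender, but the address is not on the brand's domain.
    if BRAND in (name + addr).lower() and domain not in LEGIT_DOMAINS:
        findings.append(f"brand impersonation: '{name}' sent from {domain or '?'}")
    # 2. 'Re:' subject with no thread headers: a reply to a conversation that never happened.
    if msg.get("Subject", "").lower().startswith("re:") and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject says 'Re:' but no In-Reply-To/References header")
    # 3. Pretext, pressure and credential-request language in the body.
    body = _body_text(msg).lower()
    hits = [p for p in SUSPECT_PHRASES if p in body]
    if hits:
        findings.append("pressure/credential language: " + ", ".join(hits))
    # 4. Links whose host is not the brand's own domain.
    for host in re.findall(r"https?://([\w.-]+)", body):
        if host not in LEGIT_DOMAINS:
            findings.append(f"link to non-brand host: {host}")
    return findings

# Constructed sample modelled on the campaign (not a real message; .example is a placeholder).
PHISH = """From: MetaMask Support <support@metamask-kyc-verify.example>
Subject: Re: [Request Updated] Ticket: 6093-57089-857
Content-Type: text/plain

Know Your Customer (KYC) verification is required. Failure to comply will result
in restricted access to your wallet. Click Verify your Wallet:
https://metamask-kyc-verify.example/verify and enter your passphrase.
"""
```

Running `eye_test(PHISH)` reports all four findings; a message from no-reply@metamask.io with links only to metamask.io and no pressure language returns an empty list.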
The researchers also recommend using multifactor authentication and password management best practices. This includes not using the same password on multiple sites and accounts and using a password manager to store account passwords.