Halborn, a blockchain security firm based in Miami, Florida, recently disclosed a new phishing campaign specifically targeting MetaMask users and issued a set of warnings and guidelines to mitigate it.
Fresh off a $90 million Series A funding round, Halborn provides blockchain security infrastructure and analytics for crypto and Web3 firms. According to Halborn's report, the active campaign delivered malicious emails to current MetaMask users through social engineering, an attack vector that tricks people into giving up confidential information or access to systems. The campaign uses a fake version of the MetaMask extension in an attempt to steal users' private keys, mnemonic (seed) phrases, and other sensitive data.
MetaMask has worked with Halborn before: a case resolved in June followed an earlier Halborn security notice that MetaMask users' private keys could be found unencrypted on disk. MetaMask responded to that report with a patch in version 10.11.3 and later. Other new malware also surfaced in late July: Luca Stealer, written in Rust and targeting Web3 infrastructure. Mars Stealer, another malware strain that specifically targeted MetaMask, was discovered earlier, in February.
Halborn discovered that the campaign was active after analysing scam emails received in July this year. The emails appeared authentic, carrying MetaMask's branding and logomark, and asked users to comply with Know Your Customer (KYC) procedures and verify their wallets. Tell-tale errors were also noted, including spelling mistakes and obviously fake sender addresses, and the emails were delivered even though they came from a fake domain.
Email security stacks typically include spam filtering and phishing-detection algorithms, but these can be worked around by creating false sender identities and registering domains whose names sound like, or are spelled like, the brand being impersonated. Since these messages bypassed standard security measures, the cybercriminals behind this campaign likely have a more sophisticated understanding of social engineering than the average scammer.
The attacks were launched through links in the emails, which redirected unwary users to a bogus MetaMask login page. According to Halborn, these bogus pages directly asked users to enter their seed phrases, thereby giving the threat actors unauthorized access to the user's wallet.
Phishing scams and other kinds of hacks have proliferated across the crypto space in the last few years, with a number of high-profile DeFi protocols, exchanges, and wallets being targeted. Another hallmark of phishing scams, according to Halborn, is the lack of personalization in the message: the recipient is not addressed by their actual registered name. On a desktop browser, the real destination of a malicious link is often revealed by hovering the cursor over the call-to-action button. Halborn has advised all MetaMask users to be extra vigilant when clicking on links in emails, even if they appear to come from a trusted source.
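The three hallmarks described above (a sender domain that imitates the brand, a link whose visible text differs from where it actually points, and a message with no personalization) can be turned into an automated triage check. The script below is an added example and is not Halborn's or MetaMask's code. It assumes metamask.io is the only legitimate sender domain, approximates the registrable domain with the last two DNS labels instead of the Public Suffix List, and runs over a constructed sample email rather than a real message from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the article): metamask.io is the only legitimate brand domain.
LEGIT_DOMAINS = {"metamask.io"}
# Greetings that show the sender never knew the recipient's registered name.
GENERIC_GREETINGS = ("dear user", "dear customer", "dear metamask user",
                     "dear valued", "hello user", "dear client")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). A real deployment would consult the
    Public Suffix List; this simplification is enough for the sample below."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True when the host is not legitimate but imitates a legitimate domain:
    within two edits of it, or embedding the brand name in some other domain
    (e.g. metamask-verify.example or metamask.io.example.net)."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return False
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if levenshtein(reg, legit) <= 2 or brand in host.lower():
            return True
    return False


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs plus the body's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def triage(raw_email: str) -> list:
    """Return a list of phishing indicators found in a raw message with an HTML body."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Sender domain: lookalike of the brand, or simply unrelated to it.
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    if sender_host and registrable(sender_host) not in LEGIT_DOMAINS:
        kind = "lookalike" if is_lookalike(sender_host) else "unrelated"
        findings.append(f"sender domain {sender_host} is {kind}")

    parser = _LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))

    # 2. Links: the programmatic equivalent of hovering over the button.
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        if is_lookalike(host):
            findings.append(f"link target {host} imitates a legitimate domain")
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown.lower())
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(f"link text shows {m.group(1)} but points to {host}")

    # 3. Personalization: a generic greeting instead of the registered name.
    body_text = " ".join(parser.text).lower()
    if any(g in body_text for g in GENERIC_GREETINGS):
        findings.append("generic greeting, no personalization")
    return findings


# Constructed sample modelled on the described lure (not a real campaign email).
SAMPLE_EMAIL = """\
From: MetaMask Support <support@metamsk.io>
To: victim@example.com
Subject: Action required: verify your wallet (KYC)
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear User,</p>
<p>To comply with KYC regulations you must verify your wallet within 24 hours.</p>
<p><a href="https://metamask-kyc-verify.xyz/login">https://metamask.io/verify</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

None of these heuristics is proof on its own; a newsletter with a generic greeting is not phishing, and an attacker who has registered a convincing domain and personalized the mail passes all three. They are the cheap first pass that the article's advice (look at the sender domain, hover over the button, notice the missing name) amounts to when written down.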
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.