Got your Keys, Phone, and … Wallet? MetaMask Crypto Wallet Phishing Attack

In today’s Blox Tale, we will look at a credential phishing attack that spoofs MetaMask, one of the most widely used crypto applications in the world allowing users to store and swap cryptocurrencies, interact with blockchain, and host dApps. This email attack looked like a MetaMask verification email; however, when victims clicked the link he or she was taken to a spoofed MetaMask verification page.

Summary

Target: This email attack targeted multiple organizations across the financial industry.

Email security bypassed: Microsoft Office 365

Techniques used: social engineering, brand impersonation, spoofed landing page

The Email

The socially engineered email was titled ‘Re: [Request Updated] Ticket: 6093-57089-857’ and looked to be sent from MetaMask support email: support@metamask.as. The email body spoofed a Know Your Customer (KYC) verification request and claimed that not complying with KYC regulations would result in restricted access to MetaMask wallet.

The email prompted the victim to click the ‘Verify your Wallet’ button to complete the wallet verification. A snapshot of the email is shown below:

The bad actors utilized urgency within the body of this email in order to trick the victims into complying with the request, as well as mimicked a well-known brand to gain the victim’s trust in the email legitimately being sent from MetaMask support team.

The Phishing Page

Upon clicking the “Verify your Wallet” button, within the email, the victim was redirected to a fake landing page - one that closely resembled a legitimate MetaMask verification page. The victim was prompted to enter his or her Passphrase in order to comply with KYC regulations and to continue the use of MetaMask service. Attackers utilized MetaMask branding, logo, and referenced Passphrase credentials - of which all are associated with the legitimate MetaMask brand. This look-a-like page could easily fool unsuspecting victims, especially those who do not realize that MetaMask does not ask users to comply with KYC regulations.

The language on the fake landing page even reminded victims to make sure his or her passphrase is always protected and to double-check that nobody is watching. It’s language like this that can evoke trust, one of the primary goals of the attacks. If victims fell for this attack, they would have entered their passphrase credentials, sensitive information that attacks were aiming to exfiltrate through this email attack.

Attack Flow

The socially engineered email contained a link to a fake landing page. Even though attackers sent this email from an invalid domain, the threat still bypassed Microsoft email security.

This socially engineered attack impersonated a well-known brand, designed to create a sense of trust in the end-user. Each further engagement through the attack flow further aimed to increase this trust through legitimate logo inclusions, branding, and key attributes that are only affiliated with the spoofed brand. In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (MetaMask) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML stylings and content disclaimers similar to MetaMask branding. Although MetaMask does not require KYC verification, the colors and branding elements used within both the email and landing pages are close enough to compromise an end-user.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 as well as Armorblox highlights this in the 2022 Email Security Threat Report, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:

1. Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
2. Don’t use the same password on multiple sites/accounts.
3. Use password management software like LastPass or 1password to store your account passwords.

Learn how Armorblox protects your organization from phishing attacks.