Crooks impersonate MetaMask to target crypto investors on Microsoft 365
A credential phishing attack that spoofed popular crypto wallet MetaMask to bypass Microsoft 365 defenses has been detected by cyber watchdog Armorblox.
The social engineering scam took the form of an email purporting to be from the crypto app’s support team, which urged the unwary to click on a bogus link so the victim could, ironically, run a know-your-customer (KYC) security check.
Titled “Re: [Request Updated] Ticket: 6093-57089-857” and sent from [email protected], the scam completed its devious facade by using realistic brand imagery associated with MetaMask, which was recently estimated to have 21 million users a month.
Upon clicking on a button marked “verify your wallet,” victims were taken to a landing page set up by cybercriminals that harvested the credentials they entered to confirm the phony “due diligence” check.
“The email body spoofed a KYC verification request, and claimed that not complying with regulations would result in restricted access to the MetaMask wallet,” said Armorblox, detailing a classic social engineering tactic that puts a victim under pressure in the hope that they will not think clearly before acting.
“Even though attackers sent this email from an invalid domain, the threat still bypassed Microsoft email security,” it added. “This socially engineered attack impersonated a well-known brand, designed to create a sense of trust in the end user. In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence.”
The scam used cybersecurity-style language and “even reminded victims to make sure his or her passphrase is always protected, and to double check that nobody is watching.” It also featured HTML formatting and disclaimers similar to the real MetaMask to complete the illusion, blinding victims to one crucial fact – the company does not ask for KYC verification.
“It’s language like this that can evoke trust, one of the primary goals of the attacks,” said Armorblox. “If victims fell for this attack, they would have entered their passphrase credentials, sensitive information that attackers were aiming to exfiltrate.”
Armorblox did not specify how many potential victims the scam might have claimed, but urged users to scrutinize the sender address and the language used in unsolicited messages, adopt multifactor authentication, and avoid reusing passwords across accounts and websites.
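The checks Armorblox recommends (look at the sender domain, the links, and the pressure language) can be automated for triage. The script below is an added example written for this page, not Armorblox's or MetaMask's code. It parses an e-mail, compares the claimed brand against the sending domain and link hosts, reads the SPF/DKIM/DMARC verdicts from the inbound MX's Authentication-Results header, and flags the social-engineering tells described above (urgency, passphrase talk, and a KYC demand from a wallet that does not do KYC). The two messages are constructed to resemble the lure, not copies of the real e-mail; the attacker domains use the reserved .example TLD, and treating metamask.io as the brand's only legitimate domain is an assumption to adjust per brand.

```python
"""Heuristic triage for a brand-impersonation phish, run over constructed samples.

Added example, not Armorblox's or MetaMask's code. The .example domains and the
two messages are constructed; LEGIT_DOMAINS is an assumption about the brand.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "metamask"
LEGIT_DOMAINS = {"metamask.io"}  # assumption: the brand's own mail/web domain(s)

URGENCY = re.compile(r"\b(within \d+ hours|immediately|restricted access|suspended?|urgent)\b", re.I)
SECRET_TERMS = re.compile(r"\b(seed phrase|secret recovery phrase|passphrase|private key)\b", re.I)
KYC_TERMS = re.compile(r"\bKYC\b|know[- ]your[- ]customer", re.I)

# Constructed phishing sample modelled on the lure described in the article.
PHISH_EML = """\
From: MetaMask Support <support@metamask-verify.example>
To: victim@example.com
Subject: Re: [Request Updated] Ticket: 0000-00000-000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=metamask-verify.example; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear user, regulations now require KYC verification of your wallet.</p>
<p>Failure to comply within 24 hours will result in restricted access to your MetaMask wallet.</p>
<p><a href="https://metamask-kyc.example/verify">Verify your wallet</a></p>
<p>Always keep your secret recovery phrase protected and make sure nobody is watching.</p>
</body></html>
"""

# Constructed benign control: right domain, authentication passes, no pressure, no secrets.
BENIGN_EML = """\
From: MetaMask <news@metamask.io>
To: victim@example.com
Subject: Release notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=metamask.io; dkim=pass header.d=metamask.io; dmarc=pass
Content-Type: text/html; charset=utf-8

<html><body><p>Read the release notes at <a href="https://metamask.io/news">metamask.io</a>.</p></body></html>
"""


def registrable(host: str) -> str:
    """Collapse a hostname to its last two labels. Simplification: production code
    should use the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def auth_results(msg) -> dict:
    """Parse spf/dkim/dmarc verdicts from Authentication-Results. Only the header
    stamped by your own inbound MX is trustworthy; a sender can forge this field."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def analyze(raw: str) -> list:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender claims the brand (display name or domain) but mails from a domain it doesn't own.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    claims_brand = BRAND in display.lower() or BRAND in from_domain
    if claims_brand and registrable(from_domain) not in LEGIT_DOMAINS:
        findings.append(f"From claims {BRAND} but domain is {from_domain}")

    # 2. SPF/DKIM/DMARC did not pass for the sending domain.
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'absent')}")

    # 3. Links point off-brand: the lure's "verify your wallet" button led to an attacker page.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in LEGIT_DOMAINS:
            findings.append(f"link to off-brand host {host}")

    # 4. Social-engineering tells: time pressure, talk of the passphrase, and a KYC
    #    demand made in the name of a wallet that does not perform KYC.
    if URGENCY.search(body):
        findings.append("urgency/pressure language")
    if SECRET_TERMS.search(body):
        findings.append("mentions seed phrase / passphrase")
    if claims_brand and KYC_TERMS.search(body):
        findings.append("KYC demand in the brand's name")
    return findings


def verdict(raw: str) -> str:
    n = len(analyze(raw))
    return "phish" if n >= 3 else ("suspicious" if n else "clean")


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, verdict(raw), analyze(raw))
```

The authentication check is the one that matters most: a message that claims a brand yet fails DMARC for that brand's domain should be quarantined regardless of how convincing the HTML is. The keyword rules are deliberately loose and exist to raise a score, not to decide on their own.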