www.armorblox.com
Submitted URL: https://www.armorblox.com/blog/metamask-crypto-phishing-attack?utm_medium=newsletter&utm_source=email&utm_campaign=en%2B20...
Effective URL: https://www.armorblox.com/blog/metamask-crypto-phishing-attack/?utm_medium=newsletter&utm_source=email&utm_campaign=en%2B2...
Submission Tags: falconsandbox
Submission: On September 14 via api from US — Scanned from DE
GOT YOUR KEYS, PHONE, AND … WALLET? METAMASK CRYPTO WALLET PHISHING ATTACK
Written by Lauryn Cash
Threat Research / 6.23.22

In today's Blox Tale we look at a credential phishing attack that spoofs MetaMask, one of the most widely used crypto wallets, which lets users store and swap cryptocurrencies and interact with blockchains and decentralized applications (dApps). The email posed as a MetaMask verification notice; when victims clicked its link, they were taken to a spoofed MetaMask verification page.

SUMMARY
Target: multiple organizations across the financial industry
Email security bypassed: Microsoft Office 365
Techniques used: social engineering, brand impersonation, spoofed landing page

THE EMAIL
The socially engineered email was titled 'Re: [Request Updated] Ticket: 6093-57089-857' and appeared to come from a MetaMask support address, support@metamask.as, a domain MetaMask does not own. The body spoofed a Know Your Customer (KYC) verification request and claimed that failing to comply with KYC regulations would restrict access to the victim's MetaMask wallet. It prompted the victim to click a 'Verify your Wallet' button to complete the verification.
A snapshot of the email is shown below:
Fig 1: Fake KYC verification for crypto wallet email spoofing MetaMask

The attackers used urgency in the body to pressure victims into complying, and mimicked a well-known brand so the email would be trusted as genuinely coming from the MetaMask support team.

THE PHISHING PAGE
Clicking the 'Verify your Wallet' button in the email redirected the victim to a fake landing page that closely resembled a legitimate MetaMask verification page. The victim was prompted to enter their passphrase (the wallet's secret recovery phrase) in order to comply with KYC regulations and keep using the MetaMask service. The attackers used MetaMask branding, the MetaMask logo and passphrase terminology, all of which are associated with the legitimate brand. The look-alike page could easily fool unsuspecting victims, especially those who do not realize that MetaMask, a non-custodial wallet, does not perform KYC at all.

Fig 2: Link in email leads to fake MetaMask verification landing page

The fake landing page even reminded victims to keep their passphrase protected and to double-check that nobody was watching. Language like this evokes trust, one of the primary goals of the attack. Victims who fell for it would have entered their passphrase, the sensitive information the attackers were aiming to exfiltrate. Whoever holds a wallet's recovery phrase controls the wallet outright: it cannot be reset, and no second factor protects it.

ATTACK FLOW
The socially engineered email contained a link to a fake landing page. Although the email was sent from an invalid domain, it still bypassed Microsoft email security. The attack impersonated a well-known brand to create a sense of trust in the end user.
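The sender-domain and link checks that separate this email from a real MetaMask notification can be scripted. The triage function below is an added example, not Armorblox or MetaMask code; it parses one raw RFC 5322 message with Python's standard library and reports brand-impersonation cues: a display name or sender domain that claims the brand while the real domain is not on the brand's allow-list (a lookalike such as metamask.as), a 'Re:' subject with no In-Reply-To/References header (a fabricated thread), urgency and KYC wording, and links whose host is not the brand's. The allow-list (metamask.io), the sample messages, the recipient address and the link host metamask-wallet-verification.example are constructed assumptions for the demonstration.

```python
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for the impersonated brand (MetaMask's real mail domain is assumed to be metamask.io).
BRAND = "metamask"
BRAND_DOMAINS = {"metamask.io"}
# Wording the described email used to pressure the victim (plus common variants).
URGENCY_TERMS = ("restricted", "suspend", "immediately", "within 24 hours", "verify your wallet", "kyc")


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._label).strip(), self._href))
            self._href = None


def _is_brand_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def triage_email(raw):
    """Return a list of human-readable findings for one raw message (empty list = no cues found)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # 1. Display name says "MetaMask" but the envelope domain is not the brand's.
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    claims_brand = BRAND in display_name.lower() or BRAND in sender_domain
    if claims_brand and not _is_brand_domain(sender_domain):
        findings.append(f"sender claims {BRAND} but mails from non-brand domain {sender_domain}")
        if BRAND in sender_domain:
            findings.append(f"lookalike sender domain: {sender_domain}")

    # 2. A "Re:" subject on a message that is not actually a reply.
    subject = str(msg.get("Subject", ""))
    if re.match(r"\s*re:", subject, re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject is a 'Re:' but message has no In-Reply-To/References (fabricated thread)")

    # 3. Urgency / compliance pressure in the body text.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = _LinkCollector()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency/compliance pressure: " + ", ".join(hits))

    # 4. Call-to-action links that leave the brand's domains, or whose text shows a different host.
    for label, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if claims_brand and host and not _is_brand_domain(host):
            findings.append(f"link '{label}' points to non-brand host {host}")
        label_host = urlparse(label).hostname if "://" in label else None
        if label_host and label_host.lower() != host:
            findings.append(f"link text shows {label_host} but href goes to {host}")
    return findings


# Constructed sample modelled on the email described in this post (not the real message).
RAW_PHISH = """\
From: "MetaMask Support" <support@metamask.as>
To: victim@bank.example
Subject: Re: [Request Updated] Ticket: 6093-57089-857
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Under Know Your Customer (KYC) regulations we must verify the owner of your wallet.
Failure to comply will result in restricted access to your MetaMask wallet.</p>
<p><a href="https://metamask-wallet-verification.example/kyc">Verify your Wallet</a></p>
</body></html>
"""

# Constructed benign counterpart: brand display name, brand domain, brand link, no pressure.
RAW_BENIGN = """\
From: MetaMask <news@metamask.io>
To: user@bank.example
Subject: What's new this month
Content-Type: text/html; charset="utf-8"

<html><body><p>New features shipped in this release.</p>
<p><a href="https://metamask.io/news/">Read the release notes</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", RAW_PHISH), ("benign", RAW_BENIGN)):
        print(name, triage_email(raw))
```

None of these checks is conclusive on its own; the value is that the lookalike domain, the fake thread and the off-brand link all appear together, which is exactly the combination native filtering let through here.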
Each further step in the attack flow aimed to build on that trust with legitimate-looking logos, branding and attributes that only the spoofed brand uses. To push the victim into complying and handing over sensitive data, the attackers used urgent language in both the email body and the fake landing page, making it clear that time was of the essence.

RECAP OF TECHNIQUES USED
This email attack employed a range of techniques to get past traditional email security filters and pass the eye test of unsuspecting victims.

Social engineering: The email title, design and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (MetaMask), and urgency through the language used in both the email and the fake landing page. The attack also leverages the curiosity effect, a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML styling and content disclaimers similar to MetaMask branding. Although MetaMask does not require KYC verification, the colors and branding elements used in both the email and the landing page are close enough to compromise an end user.

GUIDANCE AND RECOMMENDATIONS
1. Augment native email security with additional controls
The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether spear phishing, business email compromise or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
Gartner's Market Guide for Email Security covers the new approaches vendors brought to market in 2021, and Armorblox's 2022 Email Security Threat Report highlights them as well; both are a good starting point for an evaluation.

2. Watch out for social engineering cues
Because we get so many emails from service providers, our brains have been trained to execute their requested actions quickly. It is easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that covers the sender name, the sender email address, the language within the email and any logical inconsistencies in it.

3. Follow multi-factor authentication and password management best practices
If you have not already, implement these hygiene practices to minimize the impact of exfiltrated credentials:
1. Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
2. Do not reuse the same password across sites and accounts.
3. Use password management software such as LastPass or 1Password to store your account passwords.
Note that these controls protect password-based accounts. A wallet's secret recovery phrase is not an account credential and is not covered by MFA; the only protection is never to enter it into a web page, since the wallet software itself never asks for it there.
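The recommendations above concern the email; the other place this attack can be caught is the landing page described in THE PHISHING PAGE. The scanner below is an added example, not Armorblox or MetaMask code: it parses a page's HTML with Python's standard library and flags any form that collects a recovery phrase (twelve or more numbered word inputs, or fields named after a passphrase/seed/recovery phrase), alongside brand mentions, KYC lure wording and whether the serving host is the brand's. The allow-list (metamask.io), the sample pages and the host metamask-kyc-verify.example are constructed assumptions. The example goes slightly beyond the post's single page: it also recognizes the textarea and named-field variants of the same seed-phrase form.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vocabulary seed-phrase harvesting forms use; the brand allow-list is an assumption for this example.
PHRASE_TERMS = ("passphrase", "seed phrase", "recovery phrase", "secret phrase", "mnemonic")
KYC_TERMS = ("kyc", "know your customer", "verify your wallet")
BRAND = "metamask"
BRAND_DOMAINS = {"metamask.io"}


class _PageScanner(HTMLParser):
    """Records every form with its input fields, plus the page's visible text and image alt text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea") and self._form is not None:
            self._form["inputs"].append(a)
        elif tag == "img":
            self.text.append(a.get("alt", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def _phrase_capture(form):
    """Return (numbered word slots, matched phrase terms) for one form."""
    slots = 0
    terms = set()
    for field in form["inputs"]:
        name = field.get("name", "") + " " + field.get("id", "")
        if re.search(r"\b(?:word|w|phrase|seed)[_-]?\d{1,2}\b", name):
            slots += 1
        blob = " ".join(field.values())
        terms.update(t for t in PHRASE_TERMS if t in blob)
    return slots, sorted(terms)


def analyze_landing_page(html, page_url):
    """Classify a fetched page: does it collect a wallet recovery phrase, and under whose branding?"""
    scanner = _PageScanner()
    scanner.feed(html)
    text = " ".join(scanner.text).lower()
    host = (urlparse(page_url).hostname or "").lower()
    report = {
        "host": host,
        "host_is_brand": any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS),
        "brand_mentioned": BRAND in text,
        "kyc_lure": [t for t in KYC_TERMS if t in text],
        "phrase_forms": [],
    }
    for form in scanner.forms:
        slots, terms = _phrase_capture(form)
        if slots >= 12 or terms:
            report["phrase_forms"].append({"action": form["action"], "word_slots": slots, "terms": terms})
    if report["phrase_forms"]:
        # MetaMask only requests the Secret Recovery Phrase inside its own extension UI, never on a
        # web page, so a web form collecting it is a credential harvester regardless of branding or host.
        report["verdict"] = "wallet-credential-phishing"
    elif report["brand_mentioned"] and not report["host_is_brand"]:
        report["verdict"] = "brand-lookalike-page"
    else:
        report["verdict"] = "no-phrase-capture"
    return report


# Constructed page modelled on the landing page described in this post (not the real one).
WORD_INPUTS = "".join(f'<input type="text" name="word{i}" placeholder="{i}.">' for i in range(1, 13))
SAMPLE_PHISH = f"""<html><body>
<img src="/static/fox.svg" alt="MetaMask">
<h1>Verify your Wallet</h1>
<p>To comply with KYC regulations, confirm ownership of your wallet by entering your Passphrase.
Make sure your passphrase is always protected and double-check that nobody is watching.</p>
<form action="/verify.php" method="post">{WORD_INPUTS}<button type="submit">Verify</button></form>
</body></html>"""

# Constructed benign page: brand name, brand host, a form that only asks for an email address.
SAMPLE_BENIGN = """<html><body><h1>MetaMask newsletter</h1>
<form action="/subscribe"><input type="email" name="Email"><button>Subscribe</button></form>
</body></html>"""

if __name__ == "__main__":
    print(analyze_landing_page(SAMPLE_PHISH, "https://metamask-kyc-verify.example/verify"))
    print(analyze_landing_page(SAMPLE_BENIGN, "https://metamask.io/"))
```

Run against a URL pulled from a reported email, the verdict plus the form action gives the responder the harvesting endpoint to block and the evidence to justify a takedown request.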
© 2022 Armorblox. All Rights Reserved.