Public scan of www.armorblox.com (2a05:d014:275:cb00:ec0d:12e2:df27:aa60)

Submitted URL: https://www.armorblox.com/blog/metamask-crypto-phishing-attack?utm_medium=newsletter&utm_source=email&utm_campaign=en%2B20...
Effective URL: https://www.armorblox.com/blog/metamask-crypto-phishing-attack/?utm_medium=newsletter&utm_source=email&utm_campaign=en%2B2...
Submission Tags: falconsandbox
Submission: On September 14 via api from US — Scanned from DE

Form analysis: 2 forms found in the DOM (a Marketo newsletter subscription form, id mktoForm_1082, with one required Email field and a Subscribe button, and an empty hidden Marketo form).

Text Content


GOT YOUR KEYS, PHONE, AND … WALLET? METAMASK CRYPTO WALLET PHISHING ATTACK

Written by Lauryn Cash
Threat Research / 6.23.22

In today’s Blox Tale, we will look at a credential phishing attack that spoofs
MetaMask, one of the most widely used crypto applications in the world, which
lets users store and swap cryptocurrencies, interact with blockchains, and host
dApps. The email looked like a MetaMask verification email; however, when a
victim clicked the link, they were taken to a spoofed MetaMask verification
page.

--------------------------------------------------------------------------------


SUMMARY

Target: This email attack targeted multiple organizations across the financial
industry.

Email security bypassed: Microsoft Office 365

Techniques used: social engineering, brand impersonation, spoofed landing page


THE EMAIL

The socially engineered email was titled ‘Re: [Request Updated] Ticket:
6093-57089-857’ and appeared to be sent from a MetaMask support address,
support@metamask.as. The email body spoofed a Know Your Customer (KYC)
verification request and claimed that failing to comply with KYC regulations
would result in restricted access to the victim’s MetaMask wallet.

The email prompted the victim to click the ‘Verify your Wallet’ button to
complete the wallet verification. A snapshot of the email is shown below:



Fig 1: Fake KYC verification for crypto wallet email spoofing MetaMask

The bad actors used urgency in the body of this email to pressure victims into
complying with the request, and mimicked a well-known brand so that victims
would trust that the email had legitimately been sent by the MetaMask support
team.


THE PHISHING PAGE

Upon clicking the “Verify your Wallet” button within the email, the victim was
redirected to a fake landing page, one that closely resembled a legitimate
MetaMask verification page. The victim was prompted to enter their passphrase
in order to comply with KYC regulations and continue using the MetaMask
service. The attackers used MetaMask branding and logo and referred to the
passphrase credential, all of which are associated with the legitimate
MetaMask brand. This look-alike page could easily fool unsuspecting victims,
especially those who do not realize that MetaMask does not ask users to comply
with KYC regulations.



Fig 2: Link in email leads to fake MetaMask verification landing page

The language on the fake landing page even reminded victims to make sure their
passphrase is always protected and to double-check that nobody is watching.
Language like this evokes trust, one of the primary goals of the attack. If
victims fell for this attack, they would have entered their passphrase, the
sensitive credential the attackers were aiming to exfiltrate through this
email attack.


ATTACK FLOW

The socially engineered email contained a link to a fake landing page. Even
though the attackers sent this email from an invalid domain, the threat still
bypassed Microsoft email security.

This socially engineered attack impersonated a well-known brand in order to
create a sense of trust in the end user. Each step of the attack flow aimed to
increase that trust through legitimate logos, branding, and attributes
associated only with the spoofed brand. To get the victim to comply with the
request and hand over sensitive data, the attackers included language in both
the body of the email and the fake landing page that conveyed urgency, making
it clear that time was of the essence.



--------------------------------------------------------------------------------


RECAP OF TECHNIQUES USED

This email attack employed a gamut of techniques to get past traditional email
security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense
of trust and urgency in the victims. Trust was induced by impersonating a
well-known brand (MetaMask) and a sense of urgency through the language used
within both the email and the fake landing page. The context of this attack also
leverages the curiosity effect, which is a cognitive bias that refers to our
innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML styling and content disclaimers similar
to MetaMask branding. Although MetaMask does not require KYC verification, the
colors and branding elements used in both the email and the landing page are
close enough to deceive an end user.

--------------------------------------------------------------------------------


GUIDANCE AND RECOMMENDATIONS

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better
protection and coverage against email attacks (whether they’re spear phishing,
business email compromise, or credential phishing attacks like this one),
organizations should augment built-in email security with layers that take a
materially different approach to threat detection. Gartner’s Market Guide for
Email Security covers new approaches that vendors brought to market in 2021,
and Armorblox highlights this in the 2022 Email Security Threat Report; both
should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained
to quickly execute their requested actions. It’s much easier said than done, but
engage with these emails in a rational and methodical manner whenever possible.
Subject the email to an eye test that includes inspecting the sender name, the
sender email address, the language within the email, and any logical
inconsistencies within the email.
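One way to turn the eye test above, and the sender-domain mismatch noted in the attack flow section, into an automated pre-screen. This is an added example, not code from the post or from Armorblox: it parses a constructed message that reuses the subject line and sender address quoted in the post, flags a sender or link domain that does not belong to the brand the message claims to be from, and notes urgency wording. The legitimate-domain table, the placeholder link host (verify-wallet.example), the urgency word list and the crude registered-domain helper are all assumptions made for the example.

```python
"""Brand-mismatch pre-screen for a suspected impersonation email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMPTION: domains each brand legitimately mails and links from.
# A real deployment would maintain this as a reviewed allow-list.
BRAND_DOMAINS = {
    "metamask": {"metamask.io"},
}

# ASSUMPTION: a small list of pressure phrases typical of KYC/verification lures.
URGENCY_WORDS = ("restricted", "suspended", "immediately", "within 24 hours")

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for this illustration; production
    code should use the public suffix list so that e.g. co.uk is handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brands_mentioned(text):
    """Which known brands the message claims or references anywhere."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def analyze(raw_message):
    """Return the sender domain, brands referenced, and a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    findings = []
    mentioned = brands_mentioned(
        " ".join([display_name, address, msg.get("Subject", ""), html])
    )
    for brand in sorted(mentioned):
        legit = BRAND_DOMAINS[brand]
        # Sender check: the address must sit under a known domain for the brand.
        if sender_domain and registered_domain(sender_domain) not in legit:
            findings.append(f"sender domain {sender_domain} is not a known {brand} domain")
        # Link check: every href should also land on a known brand domain.
        for url in HREF_RE.findall(html):
            host = urlparse(url).hostname or ""
            if host and registered_domain(host) not in legit:
                findings.append(f"link host {host} is not a known {brand} domain")

    urgency = [w for w in URGENCY_WORDS if w in html.lower()]
    if urgency:
        findings.append("urgency cues: " + ", ".join(urgency))

    return {"sender_domain": sender_domain, "brands": sorted(mentioned), "findings": findings}


# Constructed sample: subject and sender address as quoted in the post,
# link host is a reserved .example placeholder, not the real phishing host.
PHISH_SAMPLE = """From: MetaMask Support <support@metamask.as>
To: victim@example.com
Subject: Re: [Request Updated] Ticket: 6093-57089-857
Content-Type: text/html; charset=utf-8

<html><body><p>Complete KYC verification or access to your wallet will be restricted.</p>
<a href="https://verify-wallet.example/metamask/kyc">Verify your Wallet</a></body></html>
"""

# Constructed benign counterpart: sender and link both on the assumed legitimate domain.
LEGIT_SAMPLE = """From: MetaMask <hello@metamask.io>
To: user@example.com
Subject: Getting started with MetaMask
Content-Type: text/html; charset=utf-8

<html><body><p>Thanks for installing MetaMask.</p>
<a href="https://metamask.io/docs">Read the docs</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = analyze(sample)
        print(label, result["sender_domain"], result["findings"] or "no findings")
```

The check is deliberately conservative: it only fires when a brand name appears somewhere in the message, and a match to the allow-list is required for both the sender address and every link host, because in the campaign above the sender domain was wrong while the branding was right. Treat a hit as a reason to route the message for review, not as proof of malice.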

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the
impact of credentials being exfiltrated:

 1. Deploy multi-factor authentication (MFA) on all possible business and
    personal accounts.
 2. Don’t use the same password on multiple sites/accounts.
 3. Use password management software like LastPass or 1Password to store your
    account passwords.

--------------------------------------------------------------------------------


© 2022 Armorblox. All Rights Reserved. Privacy Policy.