Phishing Scam Targeting MetaMask Crypto Wallet Holders Nets $650,000; Default Settings Stored Seed Phrases in iCloud
Written by SCOTT IKEDA
Published at 4/22/2022, 10:09:00 PM
MetaMask, a popular crypto wallet app, is being targeted because of a design flaw on iOS. A phishing scam built around a call that appears to come from Apple can drain MetaMask wallets by way of a default setting that amounts to a security flaw: the app writes the seed phrase needed to restore the wallet to iCloud backups unless the user manually disables that backup.
Most popular Ethereum crypto wallet has been writing seed phrases to cloud backups
The MetaMask crypto wallet is the one most commonly used by holders of Ethereum cryptocurrencies; publisher ConsenSys estimates that it had over 30 million active users as of March.
The phishing scam begins with a call that is spoofed to appear to be coming from a legitimate number listed by Apple’s online store. A fake Apple customer service agent tells the recipient that their account has been compromised and that they will be sending a one-time code to the phone to verify that the target is the account owner. Of course, this code is part of a credential reset attempt by the attacker (likely using the iForgot feature).
This alone should not allow an attacker to drain a crypto wallet. But MetaMask has a default setting, apparently unbeknownst to many users, that automatically writes the recovery seed phrase for the wallet to the user’s iCloud backups. With access to the target’s Apple account, the hacker can retrieve the seed phrase and drain the crypto wallet within seconds by using a purpose-built script.
Thus far, only one MetaMask user, Domenic Iacovone, has been verified to be hit by the phishing scam, but it was quite the haul. The target was plundered for a total of $650,000 worth of assets: $250,000 in Tether, $160,000 in ether, $100,000 in Ape Coin, and a Mutant Ape Yacht Club NFT valued at $80,000 among other items.
The 12-word seed phrase is essentially a master password that gives wallet holders a way to re-establish access if they lose it. Needless to say, it is supposed to be protected like any other important password, which includes not writing it in plaintext to documents in cloud storage. Yet this is exactly what the MetaMask app was doing: seed phrases are written to iCloud automatically unless the user goes into the “Manage Storage” settings and turns off the app’s backup capability.
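The developer-side fix for the problem described above is to keep the secret out of the backup set in the first place. The following Swift snippet is an added illustration written for this article and is not MetaMask's code; the function names, the account label and the file URL are assumptions. It shows the two standard iOS mechanisms: a Keychain accessibility class whose items are bound to the device and cannot be restored onto another device from a backup, and the file attribute that excludes a file from iCloud and Finder backups.

```swift
import Foundation
import Security

enum SeedStorageError: Error {
    case keychain(OSStatus)
}

/// Stores a wallet seed phrase in the Keychain under an accessibility class
/// whose key is tied to this device, so the item is not migrated to another
/// device and is not recoverable from a restored iCloud backup.
/// (`storeSeedPhrase` and the default account label are assumed names.)
func storeSeedPhrase(_ phrase: String, account: String = "wallet-seed") throws {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    // Replace any previous copy rather than failing with errSecDuplicateItem.
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    item[kSecValueData as String] = Data(phrase.utf8)

    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw SeedStorageError.keychain(status)
    }
}

/// If the secret must live in a file, mark that file so it is skipped by both
/// iCloud Backup and iTunes/Finder backups. (`excludeFromBackup` is an assumed name.)
func excludeFromBackup(_ fileURL: URL) throws {
    var url = fileURL                       // setResourceValues is mutating
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try url.setResourceValues(values)
}

// Example usage with a constructed path (not a real app's storage layout):
// let seedFile = FileManager.default.urls(for: .applicationSupportDirectory,
//                                         in: .userDomainMask)[0]
//     .appendingPathComponent("seed.bin")
// try excludeFromBackup(seedFile)
```

Of the two, the Keychain route is preferable: a file flagged as excluded is still plaintext on disk if the app wrote it that way, whereas a `ThisDeviceOnly` Keychain item is encrypted under a device-bound class key. Either way, the point is that the default, not an opt-in setting, should be the one that keeps the seed phrase out of the cloud.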
Phishing scam easily defused with a little basic knowledge
Disabling the automatic backup of a crypto wallet’s seed phrase is an important thing to do, of course, but this particular phishing scam can be evaded even more simply: by knowing that Apple never calls users to tell them it believes an account has been breached. Apple has been known to send messages to users who may have been compromised in rare cases, as it did for phones potentially hacked by the Pegasus spyware, but it will not “cold call” someone asking for a verification code. Had the victim known this, they could have safely ignored the call.
Nasser Fattah, North America Steering Committee Chair for Shared Assessments, adds: “Often when we back up our iPhones to the cloud, we don’t think of what to exclude in the event our Apple credential is compromised. Backups are often all or nothing. Additionally, there is certain information, like passwords or PINs, that should be deemed suspicious when being requested by support staff. When in doubt, or if you’re getting the heebie-jeebies, then it is time to stop engaging with the requester and call the official number of the entity that is asking for one’s sensitive information.”
While this is a relatively easy attack to defuse (as phishing scams go), there are certainly many among MetaMask’s estimated 30 million users who don’t follow tech security news and will not be aware that their seed phrase is sitting in their iCloud account. Security analysts are thus expecting a rash of attacks of this type now that the news is out. MetaMask posted a warning about the default settings to its Twitter account on April 18, but it is not clear whether it directly contacted its crypto wallet customers to warn them about the potential phishing scam.