Si Vis Pacem, Para Bellum: Exploring MetaMask Phishing

ChainLight
ChainLight Blog & Research
9 min read · Apr 3, 2023

Summary

ChainLight has approached and investigated attackers posting fraudulent tweets targeting the victims of a prior scam, subjecting them to further financial damage. A typical method of such an attack involves sending emails to victims, luring them into the attackers' own phishing websites by convincing the victim that they have a way to recover lost funds. Unlike the well-known phishing method that prompts users to enter a mnemonic, these attackers used a method that induces users to sign a malicious transaction with the eth_sign method. The fraud seemed to be highly sophisticated; not only did they appear to reply to each email individually, but they also used a relatively obscure phishing method not well known to typical users. In this article, we will explore this type of phishing attack, examine how the Web3 community is responding to it, and discuss how individuals participating in the ecosystem should be prepared.

Background

About crypto phishing

Phishing refers to a type of fraud deceiving users into giving away sensitive information, typically after capturing the user’s trust by impersonating a well-known service, brand, or institution. Phishing is particularly prevalent in the cryptocurrency ecosystem, likely due to the following factors:

  1. Users are directly responsible for managing their assets
  2. Unfriendly UX
  3. Lack of awareness of information security
  4. Ease of money laundering

It is quite challenging for users to protect themselves from attacks because users are fully responsible for their assets, and the UX is usually not very user-friendly. Also, the ease of laundering funds on many blockchains lowers the likelihood that a phishing attack will ever be penalized.

Tracing Malicious Activity

We found a suspicious account that quoted one of our tweets. Below is the content of the quote tweet from the account:

“I’ve had a similar issue Contact their support team directly, send ’em a mail *@gmail.com, they’ll assist you.”

Our tweet was about our discovery of scam sites for Gitcoin and Lido Finance, warning users to be careful about it when connecting wallets. The suspicious Twitter account quoted our tweet and posted the above message.

Exploring the scammer's account

The account appeared to be automated, posting similar tweets continuously. At this point, we decided to cast a bait to figure out if the user was actually malicious.

First, we sent a message to the email address mentioned by the suspicious user, claiming that we had been hacked.

Then, 6 hours later, we received an email from someone claiming to be MetaMask Support.

It asked us to provide the wallet address in order to identify the problem, offering to find a “solution.”

We replied with an account address that would appear legitimate to them. The email reply speed seemed to imply that they were responding manually and possibly even validating the address we sent them; thus, we tried to dodge suspicion by sending a random Ethereum account with a large balance.

After providing the wallet address, the email reply was faster than before. They said they were working to recover the stolen assets and that, to perform this task, we needed to connect our wallet on the restore page of the provided website. They kindly explained how to “find the assets.”

The steps they provided were as follows:

  1. Go to the settings of your Metamask wallet, navigate to “advanced”, then ensure the “toggle eth_sign requests” option of your wallet is turned on.
  2. Open the link to our restore page on your Mobile phone browser (i.e android or IOS) (this process cannot be initiated from a laptop browser or Metamask chrome extension) and connect your Metamask wallet as provided to our support.
  3. Click on “restore wallet” as displayed on the home menu of your Metamask wallet
  4. Sign and approve the following prompts which appear on your screen to authorize Metamask to run the auto-reboot protocol in your wallet.

The first requirement they demanded was to turn on the “toggle eth_sign requests” option in MetaMask’s Advanced Settings page, which allows the Dapp to take over the connected wallet.

Test

MetaMask Test-dapp

If this feature is turned on, how will the website react when an eth_sign request occurs? Let us test this using the Test-dapp site created by MetaMask.

Toggle disabled

First, connect the wallet using the connect wallet button, and try signing with the Eth Sign button.

An alert warning will appear stating that eth_sign is disabled and must be enabled through Advanced Settings. The MetaMask extension did not respond.

Toggle enabled

When the toggle is enabled, a signature request message is displayed, and another warning message is displayed after clicking the sign button. The warning states that by signing, you are handing over full control of your account to the Test-dapp, which may put your assets at risk. By signing the request above, you are granting Test-dapp access to the assets in your account.

What happens if we ignore it and continue with the signing process?

The website will display the result, and the eth_sign signature will be authorized.
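The two Test-dapp runs above (toggle disabled: request refused with an alert; toggle enabled: signature prompt plus a warning) can be modelled as a small wallet-side gate. The code below is an added example written for this article, not MetaMask's own code or the Test-dapp's. It assumes requests arrive in the EIP-1193 `{ method, params }` shape that a dapp passes to `window.ethereum.request()`, and the names `classifySignRequest`, `handleSignRequest` and the `ethSignEnabled` setting are this example's own. The point it makes is the one behind the warning: `eth_sign` signs an arbitrary 32-byte digest with no prefix, so the wallet cannot tell the user what the signature will authorize, whereas `personal_sign` and `eth_signTypedData_v4` sign prefixed or structured data that the wallet can display.

```javascript
// Added example (not MetaMask's code): a mock of the wallet-side gate around
// signing requests, modelled on the behaviour observed with the Test-dapp.
// Assumption: requests follow the EIP-1193 { method, params } shape.

// What each signing method actually puts in front of the private key.
const SIGN_METHODS = {
  eth_sign: { blind: true, label: "raw 32-byte digest, no prefix" },
  personal_sign: { blind: false, label: "EIP-191 prefixed message" },
  eth_signTypedData_v4: { blind: false, label: "EIP-712 structured data" },
};

const HEX32 = /^0x[0-9a-fA-F]{64}$/;

// Classify a request: is the user being asked to sign something the wallet
// can display, or an opaque digest that could be anything (e.g. a tx hash)?
function classifySignRequest(req) {
  const info = SIGN_METHODS[req.method];
  if (!info) return { method: req.method, signing: false };
  const [first, second] = req.params || [];
  // eth_sign takes [address, digest]; personal_sign takes [message, address].
  const payload = req.method === "eth_sign" ? second : first;
  const payloadIsHash = req.method === "eth_sign" && HEX32.test(payload ?? "");
  return {
    method: req.method,
    signing: true,
    blind: info.blind,
    payloadIsHash,
    risk: info.blind ? "high" : "normal",
    reason: info.blind
      ? `${info.label}: the wallet cannot show what this signature authorizes`
      : info.label,
  };
}

// Mock gate mirroring the "toggle eth_sign requests" setting (default: off).
function handleSignRequest(req, settings = { ethSignEnabled: false }) {
  const classification = classifySignRequest(req);
  if (!classification.signing) return { status: "ignored", classification };

  if (classification.blind && !settings.ethSignEnabled) {
    // Toggle disabled: the request is refused and the site sees an error.
    return {
      status: "rejected",
      error: "eth_sign is disabled; it must be enabled in Advanced Settings",
      classification,
    };
  }

  // Toggle enabled (or a non-blind method): prompt, with a warning for eth_sign.
  return {
    status: "prompt",
    warning: classification.blind
      ? "Signing hands full control of this account to the requesting site"
      : null,
    classification,
  };
}

// Constructed sample requests (not captured traffic).
const ADDRESS = "0x" + "11".repeat(20);
const blindRequest = { method: "eth_sign", params: [ADDRESS, "0x" + "ab".repeat(32)] };
const prefixedRequest = { method: "personal_sign", params: ["0x68656c6c6f", ADDRESS] };

console.log(handleSignRequest(blindRequest));                             // rejected
console.log(handleSignRequest(blindRequest, { ethSignEnabled: true }));   // prompt + warning
console.log(handleSignRequest(prefixedRequest));                          // prompt, no warning
```

The gate is deliberately independent of what the site claims the signature is for: a "Restore Wallet" button and a malicious site produce the same `eth_sign` request, and the only distinguishing feature available to the wallet is the method itself.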

Now that we have tried it on the Test-dapp, let us try it on the scam site in the email from the attacker. Since we have “toggle eth_sign requests” enabled, the website will display a warning message.

Let us click the “Restore Wallet” button they asked for.

The permission request dialog appears immediately after trying to connect the wallet, with the same warning message as before. Users who have already been robbed of large amounts of assets may be tempted to ignore this warning in the hope of having their funds returned; nevertheless, the user should always read the warning message carefully and be mindful of the potential risks.

Test — Mobile version

Let us try to access the website on mobile as requested in item 2 of the email and interact with MetaMask.

The “toggle eth_sign requests” feature is also available on the mobile version of MetaMask, so we tested connecting the wallet after enabling this feature.

As expected, we can see MetaMask’s warning message. Users need to pay attention to the warnings in MetaMask to avoid scams. MetaMask sees constant improvement in areas where many users have been victimized, or are likely to be harmed, with the participation of other users, as well as the MetaMask team itself. Please keep this in mind when using the features in MetaMask. It is easy to find discussions on the MetaMask community or Github about new features and improvements to MetaMask. For more information, refer to the websites below:

Si vis pacem, para bellum

The Latin phrase ‘Si vis pacem, para bellum,’ which means ‘If you want peace, prepare for war,’ highlights the importance of being prepared. As demonstrated in the movie John Wick 3, being prepared can be the difference between life and death.

MetaMask community

Currently, if you enable the eth_sign toggle on MetaMask installed as a web extension on your desktop and then interact with a Dapp, you will see a warning about eth_sign, but until just last month, the mobile version did not display the same alert as the desktop version. One user wrote about his experience on the MetaMask community, saying that this issue nearly put his assets at risk.

MetaMask Github

To protect users, the discussion on GitHub suggests that the toggle for eth_sign should be disabled by default, and users should be able to toggle it on and off; on the other hand, if eth_sign becomes necessary, the UI/UX should be designed so that it can be set in settings.

As you can see, showing warnings and disabling the eth_sign toggle by default were not among the features implemented from day one; they were added after the fact in response to user requests and suggestions. When users realized how many scammers there were and how risky their situation was, they voluntarily made suggestions to MetaMask, which accepted and incorporated them into the software.

ChainLight Contributing to the Web3 Ecosystem

ChainLight is a smart contract audit firm that also actively contributes to the ecosystem by identifying smart contracts with potential risks and notifying the corresponding projects.

UPbit Customer Center

In Korea, it is essential for the interaction between exchanges and external wallets to comply with Travel Rule when sending and receiving funds. ChainLight has also launched a campaign to raise awareness of scams using MetaMask in collaboration with UPbit, the largest exchange in Korea.

Tweet from MetaMask employee quoting ChainLight’s Medium post

MetaMask employee @tayvano_ referenced ChainLight’s Medium article to draw the community’s attention to the growing use of the eth_sign feature by scammers, and tweeted that eth_sign is no longer supported by default in MetaMask.

As blockchain is a decentralized space that develops through the voluntary participation of users, ChainLight will continue to take one step ahead for a healthy ecosystem in the future.

Conclusions

We have learned about the methods and stages of how attackers target victims, starting with scam tweets. A suspicious Twitter user quoted our scam alert tweet to generate more victims. When using MetaMask, make sure the eth_sign toggle is disabled. If you were a victim of a scam, make sure not to access the website that tries to lure you in with their “asset recovery” solutions.

What happens in Web3 is not easily reversible. We hope that users will be aware of the risks mentioned in this article and stay safe in the Web3 ecosystem. We will continue to post updates on malicious actors that threaten user safety through our blog in the future.

✨ We are ChainLight!

ChainLight explores new and effective blockchain security technologies with rich practical experience and deep technical understanding. Our innovative security audits built upon such research proactively identify and eliminate various security risks and vulnerabilities in the Web3 ecosystem. To ensure continuous security even after the audit, we provide a digital asset risk management solution using on-chain data monitoring and automated vulnerability detection services.

ChainLight serves to guide and protect all users of decentralized services, lighting the way for a safer Web3 ecosystem.

  • Want to see more from ChainLight? 👉 Check out our Twitter account.

🌐 Website: chainlight.io | 📩 TG: @chainlight | 📧 chainlight@theori.io
