Si Vis Pacem, Para Bellum: Exploring MetaMask Phishing
Summary
ChainLight approached and investigated attackers who post fraudulent tweets targeting the victims of a prior scam, subjecting them to further financial damage. A typical attack involves emailing victims and luring them to the attackers' own phishing website by convincing them that there is a way to recover their lost funds. Unlike the well-known phishing method that prompts users to enter a mnemonic, these attackers induce users to sign a malicious transaction with the eth_sign method. The fraud appeared to be highly sophisticated: not only did the attackers seem to reply to each email individually, but they also used a relatively obscure phishing method that typical users know little about. In this article, we explore this new type of phishing attack, examine how the Web3 community is responding to it, and discuss how individuals participating in the ecosystem should prepare.
Background
About crypto phishing
Phishing refers to a type of fraud deceiving users into giving away sensitive information, typically after capturing the user’s trust by impersonating a well-known service, brand, or institution. Phishing is particularly prevalent in the cryptocurrency ecosystem, likely due to the following factors:
- Users are directly responsible for managing their assets
- Unfriendly UX
- Lack of awareness of information security
- Ease of money laundering
It is quite challenging for users to protect themselves because they are fully responsible for their own assets and the UX is usually not very user-friendly. In addition, the ease of laundering funds on many blockchains lowers the chance that a phishing attacker is ever penalized.
Tracing Malicious Activity
We found a suspicious account that quoted one of our tweets. Below is the content of the quote tweet from the account:
“I’ve had a similar issue Contact their support team directly, send ’em a mail *@gmail.com, they’ll assist you.”
Our tweet was about our discovery of scam sites for Gitcoin and Lido Finance, warning users to be careful about it when connecting wallets. The suspicious Twitter account quoted our tweet and posted the above message.
Exploring the scammer's account
The account appeared to be automated, posting similar tweets continuously. At this point, we decided to set a bait to figure out whether the user was actually malicious.
First, we sent a message to the email address mentioned by the suspicious user, claiming that we had been hacked.
Then, 6 hours later, we received an email from someone claiming to be MetaMask Support.
It asked us to provide the wallet address in order to identify the problem, offering to find a “solution.”
We replied with an account address that would appear legitimate to them. The email reply speed suggested that they were responding manually and possibly even validating the address we sent them; thus, to avoid suspicion, we sent a random Ethereum account with a large balance.
After we provided the wallet address, the replies came faster than before. They said they were working to recover the stolen assets and that, to perform this task, we needed to connect our wallet on the restore page of the provided website. They kindly explained how to “find the assets.”
The steps they provided were as follows:
- Go to the settings of your Metamask wallet, navigate to “advanced”, then ensure the “toggle eth_sign requests” option of your wallet is turned on.
- Open the link to our restore page on your Mobile phone browser (i.e android or IOS) (this process cannot be initiated from a laptop browser or Metamask chrome extension) and connect your Metamask wallet as provided to our support.
- Click on “restore wallet” as displayed on the home menu of your Metamask wallet
- Sign and approve the following prompts which appear on your screen to authorize Metamask to run the auto-reboot protocol in your wallet.
The first requirement they demanded was to turn on the “toggle eth_sign requests” option in MetaMask’s Advanced Settings page. eth_sign signs an arbitrary hash supplied by the Dapp, which allows the Dapp to take over the connected wallet.
Test
If this feature is turned on, how will the website react when an eth_sign request occurs? Let us test this using the Test-dapp site created by MetaMask.
Toggle disabled
First, connect the wallet using the connect wallet button, and try signing with the Eth Sign button.
An alert will appear stating that eth_sign is disabled and must be enabled through Advanced Settings. The MetaMask extension did not respond.
Toggle enabled
When the toggle is enabled, a signature request message is displayed, and another warning message is displayed after clicking the sign button. The warning states that by signing, you are handing over full control of your account to the Test-dapp, which may put your assets at risk. By signing the request above, you are granting Test-dapp access to the assets in your account.
What happens if we ignore it and continue with the signing process?
The website will display the result, and the eth_sign signature will be authorized.
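The two outcomes above (request refused while the toggle is off, warning shown once it is on) can be expressed as a small wallet-side gate. The following is an added example, not MetaMask's or ChainLight's code; the setting name `ethSignEnabled`, the decision object, the rule that only a 32-byte hash is a well-formed eth_sign payload, and the sample requests are this example's own assumptions.

```javascript
// Added example (not MetaMask's or ChainLight's code): a wallet-side gate for
// signing requests that models the behaviour seen in the test above. eth_sign
// hands the wallet an opaque 32-byte hash chosen by the dapp, which may be the
// hash of an unsigned transaction, so it is refused unless the user enabled the
// toggle, and even then the decision carries the warning. A personal_sign
// message is readable and is prefixed by the wallet before hashing, so that
// signature cannot double as a transaction signature.

const HEX32 = /^0x[0-9a-fA-F]{64}$/;

const ETH_SIGN_WARNING =
  'Signing this grants the site full control of your account; its assets are at risk.';

// Render what the user is being asked to sign, or state that it cannot be rendered.
function describePayload(method, params) {
  if (method === 'eth_sign') {
    return HEX32.test(params[1])
      ? 'opaque 32-byte hash (preimage unknown to the wallet)'
      : 'malformed eth_sign payload';
  }
  if (method === 'personal_sign') {
    return 'message: ' + Buffer.from(params[0].replace(/^0x/, ''), 'hex').toString('utf8');
  }
  return 'method not handled by this gate';
}

// Decide whether a JSON-RPC signing request may proceed. settings.ethSignEnabled
// models the "toggle eth_sign requests" advanced setting (assumed default: off).
// Treating anything other than a 32-byte hash as malformed is this example's choice.
function gateSigningRequest(request, settings = { ethSignEnabled: false }) {
  const { method, params } = request;
  const detail = describePayload(method, params);
  if (method === 'eth_sign') {
    if (!HEX32.test(params[1])) return { allow: false, risk: 'reject', detail };
    if (!settings.ethSignEnabled) {
      return { allow: false, risk: 'reject', detail: detail + '; eth_sign is disabled in Advanced Settings' };
    }
    return { allow: true, risk: 'high', warning: ETH_SIGN_WARNING, detail };
  }
  if (method === 'personal_sign') return { allow: true, risk: 'normal', detail };
  return { allow: false, risk: 'reject', detail };
}

// Constructed samples resembling what a "restore wallet" page might send (not real captures).
const SAMPLE_ETH_SIGN = { method: 'eth_sign', params: ['0x' + '11'.repeat(20), '0x' + 'ab'.repeat(32)] };
const SAMPLE_PERSONAL_SIGN = {
  method: 'personal_sign',
  params: ['0x' + Buffer.from('Restore wallet session').toString('hex'), '0x' + '11'.repeat(20)],
};
```

Run `gateSigningRequest(SAMPLE_ETH_SIGN)` with and without `{ ethSignEnabled: true }` to see the refusal and the warned-but-allowed decision side by side.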
Now that we have tried it on the Test-dapp, let us try it on the scam site from the attacker's email. Since we have “toggle eth_sign requests” enabled, the website will display a warning message.
Let us click the “Restore Wallet” button they asked for.
The permission request dialog appears immediately after we try to connect the wallet, with the same warning message as before. Users who have already been robbed of large amounts of assets may be tempted to ignore this warning in the hope of having their funds returned; nevertheless, the user should always read the warning message carefully and be mindful of the risk it describes.
Test — Mobile version
Let us try to access the website on mobile as requested in item 2 of the email and interact with MetaMask.
The “toggle eth_sign requests” feature is also available in the mobile version of MetaMask, so we tested connecting the wallet after enabling it.
As expected, we can see MetaMask’s warning message. Users need to pay attention to MetaMask's warnings to avoid scams. MetaMask is constantly improved, by its own team and by other users, in the areas where many users have been victimized or are likely to be harmed. Please keep this in mind when using MetaMask's features. Discussions about new features and improvements are easy to find on the MetaMask community forum and on GitHub. For more information, refer to the websites below:
- MetaMask Github: https://github.com/MetaMask
- MetaMask Community: https://community.MetaMask.io
Si vis pacem, para bellum
The Latin phrase ‘Si vis pacem, para bellum,’ which means ‘If you want peace, prepare for war,’ highlights the importance of being prepared. As demonstrated in the movie John Wick 3, being prepared can be the difference between life and death.
Currently, if you enable the eth_sign toggle in MetaMask installed as a desktop web extension and then interact with a Dapp, you will see a warning about eth_sign; until just last month, however, the mobile version did not display the same alert as the desktop version. One user wrote about his experience on the MetaMask community forum, saying that this gap nearly put his assets at risk.
To protect users, the discussion on GitHub suggests that the toggle for eth_sign should be disabled by default and that users should be able to turn it on and off; if eth_sign becomes necessary, the UI/UX should be designed so that it can be enabled in the settings.
As you can see, showing warnings and disabling the eth_sign toggle by default were not features implemented from day one; they were added after the fact in response to user requests and suggestions. When users realized how many scammers there were and how risky their situation was, they voluntarily made suggestions to MetaMask, which accepted them and incorporated them into the software.
ChainLight Contributing to the Web3 Ecosystem
ChainLight is also a smart contract audit firm that actively contributes to the ecosystem by identifying smart contracts with potential risks and notifying the corresponding projects.
In Korea, interactions between exchanges and external wallets must comply with the Travel Rule when sending and receiving funds. ChainLight has also launched a campaign to raise awareness of scams using MetaMask in collaboration with Upbit, the largest exchange in Korea.
MetaMask employee @tayvano_ referenced ChainLight’s Medium article to draw the community's attention to the escalation of fraud against users via eth_sign, and posted a tweet stating that the eth_sign feature is no longer supported by default in MetaMask.
As blockchain is a decentralized space that develops through the voluntary participation of users, ChainLight will continue to stay one step ahead for a healthy ecosystem in the future.
Conclusions
We have learned about the methods and stages by which attackers target victims, starting with scam tweets. A suspicious Twitter user quoted our scam alert tweet to generate more victims. When using MetaMask, make sure the eth_sign toggle is disabled. If you were a victim of a scam, make sure not to access any website that tries to lure you in with an “asset recovery” solution.
What happens in Web3 is not easily reversible. We hope that users will be aware of the risks mentioned in this article and stay safe in the Web3 ecosystem. We will continue to post updates on malicious actors that threaten user safety through our blog in the future.
Reference
- https://community.MetaMask.io
- https://github.com/MetaMask
- https://community.MetaMask.io/t/add-phishing-alerts-and-option-to-toggle-eth-sign-requests-on-mobile/24587
- https://github.com/MetaMask/MetaMask-extension/pull/17308
- https://github.com/MetaMask/MetaMask-mobile/issues/5676
- https://MetaMask.github.io/test-dapp/
✨ We are ChainLight!
ChainLight explores new and effective blockchain security technologies with rich practical experience and deep technical understanding. Our innovative security audits built upon such research proactively identify and eliminate various security risks and vulnerabilities in the Web3 ecosystem. To ensure continuous security even after the audit, we provide a digital asset risk management solution using on-chain data monitoring and automated vulnerability detection services.
ChainLight serves to guide and protect all users of decentralized services, lighting the way for a safer Web3 ecosystem.
- Want to see more from ChainLight? 👉 Check out our Twitter account.
🌐 Website: chainlight.io | 📩 TG: @chainlight | 📧 chainlight@theori.io