MetaMask Phishing via Google Ads
By: Athul Harilal, Eric Chin, Jack Chong, Ilinca Alexiuc, Nobel Tan
1. Introduction
A threat actor group has been actively stealing crypto assets from MetaMask users via Google Ads since November 2020¹. Google Ads impersonating MetaMask were placed above the legitimate search result, which tricked users into clicking them. Through our investigation, we found that the threat actors also targeted users of Ledger and Coinomi wallets. Cryptocurrency transactions from the threat actor wallet revealed interaction with the FixedFloat exchange and with an unidentified wallet that, based on its transaction pattern, we assess to belong to a DEX of Chinese origin. We have detailed our findings on the threat actor in this article and have publicly shared the Indicators of Compromise (IOCs) we found here.
2. Modus Operandi
Since the beginning of their operation in November 2020, we have observed four major revisions of the phishing web files and/or the hosting infrastructure, each aimed at replicating the impersonated site more faithfully. Table 1 summarizes the main findings for each version.
Version 1
The initial versions (1.0 and 1.1) shared the same code base in terms of the HTML and JavaScript files returned by the phishing domains; they differed only in the hosting provider. Version 1.0 domains were hosted on Choopa LLC², whereas in version 1.1 they were moved behind Cloudflare Inc³, with Namecheap⁴ retained as the domain registrar.
Differences in the Sequence of HTTP responses
In Figure 1, we illustrate the sequence of HTTP responses recorded when a user imports a wallet through the legitimate MetaMask site (metamask[.]io) and compare it against the phishing sites.
On the legitimate site, the user is directed from the main page to a download.html page that contains links for downloading MetaMask on the different platforms. In step 2, clicking the relevant link redirects the user to the MetaMask extension in Chrome. We focused on the MetaMask Chrome extension because we believe the threat actors used their phishing links to lure victims who predominantly use the browser extension. Lastly, in step 3, the installed Chrome extension serves its own home.html page, from which the user completes the import of the wallet.
However, on inspecting the HTTP flow of the phishing sites, we do not see any installation of MetaMask. Instead, the threat actors hosted a number of HTML pages within the phishing domains themselves to serve the responses for each step of importing the wallet. This was the first difference we spotted.
Comparison of Landing Pages
Figures 2.a and 2.b illustrate the HTTP responses returned when querying the legitimate MetaMask site and the phishing site respectively. Both pages look visually alike, and on inspection the phishing page issues a similar number of HTTP requests, many of them to the legitimate site, as shown in Fig 3.a and Fig 3.b. Hence the initial versions of the phishing site loaded resources directly from the legitimate site in order to replicate it.
However, we also observed minor textual differences between the phishing and legitimate site. For example, the buttons “Download” and “Download now” are replaced with “Install” and “Install now” on the phishing site, as shown in Figures 2.a and 2.b.
On the legitimate site, clicking the download button fetches the download links for MetaMask on the various platforms via download.html, as shown in Fig 4.a. The buttons on the phishing site instead redirect to home.html, as shown in Fig 4.b. This page corresponds to the HTML resource requested by the installed legitimate MetaMask extension in step 3 of Figure 1; the phishing site simply skips the installation step.
Comparison of home.html pages
Figures 5.a and 5.b illustrate the home.html pages of the installed MetaMask Chrome extension and of the phishing site respectively. As with the landing page, both pages look similar, with slight textual changes. However, the sequence of operations executed when the start button is clicked differs greatly between the legitimate MetaMask extension and the phishing site.
As shown in Fig 6, the legitimate MetaMask extension loads its list of user actions and the associated text from a messages.json file; we have highlighted the “Get Started” entry, which corresponds to the button in Fig 5.a. Clicking the button is handled by functions within the JavaScript files highlighted in Fig 6, which render the correct response for the next step. The subsequent actions the user performs to complete the wallet import are handled by the same JavaScript functions. The threat actors, however, resorted to much simpler techniques to replicate the import steps and steal the wallet information.
For instance, the start button in the phishing page’s home.html simply links to a file named change.html, as shown in Fig 7, whose response resembles the one rendered by the legitimate MetaMask extension.
Change.html
This page starts the process of tricking users into importing the secret phrase of their wallet, which the threat actors can then use to recreate the victim’s wallet on their own infrastructure. It also offers an option to create a new wallet, solely so that the page mirrors the response returned by the legitimate MetaMask extension.
Inspection of the HTML source revealed that choosing to import a wallet made the site request change1.html, whereas choosing to create a new wallet made it request change2.html, which redirected the user to the legitimate MetaMask site. In these initial versions, therefore, the threat actors let go of victims who wanted to create a new wallet in MetaMask.
Change1.html
This page presents an agreement stating that anonymous data on user interaction with MetaMask is collected in compliance with GDPR⁵. It is included because the legitimate MetaMask extension shows a similar page to indicate that it complies with GDPR.
The HTML source of change1.html shows that the user is directed to the import.html page regardless of the consent option chosen, as shown in Fig 11.
Import.html
This form is the last step, where the victim is prompted to enter their seed phrase along with a new password.
Fig 13 shows that the details entered in the form are sent to check.php, hosted on the same phishing domain. The seed phrase is received by an HTML input element with the id passwo1212rd, and toggling the “Show seed phrase” checkbox executes a function named laks().
Similarly, the closing part of the form contains another checkbox for accepting the terms and conditions. Fig 14 shows that this checkbox has the class first-time-flow__checkbox2 and triggers the execution of a function named laks2(). The import button, with the id bdbdb, is disabled by default.
A deeper inspection of laks2() revealed that it holds the crucial logic of the form. From Fig 15, we understand that the threat actors track the state of the terms-and-conditions checkbox through a class named otkr: when the box is checked, otkr is added to the checkbox element, and when it is unchecked, otkr is removed. Accordingly, the first block of code runs when the checkbox is being unchecked: it removes otkr and disables the import button, referenced by its id bdbdb. If the checkbox is being checked, the function adds otkr and verifies that the newly entered password and its confirmation match. If they do, the next block of code extracts the seed phrase entered by the user and passes it to the function getAmountOfWords2().
As shown in Fig 16, getAmountOfWords2() simply checks whether the entered seed phrase is 12 words long and, if so, removes the disabled attribute from the import button, allowing the victim to submit the entered details. This concludes the process of stealing secret phrases in version 1.
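The markers described above (a form posting to check.php on the same origin, the passwo1212rd input, the laks()/laks2() handlers, the first-time-flow__checkbox2 class, the disabled bdbdb button and the 12-word gate) are enough to fingerprint captured copies of this kit statically. The following Python is an added example written for readers of this article; it is neither code from the original page nor the threat actor’s code. The two HTML snippets inside it are constructed stand-ins that reproduce only the markers described, not the real phishing pages, and the scoring threshold is our own choice.

```python
import re
from html.parser import HTMLParser

# Identifier markers taken from the article's description of the version 1
# import.html page. Each one alone is weak; together they fingerprint the kit.
IDENTIFIER_MARKERS = {
    "input#passwo1212rd": re.compile(r"""id\s*=\s*["']passwo1212rd["']""", re.I),
    "button#bdbdb": re.compile(r"""id\s*=\s*["']bdbdb["']""", re.I),
    "class first-time-flow__checkbox2": re.compile(r"first-time-flow__checkbox2"),
    "function laks()/laks2()": re.compile(r"\blaks2?\s*\("),
    "function getAmountOfWords2()": re.compile(r"\bgetAmountOfWords2\s*\("),
    "state class otkr": re.compile(r"""["']otkr["']"""),
}

# Behavioural markers that survive renaming of ids and functions: a seed-phrase
# field, and a client-side 12/24-word length gate on the submit button.
BEHAVIOUR_MARKERS = {
    "seed/secret phrase field": re.compile(r"(seed|secret|recovery)\s*phrase", re.I),
    "12/24-word client-side gate": re.compile(r"length\s*===?\s*(12|24)\b"),
}


class FormCollector(HTMLParser):
    """Collect every <form action=...> and the id/name of the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a.get("id") or a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_page(html):
    """Score one HTML document. The strongest signal is a form whose action is a
    .php script on a page that talks about a seed phrase: the genuine MetaMask
    extension never POSTs the seed phrase to any web server."""
    id_hits = [n for n, rx in IDENTIFIER_MARKERS.items() if rx.search(html)]
    beh_hits = [n for n, rx in BEHAVIOUR_MARKERS.items() if rx.search(html)]
    collector = FormCollector()
    collector.feed(html)
    php_sinks = [f["action"] for f in collector.forms
                 if f["action"].lower().endswith(".php")]
    seed_to_php = bool(php_sinks) and "seed/secret phrase field" in beh_hits
    return {
        "identifier_hits": id_hits,
        "behaviour_hits": beh_hits,
        "php_sinks": php_sinks,
        # Threshold is our own choice: exfil sink plus seed field, or two kit identifiers.
        "is_phishing": seed_to_php or len(id_hits) >= 2,
    }


# Constructed sample: reproduces only the markers described in the article.
SAMPLE_PHISH = """<!-- constructed sample, not the real import.html -->
<form action="check.php" method="post">
  <label>Secret Phrase</label>
  <input id="passwo1212rd" type="password" name="seed">
  <input type="checkbox" onclick="laks()"> Show seed phrase
  <input id="pw" type="password"> <input id="pw2" type="password">
  <input type="checkbox" class="first-time-flow__checkbox2" onclick="laks2()"> I agree
  <button id="bdbdb" type="submit" disabled>Import</button>
</form>
<script>
function getAmountOfWords2(s) {
  if (s.trim().split(' ').length === 12) { bdbdb.removeAttribute('disabled'); }
}
function laks2() {
  var c = document.querySelector('.first-time-flow__checkbox2');
  if (!c.classList.contains('otkr')) {
    c.classList.add('otkr');
    if (pw.value === pw2.value) { getAmountOfWords2(passwo1212rd.value); }
  } else { c.classList.remove('otkr'); bdbdb.setAttribute('disabled', ''); }
}
</script>"""

# Constructed benign sample: mentions the phrase but has no form and no sink.
SAMPLE_BENIGN = """<a href="download.html">Download now</a>
<p>Never share your Secret Recovery Phrase with anyone.</p>"""

if __name__ == "__main__":
    for name, page in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, scan_page(page))
```

The benign sample deliberately mentions a recovery phrase and still scores clean: a phrase warning on its own is normal wallet documentation, whereas a form that ships that phrase to a .php endpoint is not. For later versions of the kit the identifier rules will need refreshing, but the behavioural rules (seed field plus server-side sink, word-count gate) are the part worth keeping.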
Version 2
In this version, the threat actors used Arq Group Limited DBA Melbourne IT⁶ as their domain registrar and hosted their web files on AWS⁷ servers in Australia. They reduced the size of the hosted web files, primarily by reducing the number of JavaScript functions. The most interesting finding, however, was the discovery of phishing sites impersonating Ledger⁸ and Coinomi⁹ wallets. This may be related to the Ledger data breach¹⁰ of June 2020, in which malicious actors obtained the personal details of 270k customers; database dumps from the breach were also recently found on RaidForums¹¹, a marketplace for such dumps. In this version, therefore, the threat actors broadened the set of wallets they target.
Analysis of Landing Pages
HTTP queries to the main domains found in version 2 returned three types of generic responses that were completely unrelated to MetaMask, Ledger or Coinomi. As seen in Fig 17, we found pages about learning French cooking, a car wash company and an architectural firm.
Analysis of the HTML responses revealed a number of Latin sentences within them, many of which were Lorem Ipsum filler text copied from multiple websites. This was probably done by the threat actors so as not to give away any meaningful content. For instance, “Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat.” appears on a Wikipedia page¹².
We also found a number of links to a website builder platform called Nicepage¹³ and to Freepik¹⁴, a site hosting a large repository of images. However, we did not find any meaningful links related to the impersonation of the wallet providers. From this, we deduced that the three types of HTML responses were ready-to-use website templates offered by Nicepage¹⁵.
Identification of Hidden Paths
Since we did not find any meaningful links on the landing pages, our investigation turned to checking for hidden paths that could be hosting the impersonation sites.
As shown in Fig 18, we found a number of hidden paths within these domains that impersonate MetaMask and Ledger. During our analysis, each hidden path was found to be exclusive to a single domain. These findings suggest that the threat actors may be using these paths as redirection targets from other sites, or targeting victims through other channels such as email, rather than through the Google Ads technique used in version 1.
The responses from the MetaMask impersonation pages were similar to those of version 1. As shown in Fig 19, the threat actors only offered the option to import a wallet on these hidden pages, unlike version 1, which also included the option to create a new wallet. The page for entering the secret phrase and password is likewise similar to version 1, except that the terms-and-conditions checkbox is pre-checked. This removed the need for JavaScript functions such as the laks2() found in version 1.
Brief Summary of Ledger Impersonation sites
When impersonating Ledger, the threat actors used a technique similar to the one observed on the MetaMask impersonation domains to steal secret phrases from victims.
Fig 21 shows the details of the form in which the victim enters the secret phrase. We observe a listener function, CheckParams(), that fires on the keys typed by the victim. As with MetaMask, this function checks the length of the entered phrase before enabling the “Continue” button highlighted in Fig 20, which submits the form and completes the theft.
There are, however, some differences from the MetaMask impersonation sites. One major difference is the bulky size (4MB) of the HTTP response for the hidden page, as shown in Fig 22.
On inspection, we observed that this is mainly due to the inline embedding of images used on the legitimate Ledger site, as shown in Fig 23. We found a number of such images embedded in base64 form, which accounts for the large size.
Version 3
In this version, we found only MetaMask phishing sites, similar to version 1. They also kept the same HTTP flow for stealing the secret phrase, as shown in Fig 1. The threat actors further reduced the size of the HTTP responses and started using a variety of domain registrars, such as PDR Ltd. d/b/a PublicDomainRegistry.com¹⁶ and NetEarth One Inc. dba NetEarth¹⁷. Since the process of stealing the secret phrase is the same as in version 1, we do not go through it again.
Cryptocurrency Transactions of the Threat Actor
Fig 24 illustrates the extended outgoing transactions made from the threat actor wallet (0xF032752d9198D9c0b34Cd9b622de04f7CF2DE840), taken from the Crypto Analysis Transaction Visualization (CATV)¹⁸ tool. Upon inspecting this wallet, we observe that it has been active since 12 October 2020 and had transacted 22.8 ETH at the time of writing.
The initial outgoing transactions, worth approximately 0.76 ETH, were sent to the FixedFloat exchange¹⁹. However, the majority of the funds (21.9 ETH) went to an unidentified wallet (0x24BA1542F8a0a20e8251d096213384Cfb0eE3dbC). This wallet had made around 22k transactions within its four-month lifetime.
On closer examination, we found a number of references to and transfers from major centralized exchanges such as Huobi²⁰ and Binance²¹, as shown in Fig 25, taken from Bloxy²². The figure also shows a number of calls to smart contracts such as Tether USDT (0xdac17f958d2ee523a2206206994597c13d831ec7), DAI (0x6b175474e89094c44da98b954eedeac495271d0f) and the ChainLink Token (0x514910771af9ca656af840dff83e8264ecf986ca). These relationships resemble those of a wallet belonging to a decentralized exchange (DEX).
We also found that the unidentified wallet used Dappbirds²³, a platform hosting Dapps across 14 blockchains. Fig 26 shows the profile of this wallet interacting with 7 Dapps, mainly a financial service (the Aave protocol) and a Chinese game (TKH). This gives a slight indication of the Chinese origin of the wallet.
Hence our assessment is that the threat actor used this DEX-type wallet mainly to convert ETH into stablecoins such as USDT.
Attribution
The threat actors have been extremely careful not to reveal any contextual information within their web files and infrastructure. On the contrary, there were attempts to mislead, such as the generic Lorem Ipsum Latin text found in the version 2 files. Furthermore, we could not deduce any information from the historical DNS resolutions of the phishing domains, as most domains had only one DNS resolution throughout their lifetime.
However, one of the earliest MetaMask phishing domains (installmetamask[.]com) was recently redirected to a newly created generic movie website (hopeisasadthing[.]xyz). From Fig 27, we see that this domain was created around the same time as the initial phishing domains. The domain name is not in keeping with a movie website and hints at malicious intent. The WHOIS record shows the registrant to be from “Nei Meng Gu Zi Zhi Qu”, the Chinese name for the Inner Mongolia Autonomous Region of China. This further strengthens our assessment that the threat actors are connected to China.
How to Identify Signs of Phishing
The seed phrase (or mnemonic phrase) associated with a wallet must be kept secret: its purpose is to restore the user’s wallet on another device if the original device is lost or damaged. Wallet providers therefore store this information in encrypted form on the user’s device only and do not keep it in their own infrastructure²⁴. When a user imports the wallet on another device, a set of mathematical functions derives the wallet’s private keys from the seed phrase.
Hence, a strong signal of phishing is any request for the seed phrase that transmits it to infrastructure away from the user’s device. Legitimate wallet providers ask for the seed phrase only during the initial setup of the wallet. Updates following the initial setup will not request the seed phrase, since most wallet providers store it locally. Recent fake Ledger software, however, asked existing users to re-enter their seed phrase, which is a strong sign of malice. It is also good practice to use different wallets across different wallet providers, as this limits the exposure of your existing wallets. For instance, in the earlier versions of the MetaMask phishing sites, users who chose to create a new wallet were redirected by the threat actors to the legitimate MetaMask site.
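To make the derivation mentioned above concrete, the following Python is an added example (not part of the original article) that performs the first two steps of it as specified by BIP39 and BIP32: the words become a 64-byte seed through PBKDF2-HMAC-SHA512, and the seed becomes the master private key and chain code through HMAC-SHA512. It uses only the standard library. The mnemonic and expected seed are the published BIP39 test vector (all-zero entropy, passphrase “TREZOR”), not a real wallet; the whitespace collapsing in mnemonic_to_seed is our own convenience, not something the specification mandates. Anyone holding the words can run exactly this and every key in the wallet follows, which is why counting 12 words was all the client-side validation the phishing kit needed.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048   # fixed by BIP39
SEED_LEN = 64          # bytes, fixed by BIP39


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised words, salted with
    "mnemonic" + passphrase, 2048 rounds, 64-byte output. No wordlist or checksum
    is consulted here: any string of words yields *a* seed, so a thief needs no
    validation beyond what the victim already did when the phrase worked."""
    # Collapse runs of whitespace (a pasted phrase often carries extra spaces);
    # this normalisation is our choice, the spec only requires NFKD.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ROUNDS, dklen=SEED_LEN)


def master_key_from_seed(seed):
    """BIP32 master node: HMAC-SHA512 keyed with the literal "Bitcoin seed".
    Left 32 bytes = master private key, right 32 bytes = chain code. Every
    account key, e.g. the standard Ethereum path m/44'/60'/0'/0/i, is derived
    deterministically from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def entropy_bits(word_count):
    """Each BIP39 word encodes 11 bits and one bit in 33 is checksum, so 12 words
    carry 128 bits of entropy and 24 words carry 256. Returns None for a word
    count the specification does not allow."""
    if word_count not in (12, 15, 18, 21, 24):
        return None
    return word_count * 11 - word_count // 3


# Published BIP39 test vector (entropy 0x00...00, passphrase "TREZOR").
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("seed matches published vector:", seed.hex() == TEST_SEED_HEX)
    priv, chain = master_key_from_seed(seed)
    print("master private key:", priv.hex())
    print("chain code:", chain.hex())
    print("entropy in a 12-word phrase:", entropy_bits(12), "bits")
```

The optional passphrase is the one input that is not written on the recovery card: the same 12 words with a different passphrase produce an unrelated seed, which is why phishing kits that only collect the words cannot open a wallet protected this way. It does not help MetaMask users in the flow described above, since that flow takes the words alone, but it is the reason a practitioner should treat the passphrase, where a wallet supports one, as a second secret and never type it into a web form either.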
[1] “MetaMask phishing steals cryptocurrency wallets via Google ads.” 5 Dec. 2020, https://www.bleepingcomputer.com/news/security/metamask-phishing-steals-cryptocurrency-wallets-via-google-ads/. Accessed 28 Dec. 2020.
[2] “Choopa, LLC.” https://www.choopa.com/. Accessed 29 Dec. 2020.
[3] “Cloudflare.” https://www.cloudflare.com/. Accessed 29 Dec. 2020.
[4] “Namecheap.” https://www.namecheap.com/. Accessed 29 Dec. 2020.
[5] “General Data Protection Regulation — Wikipedia.” https://en.wikipedia.org/wiki/General_Data_Protection_Regulation. Accessed 29 Dec. 2020.
[6] “About Us | Domain Industry Pioneer | Melbourne IT.” https://www.melbourneit.com.au/about-melbourne-it/. Accessed 30 Dec. 2020.
[7] “Amazon AWS — Amazon.com.” https://aws.amazon.com/. Accessed 30 Dec. 2020.
[8] “Ledger.” https://www.ledger.com/. Accessed 30 Dec. 2020.
[9] “Coinomi: The blockchain wallet trusted by millions.” https://www.coinomi.com/en/. Accessed 30 Dec. 2020.
[10] “Ledger data leak: A ‘simple mistake’ exposed 270K crypto ….” 25 Dec. 2020, https://cointelegraph.com/news/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers. Accessed 30 Dec. 2020.
[11] “RaidForums.” https://raidforums.com/index.php. Accessed 30 Dec. 2020.
[12] “Lorem ipsum — Wikipedia.” https://en.wikipedia.org/wiki/Lorem_ipsum. Accessed 30 Dec. 2020.
[13] “Nicepage.” https://nicepage.com/. Accessed 30 Dec. 2020.
[14] “Freepik.” https://www.freepik.com/. Accessed 30 Dec. 2020.
[15] “Construction company Web Design — Nicepage.” https://nicepage.com/d/125559/construction-company-web-design. Accessed 30 Dec. 2020.
[16] “Public Domain Registry.” https://publicdomainregistry.com/. Accessed 4 Jan. 2021.
[17] “NetEarth One Inc. d/b/a NetEarth | Registrar Breakdown.” https://ntldstats.com/registrar/1005-NetEarth-One-Inc-dba-NetEarth. Accessed 4 Jan. 2021.
[18] “CATV — Uppsala Security.” https://www.uppsalasecurity.com/catv. Accessed 4 Jan. 2021.
[19] “Instant cryptocurrency exchange — FixedFloat.” https://fixedfloat.com/en/. Accessed 4 Jan. 2021.
[20] “Huobi.” https://www.huobi.com/. Accessed 4 Jan. 2021.
[21] “Binance: Bitcoin Exchange | Cryptocurrency Exchange.” https://www.binance.com/en. Accessed 4 Jan. 2021.
[22] “Bloxy.info.” https://bloxy.info/. Accessed 4 Jan. 2021.
[23] “DappBirds.” https://dappbirds.com/. Accessed 5 Jan. 2021.
[24] “Everything you need to know about your Secret Recovery ….” https://support.exodus.io/article/925-everything-you-need-to-know-about-the-secret-recovery-phrase. Accessed 8 Jan. 2021.