
Phishing Scam Targeting MetaMask Crypto Wallet Holders Nets $650,000; Default Settings Stored Seed Phrases in iCloud

MetaMask, a popular crypto wallet app, is being targeted because of a design flaw in its iOS version. A phishing scam built around a call that appears to come from Apple can drain MetaMask wallets by way of a default setting that can fairly be called a security flaw: the app writes the seed phrase needed to restore remote access to a wallet into iCloud backups unless the user manually disables this behavior.

Most popular Ethereum crypto wallet has been writing seed phrases to cloud backups

The MetaMask crypto wallet is the one most commonly used by holders of Ethereum cryptocurrencies; publisher ConsenSys estimates that it had over 30 million active users as of March.

The phishing scam begins with a call that is spoofed to appear to be coming from a legitimate number listed by Apple’s online store. A fake Apple customer service agent tells the recipient that their account has been compromised and that they will be sending a one-time code to the phone to verify that the target is the account owner. Of course, this code is part of a credential reset attempt by the attacker (likely using the iForgot feature).

This alone should not allow an attacker to drain a crypto wallet. But MetaMask has a default setting, apparently unbeknownst to many users, that automatically writes the recovery seed phrase for the wallet to the user’s iCloud backups. With access to the target’s Apple account, the hacker can retrieve the seed phrase and drain the crypto wallet within seconds by using a purpose-built script.

Thus far, only one MetaMask user, Domenic Iacovone, has been verified to be hit by the phishing scam, but it was quite the haul. The target was plundered for a total of $650,000 worth of assets: $250,000 in Tether, $160,000 in ether, $100,000 in Ape Coin, and a Mutant Ape Yacht Club NFT valued at $80,000 among other items.

The 12-word seed phrase is essentially a password that allows holders of wallets a way to re-establish access if they lose it. Needless to say, it’s supposed to be protected as any other important password would be, which includes not writing it in plaintext to documents in cloud storage. Yet this is exactly what the MetaMask app was doing; seed phrases will be written to iCloud automatically unless the user goes into the “Manage Storage” settings and turns off the app’s backup capability.
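The failure described above is that the seed phrase lands in the backup set by default. On iOS the fix is on the app side: keep the secret in a Keychain item with a *ThisDeviceOnly* accessibility class (such items are excluded from iCloud and iTunes backups and from Keychain sync), and flag any vault file the app does write to disk so the backup daemon skips it. The Swift below is an added example of that pattern, not MetaMask's own code; the service and account names are assumed placeholders.

```swift
import Foundation
import Security

// Added example (not MetaMask's code): keeping a wallet seed phrase out of
// iCloud backups. Service/account identifiers below are constructed for the demo.
let seedService = "example.wallet.seed"   // assumed identifier
let seedAccount = "primary"                // assumed identifier

enum SeedStoreError: Error { case osStatus(OSStatus) }

/// Stores the mnemonic as a generic-password Keychain item with
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly. Items in the *ThisDeviceOnly*
/// classes are never migrated into a device backup, so an attacker who takes
/// over the Apple ID and restores the backup elsewhere does not receive the phrase.
func storeSeedPhrase(_ mnemonic: String) throws {
    let data = Data(mnemonic.utf8)
    // Remove any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: seedService,
        kSecAttrAccount as String: seedAccount,
    ]
    _ = SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    addQuery[kSecValueData as String] = data
    // The line that matters: not backed up, not synced to other devices.
    addQuery[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw SeedStoreError.osStatus(status) }
}

/// Reads the phrase back for the wallet's own use; returns nil if none is stored.
func loadSeedPhrase() throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: seedService,
        kSecAttrAccount as String: seedAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = result as? Data else {
        throw SeedStoreError.osStatus(status)
    }
    return String(decoding: data, as: UTF8.self)
}

/// For any file the app must keep on disk (for example an encrypted vault),
/// set the per-file exclusion flag so backupd skips it. The flag belongs to the
/// file, not the path: it must be re-applied whenever the file is recreated.
func excludeFromBackup(_ fileURL: URL) throws {
    var url = fileURL
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try url.setResourceValues(values)
}

// Usage (constructed sample mnemonic, not a real wallet):
// try storeSeedPhrase("abandon abandon abandon ... about")
// let phrase = try loadSeedPhrase()
// try excludeFromBackup(vaultURL)
```

The trade-off a practitioner should state explicitly: a *ThisDeviceOnly* item is also absent when the user restores a backup onto a new phone, so the wallet must tell the user to keep their own offline copy of the phrase. For the app as shipped, the user-side mitigation is the one the article names: turning off the app's backup under iCloud's "Manage Storage" settings.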

Phishing scam easily defused with a little basic knowledge

Disabling the automatic backup of a crypto wallet’s seed phrase is an important thing to do, of course, but this particular phishing scam can be evaded in an even simpler way: by knowing that Apple never calls users to tell them it believes an account has been breached. Apple has been known to send messages to users who may have been compromised in rare cases, as it did for phones potentially hacked by the Pegasus spyware, but it will not “cold call” someone asking for a verification code. Had the victim known this, they could have safely ignored the call.

Nasser Fattah, North America Steering Committee Chair for Shared Assessments, adds: “Often when we back up our iPhones to the cloud, we don’t think of what to exclude in the event our Apple credential is compromised. Backups are often all or nothing. Additionally, there is certain information, like passwords or PINs, that should be deemed suspicious when being requested by support staff. When in doubt, or if you’re getting the heebie-jeebies, then it is time to stop engaging with the requester and call the official number of the entity that is asking for one’s sensitive information.”

While this is a relatively easy attack to defuse (as phishing scams go), there are certainly many among MetaMask’s estimated 30 million users that don’t follow tech security news and will not be aware that their seed phrase is sitting in their iCloud account. Security analysts are thus expecting a rash of attacks of this type now that the news is out. MetaMask posted a warning about the default settings to its Twitter account on April 18, but it is not clear if it directly contacted its crypto wallet customers to warn them about the potential phishing scam.

MetaMask is coming off of news of a critical vulnerability in its underlying code that could expose the IP addresses of mobile users upon receipt of a malicious NFT. After a cryptographer uncovered the issue, the founder of MetaMask admitted that the company had known about it for “a long time” and that a fix was not yet in the works. While exposing an IP address might not appear to be a major issue, it is more serious in the crypto world as it could potentially lead someone back to the identity of an anonymous wallet holder.

And the issue emerges amidst broader concerns about Ethereum’s planned switch to a “proof of stake” system, which could open it up to a variety of the security issues that currently plague other decentralized finance (DeFi) platforms. The move is planned for the summer, and markets have generally been bullish on it, given promises of reduced energy use and reduced transaction fees as well as increased activity. But there is a substantial movement against it that focuses primarily on these security concerns (which go far beyond phishing scams), as demonstrated by recent “flash loan attacks” and other takeovers of the majority consensus systems that underpin proof-of-stake.

Dave Cundiff, Vice President of Member Delivery for Cyvatar, provides some examples of what this might mean: “As today’s technology becomes increasingly more complex, users sometimes mistakenly assume that successful attacks will need to be equally complex. All items currently leveraging blockchain or web3 still rely on the fundamental building blocks of infrastructure. Servers, networking, users, authentication, etc. are all still fundamental pieces within the overall uses of these new technologies. As such, sometimes deceptively simple attacks can allow for these types of successes on the part of the attacker. However, unlike a federally or institutionally insured banking entity, there is currently limited recourse to recovery of funds. No matter the banking entity you are working with, whether it be a cryptocurrency wallet or a traditional brick-and-mortar bank, NEVER follow text message instructions … Anytime you receive a text message saying you need to reset something, it is imperative to go to the standard website from a different device to make the requested change.”