Phishing targeting MetaMask users

Security researchers at Shreshta, using our threat intelligence platform SDINET, have identified a phishing website targeting MetaMask users. The phishing campaign has been circulating on the internet.

About MetaMask

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralised applications.

Image: screenshot of the phishing website metamask-securityupdate[.]com/mm impersonating MetaMask

Image: screenshot of the phishing page metamask-securityupdate[.]com/mm with a randomly entered MetaMask secret phrase

The phishing website prompts the user to enter their MetaMask secret phrase, supposedly in order to connect their account.

Image: screenshot of the phishing page metamask-securityupdate[.]com/mm accepting the fake phrase and showing a message that the MetaMask wallet is being connected

Threat Indicators
  • The domain name metamask-securityupdate[.]com was registered through Internet Domain Service BS Corp
  • Domain name registration date – 04-02-2023
  • The domain name resolves to the IP address 5.199.173.215
  • The IP address 5.199.173.215 belongs to AS16125 (UAB Cherry Servers)
  • AS16125 (UAB Cherry Servers) is based in Lithuania (Europe)
  • The phishing website accepts any phrase that is entered
  • The phishing website does not display an error message when a random phrase is submitted
  • After submission, the phishing page automatically redirects the user to the official MetaMask website
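The indicators above (the domain and the IP address it resolves to) can be turned directly into a detection. The following is an added example written for this post, not code from Shreshta or MetaMask: it scans constructed proxy log lines, flags any request to the known phishing domain or IP, and also flags any other host that contains the string "metamask" but is not on a small allowlist of legitimate domains. The allowlist (metamask.io) and the log format (timestamp, client IP, destination host, destination IP, path) are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above.
IOC_DOMAINS = {"metamask-securityupdate.com"}
IOC_IPS = {"5.199.173.215"}

# Assumed allowlist of legitimate MetaMask domains; adjust for your environment.
LEGIT_DOMAINS = {"metamask.io"}

# Constructed sample proxy log: timestamp, client IP, destination host, destination IP, path.
# Non-IoC addresses use documentation ranges (198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG = """\
2023-02-06T10:01:02Z 10.0.0.15 metamask.io 198.51.100.10 /
2023-02-06T10:02:11Z 10.0.0.15 metamask-securityupdate.com 5.199.173.215 /mm
2023-02-06T10:03:45Z 10.0.0.22 example.com 198.51.100.20 /index.html
2023-02-06T10:04:09Z 10.0.0.22 metamask-wallet-verify.example 203.0.113.9 /login
2023-02-06T10:05:00Z 10.0.0.31 support.metamask.io 198.51.100.11 /
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Finding:
    line_no: int
    client: str
    host: str
    dest_ip: str
    reason: str


def defang(host: str) -> str:
    """Render a hostname as metamask-securityupdate[.]com for safe reporting."""
    return host.replace(".", "[.]")


def is_allowlisted(host: str) -> bool:
    """True if host is a legitimate domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(host: str, dest_ip: str):
    """Return a reason string if the request is suspicious, else None."""
    if host in IOC_DOMAINS:
        return "known phishing domain"
    if dest_ip in IOC_IPS:
        return "known phishing IP"
    if "metamask" in host and not is_allowlisted(host):
        return "brand lookalike (metamask outside allowlist)"
    return None


def scan_log(text: str) -> list:
    """Parse log lines and return a Finding for every suspicious request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, host, dest_ip, _path = m.groups()
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        reason = classify(host, dest_ip)
        if reason:
            findings.append(Finding(n, client, host, dest_ip, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {defang(f.host)} ({f.dest_ip}): {f.reason}")
```

The lookalike rule is deliberately broad: a domain that merely contains the brand name is not proof of phishing, so in practice it is a triage queue rather than a block rule, while the exact domain and IP matches can be blocked outright.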
Image: screenshot of the actual MetaMask secret phrase recovery page

Image: screenshot of the actual MetaMask password reset page, where the secret phrase is used to reset the password
Tweet – MetaMask notifies its users and advises them not to click on any links.

Never share your Secret Recovery Phrase (SRP) with anyone. Sharing your SRP with someone would be like handing over the PIN code to your bank card or the keys to your house. It would allow that person to access and transfer all of your funds. The MetaMask team will never ask you for it. If anyone or any website asks you to share it, they’re trying to scam you.
