Phishing targeting MetaMask users

Security researchers at Shreshta , using our threat intelligence platform SDINET, have identified a phishing website targeting MetaMask users. A phishing campaign targeting MetaMask users has been doing the rounds on the internet.

About MetaMask

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralised applications.¹

Phishing website metamask-securityupdate[.]com/mm impersonating MetaMask

Image- screenshot of phishing website

Phishing website page metamask-securityupdate[.]com/mm with a random MetaMask secret phrase

Image – screenshot of randomly entered MetaMask secret phrase

The phishing website prompts the user to enter the user’s MetaMask secret phrase to connect the user’s account.

Phishing page metamask-securityupdate[.]com/mm accepts the fake phrase and shows a message

Image – screenshot of MetaMask wallet getting connected

Threat Indicators

The domain name metamask-securityupdate[.]com was registered by Internet Domain Service BS Corp
Domain name registration date – 04-02-2023
The domain name resolves to the IP address 5.199.173.215
The IP address 5.199.173.215 belongs to AS16125(UAB Cherry Servers)
AS16125(UAB Cherry Servers) is based in Lithuania (Europe)
The phishing website accepts any phrase that has been entered
The phishing website fails to display an error message when a random phrase is submitted
The phishing page automatically redirects the user to the official website of the MetaMask ¹

The actual phrase recovery page of MetaMask

Image – screenshot of reset password page of Actual MetaMask

The actual reset password page of MetaMask

Image – screenshot of password reset using the secret phrase

⚠️MetaMask does not collect KYC info and will never email you about your account!
Do not enter your Secret Recovery Phrase on a website EVER.
If you got an email today from MetaMask or Namecheap or anyone else like this, ignore it & do not click its links!https://t.co/EP0HGZFOfo pic.twitter.com/4CDtne24OK
— MetaMask 🦊💙 (@MetaMask) February 13, 2023

Tweet – MetaMask notifies its users and advises them not to click on any links.

Never share your Secret Recovery Phrase (SRP) with anyone. Sharing your SRP with someone would be like handing over the PIN code to your bank card or the keys to your house. It would allow that person to access and transfer all of your funds. The MetaMask team will never ask you for it. If anyone or any website asks you to share it, they’re trying to scam you.¹

Pranay Patil

Website | + posts