
You can’t hide behind a mask: how MetaMask gets hacked and ways to prevent it

Tanja Nechet

News editor

Aug 1, 2022 at 07:27

Cybersecurity company Halborn warned about a new phishing campaign targeting users of one of the most popular cryptocurrency wallets, MetaMask. The attackers sent out emails and tricked users into giving their passphrases.

The fake emails started being sent out at the end of July. The only way to tell them from genuine ones was to look closely and be very suspicious (and we all repeatedly click through or skip without reading the content). The phishing emails had a branded header and the MetaMask logo. The text urged users to comply with Know Your Customer (KYC) rules and verify their wallets.

The only giveaways were spelling mistakes, a fake sender’s email address, and a fake domain.

As soon as the victim enters the requested passphrase, they are redirected to the real MetaMask site, so the user will think everything is fine for a long time. Meanwhile, the fraudsters already have the information about the cryptocurrency wallet and get full access to the victim’s digital assets.

An example of a fake letter. Image: halborn.com

Don’t go to fake sites

The only official MetaMask website is https://metamask.io. It is the only place from which you should download and install the cryptocurrency wallet application. Hackers often create fake copies of the MetaMask site and use Google Ads to make their links appear at the top of Google search results. If you install such a fake wallet, the data you enter falls into the hands of fraudsters immediately. Therefore, always use only the official version of MetaMask!
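A link can be checked against that single official host before it is opened. The sketch below is an added example, not code from MetaMask or Halborn; the function names, the edit-distance threshold of 2 and the sample links in the usage comment are assumptions chosen for illustration.

```javascript
// Added example: classify a link against the one official host named above.
const OFFICIAL_HOST = "metamask.io";

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // value for (i-1, j-1)
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1,
        diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function classifyLink(link) {
  let url;
  try { url = new URL(link); } catch { return "invalid"; }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Only the exact host or a true subdomain of it counts as official.
  if (host === OFFICIAL_HOST || host.endsWith("." + OFFICIAL_HOST)) {
    return url.protocol === "https:" ? "official" : "official-host-insecure";
  }
  const labels = host.split(".");
  // Non-ASCII look-alike letters are normalised to punycode ("xn--") by the parser.
  if (labels.some((l) => l.startsWith("xn--"))) return "lookalike";
  // Brand name embedded in a foreign domain, e.g. metamask.io.<something>.
  if (host.includes("metamask")) return "lookalike";
  // Near-miss spelling of the registrable part (assumed threshold: 2 edits).
  if (editDistance(labels.slice(-2).join("."), OFFICIAL_HOST) <= 2) {
    return "lookalike";
  }
  return "unrelated";
}

// Constructed sample links:
//   classifyLink("https://metamask.io/download")
//   classifyLink("https://metamask.io.wallet-kyc.example/verify")
//   classifyLink("https://metarnask.io/")
```
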

Don’t flash your seed phrase

The most common way people get hacked is by revealing the wallet’s seed phrase. As you know, when you create a MetaMask wallet, it shows you an initial 12-word phrase that allows you to recover your wallet in an emergency. These 12-word initial phrases are actually a readable representation of the private key that protects that wallet. To secure your wallet, you must never show the phrase to anyone.

Join channels more carefully

Another common attack targets people who join the Discord or Telegram channel of some new project. A lot of scammers are waiting for you there.

If you begin to ask questions or clarify something, such people can send you direct messages or even call you, offering “technical support.” They will ask you to go to some third-party resource or to give them your data. Outwardly, their accounts will seem quite honest: such cheaters often steal and use the names of the real founders of the project. Remember that the support representative or the project’s founder will never contact you. So immediately delete such messages or block the users.

Sophisticated types of phishing can even happen through multiple communication channels at once: email, Telegram, and Discord.

Malware and keyloggers

Ensure your computer is protected from viruses, malware, and keyloggers with up-to-date anti-virus software and updates. Some major crypto investors even have separate crypto-only computers. This way, they eliminate the risk of catching a virus on any site during routine chores.

You could inadvertently install a keylogger on your computer when watching a movie or downloading something. This program records your keystrokes (and thus gives the hacker your password). This does not apply to those who still use passwords of the “12345” or “qwerty” type (you asked for it yourself).

Tricky transactions

Some fraudulent sites may ask you to sign one or more transactions. Real decentralized exchanges (DEX) invite you to do this too. But each of these requests asks you to allow the site to spend an unlimited amount of coins or tokens from your wallet, and this is what fake sites take advantage of. By giving such permission one more time, you may be left with an empty cryptocurrency wallet.
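The spending permission described above is visible in the transaction's calldata before you sign. The following is an added example, not code from MetaMask or from the article: it decodes the standard ERC-20 `approve(address,uint256)` call and flags unlimited or larger-than-intended allowances. Going slightly beyond the text, it also recognises the NFT equivalent `setApprovalForAll(address,bool)`. The function name, risk labels and sample spender are assumptions.

```javascript
// Added example: inspect calldata of a signing request for token approvals.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "095ea7b3": "approve",           // ERC-20 approve(address,uint256)
  "a22cb465": "setApprovalForAll", // ERC-721/1155 setApprovalForAll(address,bool)
};

// `intended` (optional BigInt) is the amount the user actually means to spend.
function inspectCalldata(data, intended = null) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) return { kind: "invalid" };
  const kind = SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "other" };
  // Both calls carry exactly two 32-byte ABI words after the 4-byte selector.
  if (hex.length !== 8 + 128) return { kind: "invalid" };
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // low 20 bytes of word 1
  const word2 = BigInt("0x" + hex.slice(8 + 64));
  if (kind === "setApprovalForAll") {
    return { kind, spender, risk: word2 !== 0n ? "all-tokens" : "revoke" };
  }
  let risk = "limited";
  if (word2 === 0n) risk = "revoke";
  else if (word2 === MAX_UINT256) risk = "unlimited";
  else if (intended !== null && word2 > intended) risk = "excessive";
  return { kind, spender, amount: word2, risk };
}

// Constructed sample requests (the spender address is made up).
const SPENDER_WORD = "0".repeat(24) + "ab".repeat(20);
const word = (n) => n.toString(16).padStart(64, "0");
const SAMPLES = {
  unlimited: "0x095ea7b3" + SPENDER_WORD + "f".repeat(64),
  exact: "0x095ea7b3" + SPENDER_WORD + word(1000n),
  tooMuch: "0x095ea7b3" + SPENDER_WORD + word(5000n),
  allNfts: "0xa22cb465" + SPENDER_WORD + word(1n),
  transfer: "0xa9059cbb" + SPENDER_WORD + word(1000n), // not an approval
};

function summarize(intended) {
  const out = {};
  for (const [name, data] of Object.entries(SAMPLES)) {
    const r = inspectCalldata(data, intended);
    out[name] = r.risk || r.kind;
  }
  return out;
}
```

An "unlimited" or "excessive" result is the cue to reject the request or lower the allowance to the amount you actually intend to spend.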

Fake airdrops in Discord or Telegram (specially dedicated to freebie lovers)

When you find a new project which seems interesting and worth investing in, you often have to join the project’s Discord or Telegram channels to get more information. After that, your personal account begins to be flooded with various messages. Among them will be advertisements for an “airdrop,” “giveaway tokens,” or other sweet freebies. And in almost 100% of cases, it’s a scam!

Dust in your eyes

Another common scam method is called a “dust attack,” when a scammer sends you some amount of tokens nobody knows about. These, in turn, are linked to malicious smart contract code that empties your wallet when you try to sell these obscure tokens or get rid of them in any other way. Apparently, this is why MetaMask doesn’t show tokens that the user didn’t add themselves. You will only see them if you enter your wallet address into the appropriate blockchain explorer (etherscan, bscscan, snowtrace, etc.). If you find unknown or suspicious tokens in your wallet, it is better to ignore them altogether.

A hardware wallet will help avoid most of these problems, for example the Trezor Model T or the Ledger Nano X. And don’t forget the most essential and most straightforward thing: use all available encryption methods, use strong passwords and phrases, and never give your credentials or seed phrase to anyone.
