“[The phishing request] comes from an account that looks ‘normal’ (but few followers), helpfully suggests filling out a support form on a major site like Google sheets (hard to block), [and] asks for your secret recovery phrase,” MetaMask tweeted today.
PHISHING ALERT!: a new type of phishing bot is becoming active.
Comes from an account that looks “normal” (but few followers)
Helpfully suggests filling out a support form on a major site like Google sheets (hard to block).
Asks for your secret recovery phrase. pic.twitter.com/EeHumnmzbE
— MetaMask (@MetaMask) May 3, 2021
MetaMask is a widely used browser extension that lets Ethereum users interact with Ethereum-based decentralized applications (dapps). The extension functions as a wallet: at setup it generates a 12-word seed (mnemonic) phrase from which every account's private keys are deterministically derived, so the phrase is the only secret needed to recreate the wallet. Anyone who has the 12 words can import them into any compatible wallet and drain every account they control.
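To make concrete why the 12 words alone are enough, here is an added example (not MetaMask's code) that walks the public, deterministic path from a BIP-39 mnemonic to the BIP-32 master key using only the Python standard library. The mnemonic and the "TREZOR" passphrase are the first reference vector from the BIP-39 test suite, so the expected seed is known; the empty-passphrase default and the check that the key lies inside the secp256k1 group order follow the BIP-39 and BIP-32 specifications.

```python
"""BIP-39 mnemonic -> seed -> BIP-32 master key, standard library only.

Added example, not MetaMask's own code. Every step is public and
deterministic: whoever holds the words (and the optional passphrase)
can recompute the wallet's root key on any machine.
"""
import hashlib
import hmac
import unicodedata
from typing import Tuple

# secp256k1 group order; BIP-32 requires the master private key to be in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# BIP-39 reference test vector (entropy of all zero bytes, passphrase "TREZOR").
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    Both inputs are NFKD-normalised first, as the spec requires. An empty
    passphrase is the default most wallets use, so the words alone suffice.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP-32: HMAC-SHA512(key=b"Bitcoin seed", msg=seed) -> (master key, chain code).

    Account keys (e.g. Ethereum's m/44'/60'/0'/0/i) are derived from this
    pair, so possession of the seed is possession of every account.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        # Astronomically unlikely; the spec says the seed is invalid in that case.
        raise ValueError("invalid master key for this seed")
    return master_key, chain_code


def recover_root(mnemonic: str, passphrase: str = "") -> Tuple[bytes, bytes]:
    """What an attacker runs on a stolen phrase: words -> seed -> master key."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("seed matches BIP-39 vector:", seed.hex() == TEST_SEED_HEX)
    key, chain = recover_root(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("master key:", key.hex())
    print("chain code:", chain.hex())
```

Note that the passphrase is part of the key material: the same words with a different passphrase produce an unrelated seed, which is why a BIP-39 passphrase (where a wallet supports one) limits the damage of a leaked phrase, and why the phrase with no passphrase is the complete secret.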
The damage done by this phishing attack isn’t yet known, but it appears from some of the replies to MetaMask’s PSA on Twitter that some users unwittingly shared their seed phrases with the attackers. “So there is no way to get back our token right?,” one user wrote. “Someone moved my .1, .5 eth to same wallet address,” wrote another.
Public blockchains record every transfer of funds, but the addresses involved are pseudonymous, so there is usually nobody to compel to give the money back and stolen funds are often irrecoverable. There is sometimes a chance, though: last summer, white-hat hacker Harry Denley broke into a phishing scam database and returned $16,000 of cryptocurrency to its rightful owner.
In another phishing attack last December, blockchain intelligence firm CipherTrace identified a malicious website impersonating MetaMask, which users would not be able to tell apart from the real one unless they paid attention to the site’s URL.
But seed phrase-stealing bots are everywhere on the Internet, and they are extremely quick.
Last May, one Reddit user reportedly lost $1,200 in Ethereum after mistakenly uploading their seed phrase to GitHub, a public code-hosting platform. In less than two minutes, an attacker used the stolen seed phrase to empty the wallet.
“I just want you all to be aware to NEVER have a digital copy of your mnemonic or private key,” the user, “tycooperaow”, wrote. MetaMask often advises users to keep their seed phrases offline, like on a piece of paper, and stash it somewhere safe.
The phishing bot attack comes at a time when MetaMask use significantly increased in a short span of time. The number of MetaMask users has grown by 500% over the last six months, according to its creator, blockchain software firm ConsenSys (which funds an editorially independent Decrypt).