MetaMask Cryptocurrency Wallets Phished with Google Ads

Over the last week, users of the MetaMask cryptocurrency wallet have been losing funds to a malicious Google Ads campaign. MetaMask, which has over one million users, is an Ethereum wallet delivered as a browser extension that lets certain web applications read from the blockchain. When a user installs the legitimate extension, they can either import an existing wallet or create a new one; in both cases, access to the wallet is controlled by a secret seed phrase. The attackers targeted people who used Google to search for the MetaMask site by buying a fraudulent search ad that placed a link to a cloned MetaMask site near the top of the search results. The campaign is still active, with new domains being promoted through Google search ads. Users who landed on the malicious site were prompted to install a malicious version of the browser extension, which then asked them either to import an existing wallet or to create a new one. Users who chose to create a new wallet were redirected to the legitimate MetaMask site. Users who chose to import an existing wallet were asked for their seed phrase, which was sent to the attacker. As soon as the attacker obtained a seed phrase, they emptied the associated wallet without the victim's knowledge. Blockchain forensics company CipherTrace identified three domains used in the scam: maskmeha[.]io, installmetamask[.]com, and meramaks[.]io. Victims who land on these pages have a hard time recognizing them as fraudulent because they appear identical to the legitimate MetaMask[.]io website.

Analyst Notes

Any software, including browser extensions, downloaded from a website is a potential risk, and this campaign shows that even searching for the vendor's name in a popular search engine can lead to a malicious site that looks exactly like the legitimate one. Malicious links are usually pushed through spam email; a paid search ad placed above the organic results is a less familiar delivery channel, and because the cloned pages are visually identical to the real site, appearance alone cannot be used to tell them apart. Third-party download links are easy to fake and create a range of problems for the end user. If a third-party link has to be used, hovering the mouse over it will display the URL it actually points to; check that the hostname belongs to the vendor's official domain before clicking, or better, go directly to the vendor's official website to download the software. Because the seed phrase alone gives full control of a wallet, any page that asks for it should be treated with suspicion.
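A defender-side version of that hostname check, added here as an example that is not part of the original analyst notes or of MetaMask's own tooling: it refangs defanged indicators like the ones quoted above, allowlists the vendor's real domain, and flags hostnames that embed, mistype or scramble the brand name. The brand name, allowlist, edit thresholds, the two-label registrable-domain rule and the sample URL list are assumptions chosen for this example; the three scam domains are the ones CipherTrace named.

```python
from collections import Counter
from urllib.parse import urlparse

# Assumptions for this example: the brand being protected and its one
# legitimate registrable domain (the article names metamask.io).
BRAND = "metamask"
LEGITIMATE_DOMAINS = {"metamask.io"}

# Constructed sample input: the legitimate site, the three scam domains
# CipherTrace attributed to the campaign (in the article's defanged form),
# and an unrelated domain as a control.
SAMPLE_URLS = [
    "https://metamask.io/download.html",
    "hxxps://maskmeha[.]io/",
    "hxxps://installmetamask[.]com/extension",
    "hxxps://meramaks[.]io/import",
    "https://example.org/",
]


def refang(indicator):
    """Turn a threat-intel style 'hxxps://evil[.]example' back into a real URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def bag_difference(a, b):
    """Count characters that differ once letter order is ignored.
    One swapped letter (h for t in maskmeha vs metamask) scores 2."""
    ca, cb = Counter(a), Counter(b)
    return sum((ca - cb).values()) + sum((cb - ca).values())


def registrable_domain(host):
    """Return (registrable domain, its left-most label).
    Assumption: the last two labels form the registrable domain; a real
    deployment should consult the public suffix list instead."""
    labels = host.split(".")
    if len(labels) < 2:
        return host, host
    return ".".join(labels[-2:]), labels[-2]


def classify_url(url, brand=BRAND, legit=LEGITIMATE_DOMAINS, max_edits=2):
    """Classify a link target as legitimate, lookalike, unrelated or invalid,
    with a short reason. Only the hostname is examined: a clone's page
    content is identical to the real site, so it carries no signal."""
    host = (urlparse(refang(url)).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid", "no hostname"
    domain, name = registrable_domain(host)
    if domain in legit:
        return "legitimate", "allowlisted domain"
    if brand in host:
        # e.g. installmetamask.com or metamask.io.evil.example
        return "lookalike", "brand embedded in hostname"
    edits = osa_distance(name, brand)
    if edits <= max_edits:
        # e.g. meramaks: one substitution plus one adjacent transposition
        return "lookalike", f"{edits} edit(s) from brand"
    if len(name) == len(brand) and bag_difference(name, brand) <= 2:
        # e.g. maskmeha: the brand's letters reshuffled with one swapped out
        return "lookalike", "brand letters rearranged"
    return "unrelated", ""


def triage(urls):
    """Map each URL to its verdict; the lookalikes are what an analyst reviews."""
    return {url: classify_url(url) for url in urls}


if __name__ == "__main__":
    for url, (verdict, reason) in triage(SAMPLE_URLS).items():
        print(f"{verdict:<10} {url}  {reason}")
```

The heuristics are ordered from strongest to weakest: an allowlist hit is definitive, an embedded brand string is almost always a lure, and the edit-distance and rearranged-letters checks are triage signals that will occasionally flag an innocent domain and so should feed an analyst queue or a warning rather than a silent block. Run over proxy logs or a list of ad landing pages, it surfaces exactly the domains the article lists while leaving real MetaMask subdomains alone.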

Source Article: https://www.bleepingcomputer.com/news/security/metamask-phishing-steals-cryptocurrency-wallets-via-google-ads/