Over the last week, users of the MetaMask cryptocurrency wallet service have been losing funds through a malicious Google ad campaign. MetaMask, which has over one million users, is an Ethereum wallet delivered as a browser extension that lets certain applications read from the blockchain. When a user installs the legitimate extension, they can either import an existing wallet or create a new one; in both cases a secret seed phrase grants access to the wallet.

Attackers targeted people who used Google to search for the MetaMask site by taking out a fraudulent search ad, which places a link to a fraudulent copy of the MetaMask site near the top of the search results. The phishing campaign is still active, with new domains being promoted through Google search ads.

Users who landed on the malicious site were prompted to install a malicious version of the browser extension, which then asked them to either import an existing wallet or create a new one. If the user chooses to create a new wallet, they are directed to the legitimate MetaMask site. If the user chooses to import an existing wallet, the page asks for the seed phrase, which is then sent to the attacker. As soon as the attacker has the seed phrase, they empty the associated wallet without the user's knowledge.

Blockchain forensics company CipherTrace identified three domains used in the scam: maskmeha[.]io, installmetamask[.]com, and meramaks[.]io. Victims who land on these pages have a hard time recognizing them as fraudulent because they appear identical to the legitimate MetaMask[.]io website.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense