Metamask Scam in the Metaverse

March 1st · 6 min read

Guardio Research Team

The Guardio security team has discovered a network of sophisticated crypto attacks chaining the most prominent brands and targeting the MetaMask wallet. One single Metaverse scam has already siphoned hundreds of thousands of dollars. This fake Metamask scam is creating a whole new category of attacks on the back of the rise of Web3 and the Metaverse.

Metaverse is the latest buzzword that’s doing the rounds in today’s tech circles. It’s a utopian promise of a decentralized open web, out of the reach of big corporation control (ahem, Meta - and no, the new name is not a coincidence...), all backed by blockchain technologies. Ask prominent Metaverse and NFT aficionados what life could look like in just a few years from now, and you’ll probably get a slew of answers variously describing a complete, fulfilling existence lived entirely online, in a joyously vivid Virtual Reality (VR).


So what does the Metaverse look like right now?

Well, we’re not there yet. Far from it. The vision is still very much just a vision. Currently, multiple platforms are trying to put down roots and “become” the one true Metaverse. And in a market with no consensus, there are just standalone, independent fragments at the moment. Several companies have created building blocks, but there is no fluid connectivity between them. The kids haven’t figured out how to play together nicely yet, so there is no one world, just bits and pieces.


Platforms like Decentraland and The Sandbox are just two examples of the many fighting it out for ownership of the Metaverse. And actually, the proposition is more or less always the same. Join up, start buying goods and property with non-fungible tokens (NFTs) and begin building whatever you want. Yep - virtual real estate investments are already a big thing, and the sums of money exchanged are already eye-watering, with deals reaching values of hundreds of thousands of dollars. It smells like “the next bitcoin,” and consumers want in. The FOMO is real... The Metaverse may not yet be fully formed, but the prices are. And where there’s money, there are those who would happily take it by any means. Yep, there are now Metaverse scams.

How did we get to Metaverse Scams?

So, if we’re honest, Blockchain is not exactly the easiest thing to get your head around. Recent advancements have come a long way in reducing the complexity, thereby making it way more accessible to average, non-tech users. The scene is now way more open to casual users who are looking to dip their toes in the crypto world. Serious users still need some serious technical knowledge, and physical hardware and certain crypto-wallets still dominate the market.

But extensions like MetaMask have made giant leaps by abstracting away lots of the inner workings of blockchain technology. This continues to eliminate the need for a deep understanding and to open up the market. Instead of unfathomable terminology, these extensions present a user-friendly interface and offer simple integrations with relevant sites and platforms. And on the other side of the equation, these simple integrations provide blockchain creators simple access to both provable identities of users and a means to transfer ownership of currency and NFTs in a decentralized way. So far so good. Sounds like the playing field is leveling out nicely, thank you very much. Well, not quite.

As we know (or those of us who are cynical enough know), the simpler and more accessible access to accounts and currency becomes, the easier it becomes to fool, manipulate, and exploit. At Guardio, we are constantly monitoring malicious actors right across the breadth and depth of the web. And we’re seeing a sharp increase in both interest and sophistication in hitting Metaverse targets. Every day, hundreds of new sites are tricking their way to the top of Google search results using malvertising techniques. These malicious websites usually have a very short lifespan, but they have one goal, and they still manage to defraud large numbers of users in this small timeframe. Even in the brave new world of the Metaverse, it’s all the same old scams, tricks, and deceptions being used - just with fewer user safeguards and a lot less fraud awareness. In this world, the casual browser is more open to fraud and a Metaverse scam than ever.

So let’s reverse engineer just one example we came across involving a fake MetaMask interface. Usually, crypto wallets have a secret combination of words associated with them that, in turn, help derive the private key used for proving your ownership over the wallet. Now if, for some reason, you give these words away to a party you don’t know, or wouldn’t trust, you’re essentially allowing them to duplicate your wallet and make transactions on your behalf. You just handed over control of your money to persons unknown... Ouch. But, of course, you wouldn’t do that. Would you? Well, you might be surprised.


From the side of the malicious actor, stealing a recovery password used to be almost impossible. Old school Blockchain users know what they’re doing, and everything was securely hidden under lock and key, deadbolts, chains, and 67 padlocks. But now users are encouraged to share their passwords and phrases for smoother integrations, accounts are shared and accessed from platform to platform. Users get used to typing in their security details every time they need to sign in to one of the various Metaverse platforms. And, of course, passwords are forgotten and need to be recovered. Suddenly cracks start to appear all over the place....

In this fake MetaMask scam, we can see that genuine MetaMask users are targeted as they try to sign in (and if it wasn’t so damn horrible, you’d almost applaud the sophistication and handiwork - it’s very nearly flawless). The attacker has made a pixel-perfect copy of a sign-in page that is designed not to work. In bygone days, crypto holders would never ever give out their security details - and no one would bother to ask. But in the not-yet-fully-formed Metaverse, the attacker just has to ask nicely for keyword phrases, and unknowing users, used to signing up and in every 5 minutes, well, they happily oblige. The attacker has copied and patched chunks of the real UI, and the untrained eye has no way of knowing the difference between a regular pop-up window and an in-page HTML component. The fake MetaMask looks and feels exactly like a MetaMask sign-in request. How would you even know to think twice? So our unwitting user tries to sign in and obviously fails. And then, of course, they go to recover their account and hand over their prized recovery keyword phrases. The attacker now owns their account. Done. It’s that terrifyingly simple...


Our amazing security team at Guardio wrote a full, technical explanation of how they discovered this fake MetaMask scam right here.

Tips & Tricks

So how can you stay safe and still experience the Metaverse as an early adopter? Here are a couple of easy tips to help you be aware of scams when using your hot wallet:

  • Never share your recovery phrase with anyone, no matter how convincing they might be.

  • A website URL should never show at the top of the opened MetaMask UI. Whenever the real MetaMask notification is shown it is provided by the extension itself and is NOT related to a specific website.

  • Make sure the website you are visiting is the real thing. Obvious right? Many up-and-coming platforms in this niche have non-standard URLs that make it easy for scammers to impersonate. As much as possible, avoid navigating to these websites from ads (i.e. above search results). This is THE prime location for malicious ad campaigns.

  • Pay attention to sites and pages that ask you to log in, and to whether it feels right or not. Again - totally obvious. But remember, every time you sign in, you’re handing over security information. And if this is your wallet, make sure you’re protecting it with every instinct you have. Technology may be at a fundamental level “just” code, but often it also just feels right, and sometimes it feels wrong. Pay attention to your gut.
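
The second tip above can also be checked mechanically: a wallet prompt drawn by a website's own HTML, rather than by the extension, that asks for a recovery phrase is the pattern described in this post. The sketch below is an added example, not Guardio's or MetaMask's code; the function names, sample URLs, extension ID placeholder, and the assumption of BIP-39 phrase lengths (12 to 24 words) are illustrative.

```javascript
// Added example: heuristic that flags web content asking for a wallet recovery phrase.
// Assumption: BIP-39 phrase lengths, as used by MetaMask-style wallets.
const PHRASE_LENGTHS = new Set([12, 15, 18, 21, 24]);
const PHRASE_PROMPT = /\b(secret recovery phrase|recovery phrase|seed phrase|mnemonic)\b/i;

// Count <input> tags a user could type words into (text, password, or no type).
function countWordInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.filter((tag) => {
    const m = tag.match(/\btype\s*=\s*["']?([a-z]+)/i);
    const type = m ? m[1].toLowerCase() : "text";
    return type === "text" || type === "password";
  }).length;
}

// Returns { suspicious, reasons } for a page URL and its HTML source.
function assessPage(url, html) {
  const reasons = [];
  const protocol = new URL(url).protocol;
  const servedByWebsite = protocol === "http:" || protocol === "https:";
  const visibleText = html.replace(/<[^>]*>/g, " ");
  const attrText = (html.match(/\b(?:placeholder|aria-label)\s*=\s*"[^"]*"/gi) || []).join(" ");
  const asksForPhrase = PHRASE_PROMPT.test(visibleText) || PHRASE_PROMPT.test(attrText);
  const inputs = countWordInputs(html);
  const hasPhraseField = PHRASE_LENGTHS.has(inputs) || /<textarea\b/i.test(html);

  if (asksForPhrase) reasons.push("text prompts for a recovery phrase");
  if (PHRASE_LENGTHS.has(inputs)) reasons.push(`${inputs} word inputs match a phrase length`);
  if (asksForPhrase && servedByWebsite) reasons.push("prompt is web content, not extension UI");
  return { suspicious: servedByWebsite && asksForPhrase && hasPhraseField, reasons };
}

// Constructed samples: a look-alike in-page form, the same prompt on an
// extension origin (placeholder ID), and an ordinary site login.
const wordBoxes = Array.from({ length: 12 }, (_, i) => `<input type="password" name="w${i + 1}">`).join("");
const SAMPLES = {
  fakeInPage: ["https://wallet-login.example/connect",
    `<div class="popup"><h2>Reset wallet</h2><p>Enter your Secret Recovery Phrase</p>${wordBoxes}</div>`],
  extensionUi: ["chrome-extension://extension-id-placeholder/home.html",
    `<h2>Reset wallet</h2><p>Enter your Secret Recovery Phrase</p>${wordBoxes}`],
  siteLogin: ["https://shop.example/login",
    `<form><input type="text" name="user"><input type="password" name="pw"></form>`],
};

for (const [name, [url, html]] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(assessPage(url, html)));
}
```

Only the first sample is flagged: the identical prompt on the extension's own origin passes, which is the distinction the tip asks users to make by eye.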
