We’ve discovered an active network of sophisticated crypto attacks impersonating the most prominent brands and targeting the MetaMask wallet. These malicious actors have already siphoned hundreds of thousands of dollars and are setting the tone for a new category of attacks riding the rise of Web3 and the Metaverse.
“Metaverse” is the latest buzzword making the rounds in today’s tech circles. A promise of a decentralized open web we all can experience in new, immersive ways, outside the controlling reach of big corporations (ahem ahem, not you, Meta), and backed by blockchain technologies.
Today, this vision of the Metaverse is still very much just a vision. The current state of play is that multiple platforms are trying to put down roots and “become” the one true Metaverse. Platforms like Decentraland and The Sandbox are two examples of the few fighting it out for ownership. Another factor is the sheer size of the NFT economy right now, a market with a sales volume of over $25B in 2021 and with a record of $5B in January 2022 alone. The proposition is always similar — purchase virtual real estate and goods, build whatever you want, and explore the virtual world as your avatar.
Several advancements in Blockchain technology have made it much more accessible to the average user. In the past, diving into the blockchain world meant overcoming a multitude of technological hurdles and required very specific know-how.
Extensions like MetaMask have made vast strides in eliminating the need for a real understanding of the underlying principles, simply by abstracting away a lot of the inner workings. If you haven’t heard of MetaMask, it’s by far the most popular “hot wallet” browser extension with well over 20m users. It excels in providing a user-friendly interface and simple integration with participating websites. Easy integrations allow blockchain creators simple access to both provable identities of users and a means to transfer ownership of currency and NFTs in a decentralized way.
So far so good, right? Well, here’s where things get tricky. The more accessible and simple things become, the easier they are to manipulate and exploit. Guardio is constantly monitoring large numbers of malicious actors across the web, and we are witnessing increased interest in, and sophistication around, Metaverse-related targets. Every day, hundreds of new sites trick their way to the top of Google search results using malvertising techniques. These malicious websites usually have a shorter lifespan than a butterfly and aim purely to defraud as many users as possible in that short window. As it turns out, many of the old tricks used to scam casual internet users apply here as well, with even fewer safeguards on the browser’s end. Previous publications exploring the landscape of crypto-related phishing have covered similar techniques, but the category is constantly evolving, and we see it actively abused as the “crypto ecosystem” keeps growing.
Let’s start at the end. Nearly every crypto wallet has a secret combination of words tied to it (the recovery phrase) that in turn is used to derive the private key proving your ownership of the wallet. By giving these words to an untrusted party, you are essentially allowing them to duplicate your wallet and make transactions on your behalf. Scary.
As the Metaverse crowd is usually tech-savvier than the average phishing and scam targets, we see malicious actors go out of their way to make pixel-perfect copies of the real platforms. They do this with relative ease by copying and patching chunks of the original websites, but the real skill lies in the way they exploit the look-and-feel of original interfaces. And one of the examples we found is a scam targeting the MetaMask interface.
By abusing the fact that the real MetaMask is hard to tell apart from a regular pop-up window or an in-page HTML component, malicious actors were able to forge the MetaMask UI perfectly and trick people into giving away their recovery passphrases simply by asking nicely. What might seem unheard-of among crypto hodlers is actually a perfectly reasonable request to make of the average Joe.
As part of our ongoing research into malicious campaigns, the Guardio research team became aware of novel phishing campaigns targeting would-be Metaverse users.
Like many research candidates we come across, we quickly realized there had to be a large operation at play and immediately set our sights on understanding its full scope.
The vast majority of the websites seen participating in the sting are “flying under the radar” and remain undetected by browser protection tools, built-in or otherwise. In addition, they are closely related to malvertising campaigns targeting Google Adwords in order to scam their way to the top of search results for related keywords, hinting at the vast resources available to the attackers.
The campaign in question uses a variety of domain typo-squatting techniques. By compiling a list of known, verified crypto sites and measuring edit distances and other text-similarity metrics, such as Levenshtein distance and letter histograms, we were able to match large numbers of similar-looking domain names impersonating the original sites.
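To make the matching step concrete, here is an added example (not Guardio’s own tooling) that flags look-alike domains against a small allow-list of brand domains using the two techniques named above: Levenshtein edit distance, which catches single-character swaps and homoglyph tricks like “rn” for “m”, and a letter-frequency histogram comparison, which catches transpositions that edit distance scores as two edits. The brand list, the candidate domains and the thresholds are constructed sample values, and the suffix handling is deliberately naive (it assumes a one-label public suffix such as “.io”); a production pipeline would use the Public Suffix List instead.

```python
import re
from collections import Counter

# Constructed allow-list of "known, verified" brand domains (sample values).
KNOWN_DOMAINS = ["metamask.io", "opensea.io", "decentraland.org", "sandbox.game"]

# Constructed candidates, as they might appear in a registration or traffic feed.
CANDIDATES = [
    "metamask.io",                # the real thing
    "metarnask.io",               # 'rn' stands in for 'm'
    "meta-mask-wallet.io",        # brand embedded in a longer label
    "opensae.io",                 # transposed letters
    "login.decentraland-app.org", # brand plus a generic suffix, behind a subdomain
    "example.com",                # unrelated
]


def core_label(domain: str) -> str:
    """Registrable label with non-alphanumerics removed.
    Naive: assumes a single-label public suffix (the last dotted part)."""
    parts = domain.lower().strip().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def histogram_similarity(a: str, b: str) -> float:
    """Cosine similarity of letter-frequency histograms. Order-insensitive, so a
    transposition such as 'opensae' vs 'opensea' scores exactly 1.0."""
    ha, hb = Counter(a), Counter(b)
    dot = sum(ha[c] * hb[c] for c in ha)
    na = sum(v * v for v in ha.values()) ** 0.5
    nb = sum(v * v for v in hb.values()) ** 0.5
    return dot / (na * nb) if na and nb else 0.0


def classify(candidate: str, known=KNOWN_DOMAINS, max_edits=2, min_hist=0.97):
    """Return (verdict, matched_known_domain, edit_distance, hist_similarity).
    verdict is 'legitimate', 'suspect' or 'unmatched'. Thresholds are constructed."""
    cand = candidate.lower().strip()
    label = core_label(cand)
    best = None
    for k in known:
        # Exact brand domain, or a subdomain of it, is the legitimate site.
        if cand == k or cand.endswith("." + k):
            return ("legitimate", k, 0, 1.0)
        brand = core_label(k)
        d = levenshtein(label, brand)
        h = histogram_similarity(label, brand)
        embedded = brand in label and label != brand   # e.g. 'metamaskwallet'
        if d <= max_edits or h >= min_hist or embedded:
            if best is None or d < best[2]:            # keep the closest brand
                best = ("suspect", k, d, h)
    return best or ("unmatched", None, None, None)


def scan(candidates=CANDIDATES, known=KNOWN_DOMAINS):
    """Classify every candidate; returns (candidate, verdict, match, dist, hist)."""
    return [(c, *classify(c, known)) for c in candidates]


if __name__ == "__main__":
    for row in scan():
        print(row)
```

The three signals are complementary: edit distance handles substitutions and homoglyphs, the histogram handles reorderings, and the embedded-brand check handles the very common “brand plus a generic word” pattern that both metrics score as far away. Hits from this stage are only candidates; the article’s next step, correlating them by shared hosting and registration metadata, is what turns a list of look-alikes into a campaign.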
Using our data-driven capabilities for analyzing internet traffic, we were able to further correlate and expand the list based on shared IP addresses, domain registration metadata, and browsing behavior, such as the originating domains that referred users to the phishing sites.
Since phishing operations like these rely on their ability to deploy and iterate at speed across large numbers of domains, our analysis of previously seen domains was a good start, but not quite sufficient to completely flush out the campaign going forward.
These phishing campaigns can be broadly divided into two main MetaMask impersonation methods:
With these insights in mind, we were able to leverage Guardio’s research engine to deploy a wide net amongst our userbase, looking for a behavior matching the attackers’ tactics. As a browser extension, Guardio is able to inspect and intervene in multiple phases of a website’s lifecycle. Techniques used to further analyze this campaign in the wild included:
Leveraging all of these capabilities, we were able to roll out dynamic blocking rules that both protect our users and inform them about these kinds of phishing campaigns in real time, including future campaigns that reuse the same techniques.
So how can you stay safe and still experience the Metaverse as an early adopter? Here are a couple of tips to help you stay on top of scams when using your hot wallet:
Guardio is a cyber-security startup bringing cutting-edge browsing protection to over 1M users worldwide. Our industry-leading research into consumer-facing threats is at the forefront of technology; stay tuned for more interesting publications. Also, we’re hiring.