Understanding the MetaMask KYC Phishing Attack

Scams involving cryptocurrencies have been around for a very long time. Cybercriminals offer free transfer of money, bitcoin giveaways, other people's credentials, and scarce mining equipment to potential victims in the hopes of luring them into their scams so that they can steal cryptocurrency from other people's accounts. A new scam targeting MetaMask crypto wallet owners has surfaced, and we'll take a look at it.

MetaMask is a wallet for all types of tokens based on the Ethereum blockchain (both regular and non-fungible ones, aka NFTs). The wallet can be added as an extension to desktop browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave. Additionally, there are apps available for both iOS and Android. On a decentralised network, purchases can be made; content can be created and monetized; and MetaMask can be used to do all of these things.

Access is protected by a user password and an app-generated private key composed of 64 alphanumeric characters, as well as a seed group of words—a series of 12 (less frequently 24) words.

And while almost all people who have a crypto wallet know that the password and private key should not be shared with anyone, some people, especially those who are new to cryptocurrency, don't think it's important to keep the seed phrase secret.

It is important to keep in mind that the seed phrase is basically a verbal representation of the private key, which will enable you to regain access to the account if you forget it. Anyone who obtains your seed phrase will be able to access your account and access your crypto assets if they know how to do so. This is the reason why scammers are interested in it.

How the MetaMask KYC Scam Happened

The phishing email, which gives the impression that it was sent from the MetaMask support team, pretends to be a Know Your Customer (KYC) validation request. It also has convincing branding and does not contain any typos or other apparent scam giveaways.

Receiving a KYC request is not necessarily out of the ordinary because it is a part of the standard anti-money laundering legal responsibilities that financial companies are required to abide by.

MetaMask does not require users to verify or provide KYC information, but dealing with verification requests can be a real hassle, which may lead recipients to be less cautious.

Phishing attempts typically involve a sense of urgency, and the perpetrators of the scam even go so far as to give the victims a generous amount of time—up to an entire month—to take the necessary steps to authenticate themselves. This is another red flag that the request may not be genuine, given that the scam typically involves urgency.

If the victim clicks the button, they are taken to a spoofed landing page that looks like the real MetaMask website.

The phishing website even provides a warning to its visitors, instructing them to take care and ensure that their passphrase is always properly secured.

The real domain for MetaMask is "metamask.io," but the phishing page uses "metamask.io-integrated-status.com," which might be mistaken for the original by users who aren't paying attention.

If victims enter their passphrase on the malicious website, the information is sent directly to the malicious hackers. If this occurs, the adversaries typically do not wait very long before taking action and stealing the victim's remaining funds and NFTs.

Protecting your MetaMask wallet from phishing attempts

Cryptocurrency investors are constantly being targeted by fraudsters who employ novel and ever more sophisticated methods to steal their money. However, there are tell-tale signs that can be used to spot a scam a mile away. In most cases, adhering to these basic safety precautions is all that is required to protect against unwanted visitors:

• Avoid e-mails and messages that ask for money or threaten to close an account, or on the other hand, offer a quick-money scheme.
• Pay close attention to the address of the sender. It is almost certain to be a scam if the name of the company is misspelled or if the domain is nothing more than a collection of arbitrary characters.
• Be extremely cautious with the information and credentials you use to access your account and your money. Gain an understanding of the operation of the crypto wallet security solution, the information that the customer support may request from you, and the information that you must under no circumstances reveal to anyone else.
• Make use of a trustworthy solution that offers protection against phishing and other forms of online fraud to assist in keeping your money safe from various types of scams.

In conclusion, ensure that multi-factor authentication (MFA) is turned on for every one of your online accounts, even if it is only an optional safety measure.

‍