MetaMask Crypto-Wallet Theft Skates Past Microsoft 365 Security

Researchers have uncovered an email-based credentials phishing attack targeting users of MetaMask, a cryptocurrency wallet used to interact with the Ethereum blockchain.

The campaign is aimed at Microsoft 365 (formerly Microsoft Office 365) users and has targeted several organizations across the financial industry. According to the Armorblox research team, it starts with a socially engineered email, containing a link, that is designed to look like a MetaMask confirmation email.

When users click the link, they are taken to a fake MetaMask verification page that asks them to verify their wallet and warns that non-compliance will result in restricted access to the wallet.

The fake landing page uses MetaMask logos and branding to look like the real log-in page, and it uses urgent language to pressure the target into completing a Know Your Customer (KYC) verification request.

“To get the victim to comply with the request and wipe out sensitive data, the attackers included language in both the body of the email and the fake landing page, denoting a sense of urgency, making it known that time was of the essence,” the Armorblox post notes.

The research team also pointed out that the attack exploits the curiosity effect, a cognitive bias that plays on the user’s inherent urge to resolve uncertainty.

“Each additional engagement through the attack stream was further aimed at increasing this trust through legitimate logo inclusions, branding and key features associated only with the counterfeit brand,” the post continues.

Attack skates past Microsoft Security

Even though the email was sent from an invalid domain, the attackers still got past Microsoft’s security checks, using a “scale of techniques” to bypass secure email gateway (SEG) filters.

Armorblox CSO Brian Johnson notes that while the company’s research team does not have access to Microsoft’s threat detection details, they have seen a large number of modern attacks use zero-day malicious links that are volatile in nature.

“With the advent of cloud services, it’s easy to spin up and spin down malicious links in minutes,” he explains. “These attacks can only be detected when you combine natural language comprehension with artificial intelligence to go beyond static controls of known malicious links.”

To protect against these types of attacks, Johnson says the basic steps include enabling multifactor authentication (MFA) across all of the organization’s accounts, especially those that provide access to financial accounts.

The Armorblox post also recommends watching for social-engineering signals, such as logical inconsistencies in the email, and augmenting native email security with additional controls.
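As an added example of what such an additional control might look like (this is not Armorblox’s or Microsoft’s code, and the two sample emails below are constructed for illustration, with placeholder `example.net` domains that are not indicators from the campaign), the following Python script triages a raw message for the three signals this story describes: a sender domain that fails SPF/DKIM/DMARC authentication, brand impersonation whose links and sender domain point away from the brand’s real domain (metamask.io is MetaMask’s actual site; the `registrable_domain` helper is a deliberately naive eTLD+1 approximation), and urgency language in the subject or body.

```python
"""Heuristic phishing triage for brand-impersonation emails.

Added example, not from the Armorblox post. SAMPLE_PHISH and SAMPLE_BENIGN are
constructed test messages; example.net hosts are placeholders, not real IOCs.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Protected brands and the domains they legitimately send from / link to.
BRAND_DOMAINS = {"metamask": {"metamask.io"}}

URGENCY_TERMS = ("immediately", "within 24 hours", "suspended",
                 "restricted", "act now", "verify now")

# Constructed phishing sample: failing auth, look-alike sender, off-brand link, urgency.
SAMPLE_PHISH = b"""From: "MetaMask Support" <support@metamask-verify.example.net>
To: treasury@victim.example.com
Subject: Action required: MetaMask KYC verification
Authentication-Results: mx.victim.example.com; spf=fail smtp.mailfrom=metamask-verify.example.net; dkim=none; dmarc=fail header.from=metamask-verify.example.net
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear MetaMask user,</p>
<p>Regulations require you to complete KYC verification. Your wallet access
will be restricted if this is not completed within 24 hours.</p>
<p><a href="https://kyc-metamask.example.net/verify">Verify your wallet</a></p>
</body></html>
"""

# Constructed benign sample: mentions the brand but passes auth and links on-brand.
SAMPLE_BENIGN = b"""From: "MetaMask" <news@metamask.io>
To: treasury@victim.example.com
Subject: MetaMask monthly update
Authentication-Results: mx.victim.example.com; spf=pass smtp.mailfrom=metamask.io; dkim=pass header.d=metamask.io; dmarc=pass header.from=metamask.io
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the latest MetaMask release notes at
<a href="https://metamask.io/news">metamask.io</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every <a href> and all visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def auth_failures(msg) -> dict:
    """{method: result} for every spf/dkim/dmarc verdict in Authentication-Results that is not 'pass'."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return {m: r for m, r in verdicts.items() if r != "pass"}


def extract_links_and_text(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        ex = LinkExtractor()
        ex.feed(content)
        return ex.hrefs, " ".join(ex.text)
    return re.findall(r"https?://\S+", content), content


def spoofed_brand(text: str):
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)


def offbrand_link_domains(brand: str, hrefs) -> list:
    """Registrable domains of links that do not belong to the brand being invoked."""
    hosts = {urlparse(h).hostname for h in hrefs}
    return sorted({registrable_domain(h) for h in hosts
                   if h and registrable_domain(h) not in BRAND_DOMAINS[brand]})


def urgency_hits(text: str) -> list:
    low = text.lower()
    return [t for t in URGENCY_TERMS if t in low]


def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hrefs, body_text = extract_links_and_text(msg)
    text = f"{msg['Subject'] or ''} {body_text}"
    brand = spoofed_brand(text)
    sender_host = msg["From"].addresses[0].domain if msg["From"] and msg["From"].addresses else ""
    report = {
        "brand": brand,
        "auth_failures": auth_failures(msg),
        "offbrand_link_domains": offbrand_link_domains(brand, hrefs) if brand else [],
        "sender_offbrand": bool(brand) and registrable_domain(sender_host) not in BRAND_DOMAINS[brand],
        "urgency": urgency_hits(text),
    }
    # One point per independent signal; anything >= 2 is worth a human look.
    report["score"] = sum(bool(report[k]) for k in
                          ("auth_failures", "offbrand_link_domains", "sender_offbrand", "urgency"))
    return report


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

The point of scoring independent signals rather than matching known-bad URLs is exactly the gap Johnson describes: a freshly spun-up link has no reputation yet, but a message that invokes a brand while authenticating badly, linking off-brand and demanding action within a deadline looks wrong regardless of which host it points at.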

Cryptocurrency attacks are evolving, targeting startups

Johnson adds that crypto-wallet phishing has become more targeted and more mainstream.

“As the use of cryptocurrency gains ground in both personal and business environments, it opens up another vector for malicious actors,” warns Johnson.

Attackers’ approaches to compromising cryptocurrency and digital-asset exchanges continue to evolve; a series of attacks on small and medium-sized businesses has led to large cryptocurrency losses for the victims.

Among these malicious actors is BlueNoroff, an advanced persistent threat (APT) group that is part of the larger North Korea-affiliated Lazarus group and was behind the SnatchCrypto campaign reported in January.

Meanwhile, cryptocurrency mixing – a technique that uses pools of cryptocurrency to complicate the tracking of transactions – will grow as ransomware operators and other cybercriminals increasingly rely on cryptocurrency, a November 2021 report from Intel 471 warned.

