Web2 social engineering attacks – like phishing – are increasingly affecting users of Web3 services. 

We recently discovered an active phishing campaign targeting customers of crypto wallet service provider MetaMask. In this article, we’ll break down the various phishing techniques in the scam email we received on July 25, 2022, purporting to be from MetaMask.

Here’s the email we received:  

Opened quickly and read superficially, this email can easily pass as a real message from MetaMask. Its subject line references an open support ticket, it displays the well-known MetaMask fox logo, and it directs us to a clickable button with an innocuous, time-sensitive prompt: “Verify your wallet.”

Upon closer inspection, however, we noticed a LOT of red flags:

The Sender’s Email Address 

The sender’s name and email address feature an egregious spelling error: Metamaks instead of MetaMask.

The address is also not an official, real MetaMask domain. It’s a fake domain (metamaks.auction) and it’s the first real clue that we’re dealing with a malicious phishing campaign. 

Finally, if we open the other properties of the email, we can see that the server used to deliver the message (unicarpentry.onmicrosoft.com) is not related to the real service. 
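The three sender checks above can be automated when triaging a reported message. The following is an added example, not Halborn's tooling: the sample message is constructed (only the two domains come from this article), and the allowlist entry `metamask.io`, the `support` local part, the header layout and the 0.8 similarity threshold are assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "metamask"            # brand the message claims to come from
OFFICIAL = {"metamask.io"}    # assumption: allowlist kept by the defender

# Constructed sample; only the two domains are taken from the article.
RAW = """\
Received: from unicarpentry.onmicrosoft.com (unknown [192.0.2.10])
 by mx.example.net; Mon, 25 Jul 2022 10:00:00 +0000
From: Metamaks <support@metamaks.auction>
To: user@example.net
Subject: Open support ticket

Verify your wallet
"""

def lookalike(token, brand=BRAND, threshold=0.8):
    """True when token is close to the brand but not identical to it."""
    token = token.lower()
    ratio = difflib.SequenceMatcher(None, token, brand).ratio()
    return token != brand and ratio >= threshold

def triage(raw):
    """Return a list of red flags found in the sender-related headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if lookalike(name):
        findings.append("display name is a near-miss of the brand")
    if any(lookalike(label) for label in domain.split(".")):
        findings.append("sender domain contains a near-miss of the brand")
    if domain not in OFFICIAL:
        findings.append("sender domain not on the allowlist")
    # Hosts named in Received headers: flag relays unrelated to the sender.
    for received in msg.get_all("Received", []):
        m = re.search(r"from\s+([\w.-]+)", received)
        if m and not m.group(1).lower().endswith(domain):
            findings.append(f"relayed via unrelated host {m.group(1).lower()}")
    return findings
```
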

Lack of Personalization in the Email

If this were indeed a real email from a financial institution or a well-known wallet service like MetaMask, it would contain a personalized message with the real name of the recipient, some other ID information, and clearer instructions on what needs to be done.

In this email, there is no personalization. We are not referred to by our name and there is no other kind of personalized account information in the email.  

The Redirected URL

As a general rule, you should never click on any button or link that you receive by email, SMS, WhatsApp, etc. Always verify the URL by moving your pointer over the button or link – before clicking on it! When you hover over it, the URL address will usually appear at the bottom left of the browser window.

As we can see in this case, the domain we would have landed on had we clicked the “Verify your wallet” button has nothing in common with MetaMask. The domain reads: dockwo.com (and not MetaMask.com).

The Fake Site

Assuming you made the unfortunate mistake of missing all the red flags mentioned above and that you clicked on the “Verify your wallet” button, you would be directed to the following malicious website: 

The domain is actually authorize-web.org; the well-known MetaMask brand appears only in a subdomain of that registered domain. As users, we always need to read the domain from right to left: first the TLD (Top Level Domain), the country or service indicator (.com, .es, .io, .com.br, etc.), then the “.” that separates it from the brand or name itself.
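Reading a hostname from right to left can be done mechanically: strip the longest known suffix, keep one more label, and compare the result with the domains you trust. This is an added example, not code from the article; the suffix set is a small constructed subset of the Public Suffix List, the allowlist entry `metamask.io` is an assumption, and the `metamask.` subdomain label and paths in the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Small constructed subset of the Public Suffix List; production code
# should load the full list instead.
SUFFIXES = {"com", "org", "io", "es", "br", "com.br", "auction"}
OFFICIAL = {"metamask.io"}  # assumption: the defender's allowlist

def registrable_domain(url):
    """Return the registered domain: longest known suffix plus one label."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scan from the left so the longest suffix (e.g. com.br) wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            # i == 0 means the host is a bare suffix with no registered name.
            return ".".join(labels[i - 1:]) if i else None
    return None  # IP address or suffix missing from the subset

def verdict(url, brand="metamask"):
    """Classify a link by its registered domain, not by where the brand appears."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(url)
    if reg in OFFICIAL:
        return "official"
    if brand in host:
        return f"brand used outside its domain (registered: {reg})"
    return f"unrelated domain (registered: {reg})"

if __name__ == "__main__":
    for sample in (
        "https://metamask.authorize-web.org/verify",  # constructed subdomain
        "https://dockwo.com/",
        "https://metamask.io/",
    ):
        print(sample, "->", verdict(sample))
```
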

Even though this particular site has an SSL certificate (which tricks the user into thinking that it’s a secure place to transact), the only secure thing that will occur is that the user’s wallet passphrase will travel through a secure socket, but to a fake, illegitimate site.

The scammer even tries to convince you that it’s watching out for your safety with phrases like: “Make sure no one is watching you right now, never share your passphrase with other people.”

Once the victim enters the required passphrase, they are actually redirected to the real MetaMask website, which deceives the victim into thinking that everything is in order, but the truth is that the information of their crypto wallet was already exposed and now the scammers have all the information they need to access the victim’s digital assets. 

Final Considerations

The best defense against phishing attacks like these is to stay vigilant when receiving emails and think twice before doing anything that seems a bit unusual or potentially suspicious. 

If an email contains a link to be clicked, visit the site directly instead and find the target page from there. If an attachment is unsolicited and seems suspicious, call the sender, and confirm before downloading or opening it.  

You can also activate 2FA or MFA in every account that you manage and use multilayer security solutions (and keep them updated!).

No one can detect every phishing email, so it is important for companies to have processes in place for managing potential phishing attacks targeting their employees.  An email security system can help to detect and block a potential phishing attack, and the use of multi-factor authentication can mitigate the impact of compromised credentials.

In the event of a successful phishing attack targeting your employee, it is important to begin incident response as quickly as possible to minimize the damage to the company.  Having a professional incident response team on-call can mean the difference between a devastating ransomware attack or data breach and a non-event. 

Contact the Halborn cybersecurity team at halborn@protonmail.com for more info on how we can help your organization prevent or mitigate phishing attacks.

Warning: Active MetaMask Phishing Campaign
Luis Lubeck
07.28.2022