The credential-phishing attack leverages social engineering and brand impersonation techniques to lead users to a spoofed MetaMask verification page.

3 Min Read
Photo of a stack of gold crypto coins
Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Researchers have uncovered an email-based credential-phishing attack targeting users of MetaMask, a cryptocurrency wallet used to interact with the Ethereum blockchain.

The campaign is directed at Microsoft 365 (formerly Microsoft Office 365) users and has targeted multiple organizations across the financial industry. It starts with a socially engineered email that looks like a MetaMask verification email, according to the Armorblox research team, containing a link.

Upon clicking the link, users are taken to a spoofed MetaMask verification page, where they are asked to verify their wallet, claiming that non-compliance would result in limited access to their wallets.

The fake landing page uses MetaMask logos and branding to closely resemble the real log-in page, and it deploys a language of urgency to encourage compliance with the Know Your Customer (KYC) verification request.

"In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence," the Armorblox post notes.

The research team also pointed out that the attack leverages the curiosity effect, a cognitive bias that can be used to exploit the user's inherent urge to resolve doubt.

"Each further engagement through the attack flow further aimed to increase this trust through legitimate logo inclusions, branding, and key attributes that are only affiliated with the spoofed brand," the post continues.

Attack Skates Past Microsoft Security

Even though the email came from an invalid domain, the attackers were still able to slip through Microsoft's security controls, using a "gamut of techniques" to bypass secure email gateway (SEG) filters.

Armorblox CSO Brian Johnson notes while the company's research team does not have access to Microsoft threat detection details, they have seen a large amount of modern attacks spawn zero-day malicious links that are ephemeral in nature.

"With the advent of cloud services, it is easy to spin up and spin down malicious links in minutes," he explains. "These attacks can only be detected when you combine natural language understanding with artificial intelligence to go beyond static checks on known malicious links."

To protect against these types of attacks, Johnson says the basic steps include ensuring multifactor authentication (MFA) across all the organization's accounts — specifically, the ones that provide access to financial accounts.

The Armorblox post also recommends keeping an eye out for social-engineering cues, for example any logical inconsistencies within the email, and to augment native email security with additional controls.

Cryptocurrency Attacks Evolving, Targeting Startups

Johnson adds that crypto-wallet phishing has become more targeted and mainstream.

"As the use of cryptocurrency gains traction in both personal and business environments, it opens up another vector for malicious actors," Johnson warns.

Hackers' approaches to compromising cryptocurrency and digital asset exchanges continue to evolve, as a series of attacks against small and midsize businesses has led to major cryptocurrency losses for the victims.

Among these malicious actors is BlueNoroff, an advanced persistent threat (APT) group that's part of the larger Lazarus Group associated with North Korea, which carried out the SnatchCrypto campaign in January.

Meanwhile, cryptocurrency mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is set to grow, as ransomware and other cybercriminal enterprises increasingly lean into cryptocurrency, a November 2021 report from Intel 471 warned.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights