The most recent MetaMask phishing scam asks users for their seed phrase via a Google Docs form posing as an official support portal.
MetaMask, a cryptocurrency wallet provider, has alerted its users to a recent phishing bot that aims to steal their seed phrases.
MetaMask warned users in a tweet on Monday, May 3, that the bot attempts to steer users to a malicious website: a purported “instant support” portal where they are prompted to enter information into a Google Docs form.
🚨PHISHING ALERT!: a new type of phishing bot is becoming active. 🎣
👨🏻Comes from an account that looks “normal” (but few followers)
📑Helpfully suggests filling out a support form on a major site like Google sheets (hard to block).
🪝Asks for your secret recovery phrase. pic.twitter.com/EeHumnmzbE
— MetaMask (@MetaMask) May 3, 2021
The form requests the secret recovery phrase, which can be used to restore users’ cryptocurrency wallets. To help users avoid being scammed, MetaMask said that it does not have a Google Docs-based support system and advised users to get help via the “Get Help” option inside the MetaMask app itself.
MetaMask also urges people to report scams that impersonate the wallet and its programmes, pointing out that consumers can do so via the app.
Despite MetaMask warning its users of the phishing bot, some of its users appear to have already been scammed, with one Twitter user replying: “so there is no way to get back our token right ?”
Because of its success, MetaMask is a common target for hackers and scammers. ConsenSys, the wallet’s creator, announced on April 27 that it had reached a new milestone of five million active monthly users.
Scammers use phishing attacks as a social engineering tactic to trick users into performing an action that exposes sensitive information or account data.
In December 2020, MetaMask detailed a “rotten seed phrase attack”, in which a malicious website mimics the website of the wallet the user is trying to install. The fake website generates a seed phrase that enables the scammers to control the wallet once it has been installed.
New users are not the only ones vulnerable to phishing scams: at the end of 2020, a hacker duped Nexus Mutual founder Hugh Karp into sending approximately 370,000 Nexus Mutual tokens (NXM) worth $8 million to a wallet under the hacker's control.
Ledger users have also been bombarded by phishing attempts, with two big hacks of corporate servers exposing sensitive information such as email addresses, phone numbers, and even physical addresses.