MetaMask Issues Warning About Phishing Attacks Via iCloud After a User Lost USD 650K
Popular software crypto wallet MetaMask has issued a warning about possible phishing attacks through Apple’s cloud service iCloud. The warning comes after scammers managed to steal USD 650,000 worth of crypto using this attack vector.
The company detailed that MetaMask vaults, the encrypted passwords also known as seed phrases, are uploaded to iCloud if the backup option is enabled. This would enable scammers to gain access to the seed phrase as soon as they compromise a user’s iCloud account.
“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault,” MetaMask said. “If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds.”
MetaMask also provided users with a guide on how to disable iCloud backups for MetaMask.
The warning comes after scammers used this attack vector to drain funds from a user’s MetaMask wallet. Called Domenic Iacovone on Twitter, the user says he received a call from “Apple.”
The user got multiple text messages asking him to reset his Apple ID password on April 15, according to Serpent, founder of Sentinel, a discord and crypto threat mitigation system.
The messages came from a spoofed caller ID trying to impersonate “Apple Inc.” They said there was suspicious activity on the victim’s Apple ID and asked for a one-time verification code to prove the owner of the Apple ID account.
“After giving the 6 digit verification code, the scammers hung up and his MetaMask wallet was wiped, with over [USD] 650,000 stolen,” Serpent said, adding that this was possible because the user’s seed phrase was saved on their iCloud.
3/ MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim’s Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim’s MetaMask.
— Serpent (@Serpent) April 17, 2022
In total, the user lost ETH 132.86 (USD 387,500) and USDT 252,400, currently worth some USD 639,900. Notably, the stolen funds were worth north of USD 655,000 on the day of the incident when ETH was trading much higher.
Meanwhile, in a recent Twitter thread, Taylor Monahan, founder and CEO at MyCrypto, an Ethereum wallet manager, noted the countless ways that a MetaMask wallet user can lose their secret recovery phrase and “get rekt.”
She detailed that sharing the secret recovery phrase on websites, chatbox, and email, sharing computer screen, clicking on malicious links, and having iCloud backup enabled, among others, could all lead to bad actors gaining access to users’ funds.
Meanwhile, some users blamed MetaMask for storing the seed phrase on iCloud, asking for a quick fix.
“The fact that Metamask stores your phrase on iCloud is a major security risk especially when it comes to social engineering and how large the industry is,” one Twitter user said. “Metamask needs to disable that feature or make it tougher for malicious actors.”
____
Learn more:
– Scammers Impersonate CoinMarketCap to Sell Fake ‘CMC’ Tokens
– Here’s How You Can Protect Yourself Against Phishing as Trezor is Attacked
– Bored Ape Yacht Club and MetaMask Join the Altcoinization Bandwagon
– Decentralization Debate Heats Up Again as MetaMask, OpenSea Block Users
– MetaMask to Add Support for NFTs
– MyCryptoMetaMask Ethereum Move