MetaMask Security Monthly: April 2024

Structural engineer and architect Fazlur Rahman Kahn was a pioneer in computer-aided design and is considered the "father of tubular designs" for high-rises.

🦊 What We’ve Been Up To 🦊

LavaMoat and Snow Updates from Security Lab

Recently, MetaMask's Security Lab submitted a proposal to the W3C for incubation. This would introduce a basic functionality that we'd use to ship Snow.js on the user end instead of LavaMoat. The shift aims to embed it directly into the browser, making bypass virtually impossible. This move is crucial for the ongoing development of Snow and plays a key role in addressing and safeguarding against the Same Origin Concern.

We've upgraded our policy generation to support ECMAScript Modules (ESM), meaning we now accommodate import and export syntax, moving beyond the traditional require module system in LavaMoat. This enhancement allows us to generate policies for files using ESM syntax, both for the webpack plugin and for our new tool that's being developed on top of Endo.

Support for target: 'node' is coming to the LavaMoat Webpack Plugin in the next release. We've made it handle the concept of built-in modules.

Lockdown has now been permanently released on MetaMask mobile for iOS.

We're also in the process of enhancing our docs to streamline the LavaMoat onboarding experience for the wider ecosystem. We're putting together educational videos to demystify LavaMoat's mechanics and showcase optimal usage practices for applications. With the introduction of the new ESM-compatible LavaMoat runner, our immediate focus is to bridge any functionality gaps left by the transition from lavaMoat-node.

🎙️ MetaMask in the Security Ecosystem 🔎

Overview of LavaDome by Gal Weizman

In the current web development landscape, trust in the code within web applications is compromised, rendering traditional security measures like the Same Origin Policy inadequate. This issue now encompasses protecting web apps from internal threats as well, altering web system architectures. MetaMask is addressing these challenges by developing security tools, including LavaDome, an experimental solution designed to safely display sensitive information in the DOM without fear of it being stolen by malicious code through methods like XSS or supply chain attacks.

Introducing LavaDome 🌋

A new LavaMoat [EXPERIMENTAL ⚠️] security tool for safely displaying sensitive information to the user.

PIN code? Seed phrase? Private key? PII?

Use LavaDome to easily render them to the DOM with close to zero integration fraction - SECURELY🔒

A 🧵: pic.twitter.com/Cy9hF1jhMh

— Gal Weizman (@WeizmanGal) April 18, 2024

Fake Lawsuit Threat Exposes Privnote Phishing Sites

Recently, a cybercriminal involved in creating counterfeit versions of the self-destructing message service privnote.com inadvertently revealed the extent of their operations upon threatening a lawsuit against MetaMask. After some very light detective work, Taylor Monahan pointed out that this slip-up exposed a lucrative network of phishing sites. These sites mimic the authentic Privnote in appearance and functionality, with one critical difference: Any messages featuring cryptocurrency addresses are automatically modified to replace the original payment address with one owned by the fraudsters.

How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

ZachXBT with help from Taylor Monahan and other security researchers was able to follow the breadcrumbs of transactions to mixers and centralized exchanges used by the infamous Lazarus Group to launder millions of dollars stolen through crypto hacks over the last few years. Read the full writeup or check out his thread.

1/ How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020 - 2023https://t.co/s8zNFwlamb

— ZachXBT (@zachxbt) April 29, 2024

Meanwhile…

Security Alliance (SEAL) Launches Free, Crypto-Native ISAC

The SEAL 911 initiative, which has led to the recovery of over $50M USD since its launch last year, is now operating an Information Sharing and Analysis Center (ISAC). The ISAC is free, specific to open-source crypto solutions, and supportive of both centralized and decentralized entities. SEAL 911 is inviting key stakeholders from the following types of organizations to apply:

• Cryptocurrency exchanges and trading platforms
• Blockchain development projects and platforms
• Wallet providers and crypto storage solutions
• Mining pools and infrastructure providers
• Cybersecurity firms and researchers specializing in blockchain and cryptocurrency
• Regulation and compliance experts

Today, we're launching the latest @_SEAL_Org initiative, and it's going to change crypto security forever. It's called SEAL-ISAC, and this is why we need it pic.twitter.com/Ra6Vl3jfd3

— samczsun (@samczsun) April 17, 2024

A Brief Analysis of Angel Drainer by Bernhard Mueller

Check out this comprehensive analysis of one of the most notorious drainer services that is currently operational. Although the illicit service promotes a way to bypass Blockaid detection, the Blockaid feature integrated by default into MetaMask effectively identifies the transaction as fraudulent, thwarting its complete success.

⚠️ Tales of Caution ⚠️

LastPass Users Targeted in Phishing Attacks Good Enough to Trick Even the Savvy

Summary

LastPass users were recently targeted by a sophisticated phishing campaign using a combination of email, SMS, and voice calls to steal master passwords. The attackers utilized CryptoChameleon, a phishing-as-a-service kit focused on cryptocurrency accounts, capable of bypassing multi-factor authentication. The campaign involved tricking users into believing their LastPass account was accessed from a new device, leading them to a phishing site designed to capture their credentials. LastPass has taken action against this threat, which is part of a series of attacks targeting the password manager, including a significant breach disclosed last year.

How Users Can Protect Themselves

Always verify the authenticity of any communication claiming to be from a service provider. If you receive a suspicious call, email, or SMS, do not respond directly. Instead, contact the service provider through their official website or customer service number to confirm the communication's legitimacy. You should also be wary of any unsolicited request to provide personal information, click on links, or download attachments, especially if they create a sense of urgency.

Google Sues Two Developers for Putting 87 Fraudulent Crypto Apps on Google Play Store

Summary

Google has initiated legal action against developers Yunfeng Sun and Hongnam Cheung for distributing 87 fraudulent cryptocurrency apps on the Google Play Store, impacting over 100,000 users, 8,700 of whom are in the U.S. The lawsuit, filed in the Southern District of New York, outlines how these apps lured users with the promise of cryptocurrency investments, only to trap them with fees for withdrawing supposed returns. The developers cleverly disguised these apps to mimic legitimate trading platforms, deceiving users into believing they were making genuine investments. Despite Google's efforts to remove these apps, the developers continually evaded detection by altering their identities and network infrastructure, perpetuating their fraudulent scheme on the platform.

How Users Can Protect Themselves

The fraudulent activities of the two scammers, exploiting users' inexperience and employing "pig butchering" tactics to entice investments in their apps, underscore the critical importance of due diligence before engaging with any application. To safeguard against such scams, it's essential to thoroughly research and verify an app's legitimacy, including scrutinizing reviews and feedback from other users on social media. Remember, if an offer seems too good to be true, it likely is. These deceptive apps falsely promised returns on investments, highlighting the need for vigilance when investing in crypto.

Hackers deploy crypto drainers on thousands of WordPress sites

Summary

Nearly 2,000 WordPress sites have been hacked to show fake NFT and discount pop-ups, leading visitors to connect their wallets to crypto drainers that steal funds. Initially, these sites pushed crypto drainers via ads and YouTube, then shifted to brute-forcing admin passwords. Now, they display fraudulent NFT offers, tricking users into connecting wallets to malicious scripts from dynamic-linx[.]com, resulting in theft. Users should only link wallets to trusted platforms.

How Users Can Protect Themselves

Keeping substantial funds in hardware wallets is highly recommended, while wallets used for daily transactions should contain only minimal assets. Taking these steps can help safeguard against the loss of the majority, if not all, of your cryptocurrency holdings. Using different accounts for different transactions based on the level of risk can also mitigate against potential damages.