MetaMask Security Monthly: January 2024
Happy new year, security-minded folks! The baddies are wasting no time launching into 2024, so make sure you have your guard up.
🎙️ MetaMask in the Security Ecosystem 🔎
Inside the Early 2024 War Rooms with Taylor Monahan
In just the first week of January, Orbit, Radiant, and Gamma all suffered apparent attacks. When these events occur, security researchers spring into action to join war rooms that try to mitigate the damage. But even with the Seal 911 group of auditors and white-hat hackers that was created last August, are we anywhere close to ready for the carnage that might come with the next bull run? Monahan talks about the dangers of bad actors ranging from "script-kiddies" to APTs, and the lack of accountability when protocols get hacked. It does appear that at least the Orbit hack has the hallmarks of a DPRK-sponsored attack.
Dan Finlay Talks Safety and Authority for AI and LLM
The video of Dan's talk from the Istanbul '23 Builder Nights dropped this month. He covers user custody, anti-monopoly, the principle of least authority, object identity, language-level security and more in this jam-packed presentation!
Meanwhile…
Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider
From KrebsOnSecurity: Early January saw the arrest of a 19-year-old who was accused of "wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency," and may be connected to organized black hat groups. Oktapus in particular is so-named for their methods of stealing Okta credentials through phishing pages. The accused, Noah Michael Urban aka Sosa aka King Bob, was apparently also after obtaining unreleased songs from popular artists. This wild story also involves violent beefs between SIM-swapping gangs.
A Rise in Employment Scams
We've seen a steady uptick in employment scams over the past few months. The threat actors involved either pose as job seekers, sending malicious attachments with their application materials or even attempting to infiltrate companies, or pose as companies looking to hire. Twitter user 0xMario recounts his experience with scammers pushing a job opportunity "related to a Solidity position for a Web3 game that involved NFTs, in-game economies, etc."
🚨 SCAM ALERT 🚨
Today I was targeted by the most sophisticated scam I have experienced so far.
Luckily, they didn't manage to steal a single cent from me, but I could have lost everything I had and it could easily happen to you.
Thread 🧵👇
— 0xMario 🐷 (@0xM4R10) January 14, 2024
Tales of Caution
MailerLite Compromise Leads to Scam Emails from Cointelegraph, WalletConnect, Token Terminal and Others
Summary
Scammers have reportedly stolen over $580,000 USD in cryptocurrency in a phishing attack that used the official email addresses of major Web3 companies, including Cointelegraph, WalletConnect, and Token Terminal. The email service provider MailerLite, which was allegedly hacked, is currently investigating the issue. The phishing emails contained malicious links leading to a multi-chain address. WalletConnect and other Web3 users were targeted with emails promoting a launchpad launch and a fake Token Terminal beta launch, both containing links to fictitious airdrops. Cybersecurity platform Hudson Rock suggests that a malware program found on a MailerLite employee's computer might have been used to gain access to MailerLite's servers for data theft and further attacks.
How Users Can Protect Themselves
To enhance protection against phishing attacks, users should approach unsolicited emails with caution, regularly update and run antivirus software, and enable Blockaid security alerts in their MetaMask settings. This additional measure has proven effective in recent attacks, as all users who had Blockaid alerts enabled were safeguarded from this phishing attempt.
NFT Airdrop Campaign Resurfaces
Summary
Check Point Research walks through a large-scale NFT scam campaign that uses a source spoofing technique to target a wide range of token holders. This is a common tactic among scammers who understand Ethereum smart contracts well enough to spoof the transaction logs shown on Etherscan. The scam involves sending airdrops that appear to come from reputable sources to token holders, who are then directed to a fraudulent website where they are tricked into authorizing the attacker to drain their wallets. The scam is sophisticated, using complex smart contract interactions and a proxy contract to obfuscate the true nature of the transactions.
How Users Can Protect Themselves
Users should approach unsolicited airdrops with caution, scrutinize embedded links in digital assets, and understand the implications of interacting with smart contracts. Users should stay informed about scam tactics, use trusted tools for verifying transactions, and double-check sources of airdrops or transactions. Safe browsing practices and securing assets, such as using hardware wallets for storing significant amounts of cryptocurrency, are recommended. As the blockchain ecosystem evolves, education, caution, and skepticism remain key defenses against potential threats.
Cracked Software Loaded with Backdoors to Steal Cryptocurrency
Summary
Kaspersky discovered a sophisticated macOS malware campaign that targets users through cracked apps found on piracy websites. The malware, embedded in repackaged pre-cracked applications, initiates an infection through a Trojan proxy and a post-install script. The malware is capable of running on macOS Ventura 13.6 and later, suggesting a focus on users of newer operating systems. The malware uses a program named "Activator" to execute its payload, which includes stealing cryptocurrency wallets. The campaign is still a work in progress, with the operators frequently updating the malicious scripts. The final payload is a backdoor that can run arbitrary scripts with administrator privileges and replace the Exodus and Bitcoin cryptocurrency wallet applications with infected versions that steal secret recovery phrases.
How Users Can Protect Themselves
To safeguard against malware attacks, users should only download and install applications from official platforms or trusted third-party app stores, avoiding unverified or piracy websites. It's crucial to keep your operating system and all applications updated, as updates often include security patches that guard against known vulnerabilities. Using reliable antivirus or anti-malware software, which should itself be regularly updated, can help detect and eliminate many types of malware.