MetaMask Security Monthly: June 2024

Lots going on with our privacy policy update, new installment of the State of Security, and big news that Wallet Guard is joining Consensys!

by Luker, July 3, 2024


Ben Barres was instrumental in discovering the interaction of glial cells and neurons in the nervous system.

🦊 What We’ve Been Up To 🦊


Privacy Preserving Features in MetaMask

Privacy and security go hand-in-hand and we take our users’ privacy very seriously. This month, in the spirit of informed consent, we released an updated policy to let users know what we’re doing to keep them safe and provide them with greater transparency and control over their personal data. You can read our announcement and the full notice, as well as check out our Privacy and Security resources.

MetaMask may temporarily process your IP address only where required for some of our Services (depending on your MetaMask settings) to provide the best possible experience for MetaMask users. This includes, for example, the prevention of DDoS attacks.

  • We do not collect your private keys.
  • We do not sell your Personal Information.
  • We do not collect or retain Personal Information unless necessary to provide you the Services and a great user experience.
  • We do not collect financial payment or banking information. However, when you use our on- or off-ramp features these services may necessitate you submitting this information to third-party providers.

Consensys Acquires Wallet Guard to Enhance MetaMask Security

We’re incredibly excited to have this amazing team officially join forces with us in our quest to deliver the most secure experience possible to MetaMask users! “This integration will enhance MetaMask’s security by improving scam and drainer detection through transaction validation and client-side heuristics, thereby providing users with superior real-time protection against malicious dapps and scams while preserving privacy and self-sovereignty.”

LavaMoat’s New Website

You can now find everything LavaMoat at lavamoat.github.io, including an introductory video on how this open source set of tools can secure JavaScript projects against supply chain attacks. MetaMask’s Zb recently brought the Defensive Coding workshop he held at DEFCON last summer to the Confidence and X33FCON conferences to spread the word about LavaMoat.

🎙️ MetaMask in the Security Ecosystem 🔎


State of Security: MetaMask X WalletGuard

The latest in our quarterly series features Ryan Jones and Gal Wiezman who join Ohm and Michael to talk about transaction simulations, interoperability, MetaMask Portfolio, and using LavaMoat to protect against supply chain attacks. As always, we’ll also give you tips on being safe as you navigate the crypto space.

Meanwhile…


Employment Scams Are on the Rise

This month, the US FBI released a PSA urging those seeking work-from-home employment to exercise caution. While crypto- and blockchain-related jobs were not specifically mentioned, MetaMask’s Threat Intelligence and User Safety teams have heard many stories indicating that our community is particularly targeted. Treat any unsolicited job offer with extra suspicion, and never click links, download files, or open attachments from these untrusted messages. Definitely do not engage if “you are directed to make cryptocurrency payments to your employer as part of a job.”

Evidence indicates that a significant number of these scams are related to advanced persistent threat (APT) groups that are often state-sponsored. Crypto-related businesses should also be extremely vigilant when interviewing applicants, as this has also become a popular attack vector. Make sure to conduct thorough interviews that include verified, consistent background information and require applicants to be on camera.

Legal Defense Fund for SEAL’s Whitehat Safe Harbor

Ethical whitehat hackers are a cornerstone of our industry. These researchers uncover and responsibly disclose vulnerabilities before bad actors are able to exploit them. However, as the Security Alliance (SEAL) recently explained, web2’s history shows that “this important work can sometimes lead to significant legal risks and subsequent costs, particularly when their research and disclosures are unwelcome or misunderstood.” Therefore, SEAL has launched an initiative with the Security Research Legal Defense Fund to provide legal resources to eligible researchers who use the Whitehat Safe Harbor Agreement.

⚠️ Tales of Caution ⚠️


User Loses $11M to Signature Phishing

Summary

On June 22nd, a user signed multiple malicious Permit signatures, which resulted in a loss of US$11 million worth of tokens. It was later revealed that the victim was a MakerDAO governance delegate. SEAL researcher pcaversaccio believes signature phishing is the biggest problem in our industry, stating that users don’t pay attention to the warnings and don’t consider the consequences of what they are signing. MetaMask’s @tayvano estimated the total damage from approval phishing scams since 2021 at $600M+.

How Users Can Protect Themselves

Users can protect themselves by following three primary steps. (1) Limit the assets held in the wallet you browse with day to day. If you do sign a malicious signature, the impact is then bounded by that wallet’s balance. (2) Validate the domain the signature request originates from and verify that it matches the project’s real domain. A quick way to do this is to open the project’s official social media or blog page and check that the domains linked from those profiles match the one making the request. (3) Validate the token and addresses in the request itself. A phishing request often involves a token you did not intend to spend, and the spender address and/or the destination address will differ from the one you intended. These simple checks can save you from unintended fund loss.
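To make steps (2) and (3) concrete, here is an added example (not MetaMask code, and not from the incident above) that triages an `eth_signTypedData_v4` Permit request before it is signed: it compares the requesting origin, the token (`domain.verifyingContract`) and the `spender` against the triple the user actually intended, and flags the unlimited-value, far-future-deadline shape that drainers use. The origins, addresses, token names and timestamps are constructed placeholders, and the `EXPECTED` allowlist is an assumption about how the user records what they meant to approve.

```javascript
// Added example, not MetaMask code: triage an eth_signTypedData_v4 (EIP-712)
// Permit request against the three checks in the text before signing it.
// All origins, addresses and values below are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS = 30 * 24 * 3600;

// Assumption: the user records the one origin/token/spender triple they intend
// to use (e.g. taken from the project's official social profiles or docs).
const EXPECTED = {
  origin: "https://app.example-dex.org",
  token: "0x1111111111111111111111111111111111111111",   // placeholder ERC-20 with permit()
  spender: "0x2222222222222222222222222222222222222222", // placeholder router
};

function checkPermitRequest(origin, typedData, expected, nowSeconds) {
  const findings = [];
  const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();
  const domain = typedData.domain || {};
  const msg = typedData.message || {};

  // Step (2): the request must come from the project's own domain.
  if (origin !== expected.origin) {
    findings.push(`origin ${origin} does not match ${expected.origin}`);
  }
  // Step (3): for Permit, domain.verifyingContract is the token whose balance
  // the signature lets `spender` pull, so both must be the ones intended.
  if (typedData.primaryType !== "Permit") {
    findings.push(`primaryType ${typedData.primaryType} is not Permit`);
  }
  if (!same(domain.verifyingContract, expected.token)) {
    findings.push(`verifyingContract ${domain.verifyingContract} is not the intended token`);
  }
  if (!same(msg.spender, expected.spender)) {
    findings.push(`spender ${msg.spender} is not the intended contract`);
  }
  // Drainer pattern: unlimited value combined with a far-future deadline.
  if (BigInt(msg.value ?? 0) === MAX_UINT256) {
    findings.push("value is unlimited (max uint256)");
  }
  if (Number(msg.deadline ?? 0) - nowSeconds > THIRTY_DAYS) {
    findings.push("deadline is more than 30 days away");
  }
  return { safe: findings.length === 0, findings };
}

// Constructed sample: a look-alike site asking for an unlimited, long-lived permit
// on the real token, but with the attacker's contract as spender.
const NOW = 1719100800; // 2024-06-23T00:00:00Z, chosen for the example
const PHISHING_REQUEST = {
  origin: "https://app.example-dex.org.claim-airdrop.xyz",
  typedData: {
    primaryType: "Permit",
    domain: { name: "Example Token", version: "1", chainId: 1,
              verifyingContract: EXPECTED.token },
    message: {
      owner: "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      spender: "0x3333333333333333333333333333333333333333",
      value: MAX_UINT256.toString(),
      nonce: 7,
      deadline: 1750000000,
    },
  },
};

// Constructed sample: the same token, but a bounded permit from the real origin.
const LEGIT_REQUEST = {
  origin: EXPECTED.origin,
  typedData: {
    primaryType: "Permit",
    domain: { name: "Example Token", version: "1", chainId: 1,
              verifyingContract: EXPECTED.token },
    message: {
      owner: "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      spender: EXPECTED.spender,
      value: "1000000000000000000", // 1 token at 18 decimals
      nonce: 7,
      deadline: NOW + 1800,
    },
  },
};

function triage(req) {
  return checkPermitRequest(req.origin, req.typedData, EXPECTED, NOW);
}

console.log(triage(PHISHING_REQUEST)); // safe: false, four findings
console.log(triage(LEGIT_REQUEST));    // safe: true
```

The point of the example is that the phishing request passes the check most people eyeball (the token is the real one) and fails on the fields they skip: origin, spender, value and deadline. A wallet or browser tool can run exactly this comparison; a user doing it by hand should look at the same four fields.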

23K Phishing Emails Sent After CoinGecko's 3rd-Party Email Service is Compromised

Summary

CoinGecko, a cryptocurrency data aggregator, experienced a data breach on June 5 due to a compromised account at their third-party email marketing platform, GetResponse. An attacker accessed nearly 2 million contacts and sent 23,723 phishing emails from another client's account within GetResponse. The breach exposed users' names, emails, IP addresses, and locations, but CoinGecko's user accounts and passwords remained secure. CoinGecko is investigating the breach with GetResponse, informing affected users, and reviewing security procedures to enhance protocols.

How Users Can Protect Themselves

Users should be cautious with emails inviting them to claim airdrops or tokens, and should avoid clicking links or downloading attachments from unsolicited emails. Crypto projects should also understand the security controls of the third-party vendors they rely on, since a compromise at a vendor that holds your user list lets an attacker send convincing phishing to your users without touching your own systems.

SlowMist Reveals How a Malicious Aggr Chrome Extension Stole $1M+ in Crypto

Summary

Aggr is a Chrome extension marketed as a trading data aggregator. In early June, a Binance user reported a loss of US$1 million in cryptocurrency, and the Aggr extension was identified as the attack vector. SlowMist found that Aggr harvested the browser cookies of traders who installed it, specifically targeting the session cookies of cryptocurrency exchanges. With those cookies, the actors behind Aggr could log in to Centralized Exchange (CEX) accounts as the victims and take control of the funds held there.

How Users Can Protect Themselves

It's crucial for users to be vigilant when installing any software on their computers, including extensions from browser stores. Researching the developers of an extension is an important step: a review of their profile and track record should give you a good gauge of whether you can trust them. Extensions from anonymous developers with no prior history should be avoided in favor of those from verified, reputable publishers. Additionally, reading the extension's user reviews and the permissions it requests at install time gives further insight into its credibility.
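The permissions an extension requests are the part of that review a user can check mechanically. The following added example (not SlowMist's, Aggr's or MetaMask's code) reviews a Chrome extension `manifest.json` for the combination that makes session-cookie theft possible: the `cookies` permission together with host access to every site. Both manifests below are constructed for illustration and are not Aggr's real manifest; the permission descriptions are from the Chrome extension permission model.

```javascript
// Added example, not SlowMist's or Aggr's code: review a Chrome extension
// manifest for the permission combination that enables session-cookie theft.
// Both manifests below are constructed for the example.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Permissions worth a second look in any extension, with why they matter.
const SENSITIVE_PERMISSIONS = {
  cookies: "can read cookies, i.e. logged-in sessions, for every host it has access to",
  webRequest: "can observe request headers, including Cookie and Authorization",
  webRequestBlocking: "can modify or redirect requests in flight",
  scripting: "can inject script into any page it has host access to",
  debugger: "can attach the DevTools protocol to any tab",
};

function reviewManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 lists host patterns inside `permissions`; MV3 moves them to `host_permissions`.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p === "<all_urls>" || p.includes("://")),
  ];
  const contentMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const broadHosts = hosts.filter((h) => BROAD_HOST_PATTERNS.has(h));
  const broadContent = contentMatches.some((m) => BROAD_HOST_PATTERNS.has(m));

  for (const p of perms) {
    if (Object.prototype.hasOwnProperty.call(SENSITIVE_PERMISSIONS, p)) {
      findings.push(`permission "${p}": ${SENSITIVE_PERMISSIONS[p]}`);
    }
  }
  if (broadHosts.length > 0) {
    findings.push(`host access to every site: ${broadHosts.join(", ")}`);
  }
  if (broadContent) {
    findings.push("content script injected into every page");
  }
  // The combination that matters for the Aggr case: cookie access on every host
  // lets the extension export exchange session cookies to its operator.
  const canStealSessions = perms.includes("cookies") && broadHosts.length > 0;
  if (canStealSessions) {
    findings.push("cookies + all hosts: can export exchange session cookies");
  }

  const risk = canStealSessions ? "high" : findings.length > 0 ? "medium" : "low";
  return { risk, findings, hosts, contentMatches };
}

// Constructed sample: the shape a cookie-stealing "data aggregator" would need.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: "Example Trading Aggregator",
  permissions: ["cookies", "storage", "tabs", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample: a data extension that only talks to its own API.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Example Price Ticker",
  permissions: ["storage"],
  host_permissions: ["https://api.example-data.io/*"],
};

console.log(reviewManifest(SUSPICIOUS_MANIFEST)); // risk: "high", five findings
console.log(reviewManifest(BENIGN_MANIFEST));     // risk: "low", no findings
```

To run this over what is actually installed, feed it the `manifest.json` of each extension under the Chrome profile's `Extensions/<id>/<version>/` directory (on Linux typically `~/.config/google-chrome/Default/Extensions/`). A "high" result does not prove malice, since some legitimate tools need cookie access, but a trading-data extension has no business reading exchange session cookies, and that mismatch between stated purpose and requested permissions is the signal to act on.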
