MetaMask Security Monthly: May 2024
2024 is flying by! See the latest on Smart Transactions and Snaps, and wish a not-so-fond farewell to Pink Drainer.
(Header image caption: Father of the videogame cartridge Gerald “Jerry” Lawson)
🦊 What We’ve Been Up To 🦊
Introducing Smart Transactions
Transaction inefficiencies aren't necessarily a security matter, but they can cost our users money, and we don't like that. So this month, MetaMask unveiled Smart Transactions, which can deliver a 99.5% transaction success rate, MEV protection, pre-submission simulation, and improved gas settings. As our Executive Product Director Gal Eldar put it:
“At MetaMask, we believe that wallets are uniquely positioned—and in many ways responsible—for addressing these user pain points head-on. The creation of Smart Transactions serves as our commitment to take an even more active role in tackling some of these challenges and to continue innovating at new layers of the wallet experience as part of our efforts to make the process of submitting transactions not just easier and safer but also more efficient and predictable for everyone. Democratizing access to decentralized technologies is a long and winding journey, and Smart Transactions are an important and bold step toward this end.”
User Guide: Secret Recovery Phrase, Password, and Private Keys
In our continuous quest to educate our users, this recent support article co-authored by Oliver Renwick and Joel Willmore is aimed at teaching newcomers tips to avoid getting themselves rekt. If you have people in your life who are interested in getting their web3 feet wet, point them to the resources we have available at https://support.metamask.io/.
🎙️ MetaMask in the Security Ecosystem 🔎
MetaMask Snaps, Security and Due Diligence
Christian Montoya is at it again! Check out the X Space he co-hosted with HAPI to discuss how Snaps enables innovation that makes users more secure.
“One of the most important things is that security is multifaceted and what that means is that there's lots of different stages within your journey as a user in web3 ... where security products are needed. Usually, when people talk about security, they'll talk about one specific area, like 'get a hardware wallet.' A hardware wallet is great but it doesn't protect you if you sign something on a dapp that gives [a bad actor] access to your assets. You can still get drained from a hardware wallet if you interact with a malicious dapp ... At MetaMask we're focused on bringing on security providers and shipping solutions in lots of different areas.”
The Snaps Directory is growing all the time, and it carries a full list of Security Snaps.
Taylor Monahan Explains $10M Hack and How to Stay Safe in Crypto in Interview with The Defiant
(my opinion on root cause has evolved over time and with add'l investigation but the facts have not changed) original interview with @DefiantNews is here https://t.co/cPpcZcEitV
— Tay 💖 (@tayvano_) May 8, 2024
Meanwhile…
Pink Drainer, a notorious crypto wallet drainer, amassed over $85 million by exploiting around 20K victims through sophisticated phishing schemes. Pink Drainer recently announced they are shutting down citing: “We have reached our goal and now, according to plan, it's time for us to retire.” Despite Pink Drainer's end, the threat of similar operations looms. Pink Drainer wrote, “It is very likely that our retirement will have no major impact on the scene, people will move on to other drainers just as quickly as they moved to us.”
Although Pink Drainer is retiring, other wallet drainers remain active. Keeping substantial funds in a hardware wallet is highly recommended, while wallets used for daily transactions should hold only minimal assets. Bear in mind that a hardware wallet does not stop a drainer if you sign a malicious approval or message on a dapp (as noted above), so separating accounts by the level of risk of the activity they are used for is what actually limits the damage from a single bad signature.
🚨💰 According to @zachxbt, Pink Drainer is shutting down after siphoning off over $75M from around 20k victims in just a year.
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) May 17, 2024
⚠️ Tales of Caution ⚠️
Lazarus (APT-Q-1) Secret Stealing Operation
Summary
Lazarus, an APT group, has been active since 2007 and gained notoriety with its 2014 attack on Sony Pictures. Initially focused on government agencies and intelligence theft, it shifted in 2014 towards global financial institutions and cryptocurrency exchanges, stealing money and digital assets. The group has run phishing campaigns through fake social-media accounts that offer bogus job opportunities to people in specific industries. Recently, security researchers uncovered a series of attacks in which ZIP files containing malicious JavaScript were delivered to blockchain developers through job postings on platforms such as LinkedIn, Upwork, and Braintrust. These attacks, consistent with Lazarus's "Contagious Interview" campaign, trick candidates into running the malicious code as part of a supposed take-home assignment or interview; the code steals crypto-related information (wallet data, browser credentials) and implants further malware.
How Users Can Protect Themselves
To protect against phishing and malware attacks like those run by Lazarus, verify the legitimacy of unexpected job offers through independent research (the company's official site, not the contact details supplied by the recruiter) and maintain solid digital hygiene. This includes using up-to-date anti-virus and anti-malware software, enabling multi-factor authentication (MFA), and treating email attachments and links from unknown sources with suspicion. Keep all software updated to close known, exploitable vulnerabilities. Since this campaign depends on the candidate executing code they were sent, never run a "coding test" from a recruiter on a machine that holds wallet keys or browser sessions; use an isolated, disposable virtual machine with no access to your accounts. By adopting these practices, individuals can significantly bolster their defenses against sophisticated threats and safeguard their sensitive information.
Address Poisoning Attacks on the Rise, Leading a Recent Victim to a $68M Loss
Summary
Address poisoning is a deceptive tactic in which attackers seed a victim's transaction history with entries designed to trick them into sending funds to the wrong address. The attacker generates a 'vanity' address whose first and last characters match an address the victim regularly sends to (the part a wallet UI usually displays), and then makes that address show up in the victim's history. Two techniques are common. In a zero-value transfer, the attacker calls the ERC-20 "transferFrom()" function with an amount of 0; most token implementations permit this without any allowance, so the victim's own address appears as the sender of a transfer to the lookalike. In a spoofed token transfer, the attacker deploys a fake token that mimics a real one and emits transfer events involving the lookalike address. Either way, the fraudulent address now sits in the history next to legitimate entries, and a user who copies it from there sends real funds to the attacker. The sophistication of these methods highlights the evolving nature of threats in the blockchain space.
How Users Can Protect Themselves
To protect against address poisoning, never copy a recipient address from your transaction history; copy it from a trusted source instead, and verify the entire address rather than just its first and last characters, since vanity addresses are generated specifically to match those. Human-readable names for addresses can make recipients easier to distinguish, though users must still be cautious of name spoofing. Using the address book feature provided by your wallet, or adding a private name tag on a block explorer such as Etherscan, lets you keep a whitelist of trusted addresses and spot a lookalike that is not on it.
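To make the two poisoning techniques and the address-book defense concrete, here is an added example (not MetaMask's own code and not from any wallet product) that scans a constructed token-transfer history for the patterns described above and checks a pasted recipient against an address book. All addresses, token contracts and history entries below are constructed for the example; the abbreviation width mimics the "0x1234ab...cdef" display style of a typical wallet UI and is an assumption.

```javascript
// Added example, not MetaMask's own code. Detects address-poisoning entries in a
// token-transfer history and checks a pasted recipient against an address book.
// Every address, contract and transfer below is constructed for this example.

const ME = "0xabcdef0123456789abcdef0123456789abcdef01";

// Address book: the source a user should copy recipients from.
const ADDRESS_BOOK = {
  "exchange deposit": "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee",
};

// Token symbol -> contract the wallet recognizes (constructed addresses).
const KNOWN_TOKENS = {
  USDC: "0xc0ffee0000000000000000000000000000000001",
};

// Constructed history. Entry 1 is the zero-value poisoning transfer: it appears
// to be sent by ME to a vanity address sharing the visible prefix and suffix of
// the trusted one (an attacker emits it via transferFrom(ME, vanity, 0)).
// Entry 2 is a spoofed token: same symbol as USDC, different contract.
const HISTORY = [
  { from: ME, to: "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee",
    token: "USDC", contract: KNOWN_TOKENS.USDC, value: 500n },
  { from: ME, to: "0x1111aaaa9f3e0b7c1d2e3f4a5b6c7d8e5555eeee",
    token: "USDC", contract: KNOWN_TOKENS.USDC, value: 0n },
  { from: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", to: ME,
    token: "USDC", contract: "0xbad0bad0bad0bad0bad0bad0bad0bad0bad0bad0", value: 500n },
];

// What a wallet UI typically shows: leading and trailing characters only.
function abbreviate(addr, lead = 8, tail = 4) {
  const a = addr.toLowerCase();
  return `${a.slice(0, lead)}...${a.slice(-tail)}`;
}

// Returns the label of a trusted address that LOOKS like `addr` when
// abbreviated but is not the same full address, or null.
function findLookalike(addr, book = ADDRESS_BOOK) {
  const full = addr.toLowerCase();
  for (const [label, trusted] of Object.entries(book)) {
    const t = trusted.toLowerCase();
    if (t !== full && abbreviate(t) === abbreviate(full)) return label;
  }
  return null;
}

// Scan a history; one finding per suspicious entry, with every reason that fired.
function flagPoisoning(history, me = ME, book = ADDRESS_BOOK, tokens = KNOWN_TOKENS) {
  const findings = [];
  history.forEach((tx, i) => {
    const counterparty = tx.from.toLowerCase() === me.toLowerCase() ? tx.to : tx.from;
    const reasons = [];
    if (tx.value === 0n) reasons.push("zero-value transfer");
    const label = findLookalike(counterparty, book);
    if (label) reasons.push(`lookalike of '${label}'`);
    const known = tokens[tx.token];
    if (known && known.toLowerCase() !== tx.contract.toLowerCase()) {
      reasons.push(`token '${tx.token}' from unrecognized contract`);
    }
    if (reasons.length) findings.push({ index: i, counterparty, reasons });
  });
  return findings;
}

// Pre-send check: exact address-book match, a lookalike of one, or unknown.
function checkRecipient(pasted, book = ADDRESS_BOOK) {
  const full = pasted.toLowerCase();
  for (const [label, trusted] of Object.entries(book)) {
    if (trusted.toLowerCase() === full) return { status: "trusted", label };
  }
  const label = findLookalike(pasted, book);
  return label ? { status: "lookalike", label } : { status: "unknown", label: null };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(flagPoisoning(HISTORY));
  // Simulates a user copying the poisoned entry from history before sending.
  console.log(checkRecipient(HISTORY[1].to));
}
```

Running it flags entry 1 for both the zero value and the lookalike, flags entry 2 for its unrecognized contract, and reports the copied-from-history address as a lookalike of "exchange deposit" rather than a trusted recipient. The comparison is deliberately done on the full lowercase address; a check that only compared the abbreviated form would pass the vanity address, which is exactly what the attacker is counting on.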