MetaMask Security Report: December 2024

Clifford Stoll – aka "the mad scientist who wrote the book on how to hunt hackers" – posing in his workshop in California.

🎙️ MetaMask in the security ecosystem 🔎

The long con: pig butchering, wallet drainers, and job scams

ICYMI, Luker gave an overview on how social engineering is employed by script kiddies, crime cartels, and advanced persistent threats alike. Hear how users are robbed, crypto companies and devs are hoodwinked, and what nefarious practices are behind the swine slaughtering that keeps her up at night. Enjoy!

What same origin iframes are used for

Same-origin realms are a way for browsers to securely run scripts and isolate different web pages that come from the same source. They are particularly useful for improving security when dealing with embedded content, such as iframes, or when loading untrusted scripts.

Gal Weizman’s article explores how developers can use these realms to create safer, more efficient web applications. He highlights Realms-Initialization-Control (RIC), which would allow developers to control how scripts are initialized, adding an extra layer of security. This can help prevent common web vulnerabilities and make applications more robust. The challenge is to balance security with ease of development, but advancements like these are paving the way for a safer web.

Lazarus and job scam malware

Taylor Monahan recently highlighted how the DPRK-linked Lazarus Group employs sophisticated social engineering tactics, such as contacting employees through social media or messaging apps, directing them to GitHub repositories under the guise of job offers or technical assistance, and compromising individual devices to gain access to company infrastructure.

In one real-world example, an employee's device was compromised after interacting with a fake persona on LinkedIn. The attacker maintained communication, even compensating the employee with cryptocurrency to build trust, before eventually exploiting the access to steal over $2 million.

As a follow-up, MetaMask shared an easy-to-digest list of things to look out for when contacted by someone online.

Meanwhile…

The fascinating security model of dark web marketplaces

Evan Boehs outlines how the dark web offers anonymity and legitimate uses, but is also full of risks—scams, malware, and trust issues are the norm. Anonymous sellers can disappear mid-transaction, malicious links lurk everywhere, and a single misstep can expose your identity.

To stay safe, use tools like Tor, practice good cryptocurrency hygiene, and maintain a zero-trust mindset.

Ethereum Protocol Attackathon is live

Immunify's Attackathon has officially launched. Running until January 20, 2025, this large-scale crowdsourced security audit competition aims to strengthen the Ethereum protocol's security. The event invites participants ranging from professional auditing firms to independent security researchers to compete for a $1,500,000 reward pool.

⚠️ Tales of caution⚠️

Solana library supply chain attack exposes cryptocurrency wallets

Summary

Solana suffered a supply chain attack targeting the widely utilized @solana/web3.js npm library, aiming to compromise private keys and siphon funds. The malicious versions, identified as 1.95.6 and 1.95.7, were briefly available on December 2, 2024, before being swiftly removed from circulation.

The attackers are believed to have gained access through phishing techniques, and successfully injected harmful code into the library. This code was designed to exfiltrate private keys to a server under the attackers' control, identified as sol-rpc[.]xyz, notably registered just days before the breach. Cloud security researcher Christophe Tafani-Dereeper uncovered a backdoor function named “addToQueue” within the package, which specifically targeted key-sensitive operations.

How Users Can Protect Themselves

In response to the attack, Solana Labs, alongside security experts, have issued recommendations for developers potentially affected by the compromised library versions. These include conducting thorough audits of dependencies to pinpoint any usage of the malicious versions, updating to the secure version 1.95.8 immediately, and rotating keys where compromise is suspected.

AI code poisoning attacks on the rise

Summary

Scammers now target AI training data, embedding malicious crypto code to exploit users. In this case, the code involved sending a private key through an API recommended by @OpenAI. The scam was executed swiftly, and the user’s assets were drained into a thief’s wallet within 30 minutes of using the API.

How users can protect themselves

This incident highlights the critical need for caution when using AI-generated code, especially in crypto. Always double-check AI recommendations to verify the legitimacy of websites and APIs suggested by AI services. When experimenting with new tools or code, use test wallets containing minimal funds to reduce potential losses in case of errors or vulnerabilities. Additionally, stay informed about scams by keeping up with common tactics and known malicious sites within the crypto community.

Wallstreetbets X account compromised, victim drained on Solana for over $2.2M worth of meme coins

Summary

In a significant breach of WallStreetBets' X account, hackers made off with meme coins valued at over US$2.2 million on the Solana blockchain. The exploit, identified by blockchain detective ZachXBT, was traced back to a vulnerability within X’s mobile application. The stolen assets included 1,430,000 PNUT tokens, 400,000 ZEREBRO tokens, and 130,000 ALCH tokens. The hackers incorporated passkeys to control WallStreetBets even after WallStreetBets removed their access.

How users can protect themselves

If you come across any links on social media hyping up some new token investment, take a moment to consider the legitimacy before clicking. These links can be very tempting, promising significant returns and exclusive chances to get in early, but that's precisely how people get compromised. Double-check where those links are taking you, and undertake due diligence to verify the legitimacy of what is promised.

Ongoing exploits from LastPass incident

Summary

ZachXBT has exposed a significant cryptocurrency theft orchestrated by the "LastPass threat actor", leading to a loss of approximately $5.36 million from over 40 victim addresses. This breach, linked to a December 2022 incident in which LastPass reported unauthorized access to encrypted vault data, has now contributed to over $250 million in total crypto losses. The attackers specifically targeted users who stored their private keys or secret recovery phrases (SRPs) in LastPass vaults, exploiting the centralized storage's vulnerabilities.

How users can protect themselves

1. Regular audits: periodically review where and how your digital assets are stored. Ensure that any storage solution you use adheres to the highest security standards.
2. Secure storage: avoid storing private keys or SRPs in centralized password managers. Consider using hardware wallets or other secure offline storage methods for sensitive information.
3. Immediate action: if you have used LastPass to store any crypto-related data, consider transferring your assets to a new wallet and changing ownership of any contracts or multisig wallets as a precaution.
4. Stay informed: follow reputable cybersecurity experts and platforms for the latest news on security threats and best practices for safeguarding your assets.

Looking for more? Head here to peruse previous editions of Luker's MetaMask Security Reports.