What Happened With The MetaMask Phishing Attempt?
On June 7th, a Reddit user known as WeaponizedMath reported on the social network that the BTCManager site was serving a phishing popup targeting users of the MetaMask browser plugin. The site resolved the issue less than 24 hours after the report was first published.
Phishing Attack On BTCManager
At the moment there have been no reports of people losing funds because of the attack. This is partly thanks to the team's fast response and to the help of the MetaMask team, which was able to warn its plugin users.
We are still investigating this @metamask_io phishing attempt. All we know right now is someone got past 2 factor into cloudflare. All the cloudflare info has been changed and the connection from our cloudflare to their server has been severed.
— BTCMANAGER (@btc_manager) June 8, 2018
The investigation shows that the attacker was able to build a popup cloning MetaMask's, asking users to restore their vault with their private key under the pretext of an extension update. Fortunately, it was not able to steal anything without real interaction from the users: the popup only obtains a secret if a victim types it in.
Wallet companies and cryptocurrency service providers do not ask users for their seed or private key without a reason. It is also worth noting that the BTCManager site has no payment or donation section, so there is no legitimate reason for it to request access to a wallet.
In a Medium post, MetaMask wrote about this situation:
“MetaMask will never spontaneously ask you for your seed words, and is actually totally incapable of popping up in the top right without the user clicking the fox (as are all WebExtensions)! If you ever see this kind of popup on a site, contact us immediately!”
The attacker's server points back to a DigitalOcean IP, and the site believes this is the work of an experienced attacker. They said they cannot release all the information they have about the attack because they want to avoid copycats. BTCManager is working hard to prevent further attacks of this kind.
How Did The Phishing Code Affect The Website?
The attacker made two small changes to the Cloudflare account that were very difficult to detect. Then, through the Cloudflare API, they re-created a sub-domain that had previously been in use, img.btcmanager.com, and pointed it at their own server, so requests for that sub-domain were directed to the attacker.
BTCManager explains that the attackers were able to gain access to their Cloudflare account because of security problems on Cloudflare's side, and in doing so obtained the API key; BTCManager does not know how they managed that.
The site explains that it delivers a large amount of data every month to clients all over the world, and Cloudflare is the solution it uses to reduce costs and offer a good service.
The critical issue with the API is that Cloudflare has no way to turn it off or to limit what it is able to do. One option may be to stop using Cloudflare's services for the time being, until the issue is cleared up.
The attacker bypassed all the security precautions BTCManager had taken. The company adds that this is not the first time they have faced attack attempts: in the past they have suffered dozens of DDoS attacks.
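The takeover path described above (a DNS record added through the Cloudflare API, pointing a sub-domain at a server the site operator does not control) is the kind of change a periodic audit can catch even when the account change itself goes unnoticed. The following is an added example, not BTCManager's or Cloudflare's code: it compares a DNS record listing against a known-good baseline and flags records that are new, changed, missing, or pointing outside the operator's own address ranges. It assumes the listing has the JSON shape returned by Cloudflare's DNS records endpoint (a "result" array of objects with "type", "name" and "content"); the baseline, the sample listing and every address in it are constructed.

```python
"""Audit a Cloudflare-style DNS record listing against a known-good baseline.

Added example, not BTCManager's or Cloudflare's code. It assumes the listing
has the shape returned by Cloudflare's DNS records API: a JSON object with a
"result" array whose entries carry "type", "name" and "content". The baseline,
the sample listing and all addresses below are constructed (documentation
ranges), not real hosts.
"""
import ipaddress
import json

# Constructed baseline: the records the operator expects to exist.
BASELINE = {
    ("A", "btcmanager.com"): "198.51.100.10",
    ("A", "www.btcmanager.com"): "198.51.100.10",
    ("MX", "btcmanager.com"): "mail.example.net",
}

# Constructed: address ranges the operator's own origin servers live in.
ALLOWED_ORIGINS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed listing, as if fetched after the compromise: an unexpected
# A record for img.btcmanager.com pointing at an address outside the origins.
SAMPLE_LISTING = json.dumps({
    "success": True,
    "result": [
        {"type": "A", "name": "btcmanager.com", "content": "198.51.100.10"},
        {"type": "A", "name": "www.btcmanager.com", "content": "198.51.100.10"},
        {"type": "MX", "name": "btcmanager.com", "content": "mail.example.net"},
        {"type": "A", "name": "img.btcmanager.com", "content": "203.0.113.77"},
    ],
})


def audit_records(listing_json, baseline=BASELINE, allowed=ALLOWED_ORIGINS):
    """Return a list of (severity, message) findings for a record listing.

    Three checks: records not in the baseline, baseline records whose content
    changed, and A/AAAA records resolving outside the allowed origin ranges.
    Baseline records absent from the listing are reported as missing.
    """
    listing = json.loads(listing_json)
    findings = []
    seen = set()
    for rec in listing.get("result", []):
        key = (rec["type"], rec["name"])
        seen.add(key)
        expected = baseline.get(key)
        if expected is None:
            findings.append(("HIGH", f"unexpected record {key[0]} {key[1]} -> {rec['content']}"))
        elif expected != rec["content"]:
            findings.append(("HIGH", f"changed record {key[0]} {key[1]}: {expected} -> {rec['content']}"))
        # Any address record must point at the operator's own origin ranges;
        # a record created by someone else will usually point elsewhere.
        if rec["type"] in ("A", "AAAA"):
            addr = ipaddress.ip_address(rec["content"])
            if not any(addr in net for net in allowed):
                findings.append(("HIGH", f"{key[1]} resolves outside allowed origins: {addr}"))
    for key in baseline.keys() - seen:
        findings.append(("MEDIUM", f"missing record {key[0]} {key[1]}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_records(SAMPLE_LISTING):
        print(f"[{severity}] {message}")
```

Run against a real listing, the baseline would be the record set exported when the zone was last known to be clean, and the audit would be scheduled rather than run by hand; the value of the origin-range check is that it fires on a rogue record even when the baseline itself is stale.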
How To Protect Myself?
BTCManager says they do not think it is necessary to stop using MetaMask or similar wallets, but it is important to acknowledge the risks involved. If you hold a significant amount of funds, it is highly recommended to use a hardware wallet (for example Ledger, KeepKey or Trezor), which keeps your keys off the computer and stores your funds far more safely.
Hot wallets, like the ones used on a phone or a computer, are very convenient, but they do not provide as many security layers as hardware wallets. Hardware wallets, of course, are less comfortable for everyday use.
In addition, most websites can detect the plugins you have installed, so to reduce exposure it may be a good idea to browse with a separate browser that does not have your wallet extension, and to open the wallet browser only when you need it.
If you want to prevent your site from being hacked, enable two-factor authentication, use a password manager, never reuse passwords, and change passwords regularly.
What About DigitalOcean?
At press time, the company had not helped at all and does not seem concerned that its infrastructure is being used to serve phishing attempts. MetaMask said they will use all their resources and experience to pressure DigitalOcean, shut the attacker down and find out who is behind it.
BTCManager thanks WeaponizedMath for their help in reporting the problem.