Blockchain

ALERT: Malicious Crypto Browser Extension—Masked MetaMask

UPDATE: 12/03/2020

The MetaMask phisher continues to buy sponsored ads on MetaMask search results. The company urges users to “use direct links, and if you need to use search, watch out for sponsored links!”

Sponsored ads for the fraudulent maskmeha[.]io seem to have been displaced by meramaks[.]io


12/02/2020

Within the past 24 hours, CipherTrace has noticed an uptick of alerts and comments within the online cryptocurrency community of users’ funds being stolen via a Chrome browser extension phishing attack posing as cryptocurrency wallet and browser extension MetaMask. The fraudulent browser extension is directing information to maskmeha[.]io, which then subsequently redirects to https[:]//installmetamask[.]com.

Whois Information for https[:]//installmetamask[.]com

First Seen Date: 11/26/20

Thumbprint: a7f5485707f9ff4dbb3bc75bf78e6029ea5add58

IPs:

172[.]67[.]203[.]220
104[.]27[.]160[.]92

104[.]27[.]161[.]92

Registrar:

Date: 11/29/20

Name: NameCheap, Inc.

VirusTotal currently has this domain flagged with a 0 score and its creation day at 7 days ago. Inspecting this domain further, we found that the domain had been mentioned in a Tweet on November 28, 2020 by Twitter user @dmazorosete who sought a response from MetaMask regarding the potentially fraudulent site.

$WHALE Community on Medium published a post ~18 hours ago instructing users to send $WHALE funds to MetaMask and referenced the https[:]//installmetamask[.]com domain as the MetaMask wallet download page.

The page for the phishing site mirrors the actual MetaMask site quite well, as seen below.

Phishing Site Screenshot
Legitimate MetaMask website
Legitimate MetaMask website

We have alerted and reached out to MetaMask to help take down this malicious browser extension. As always, stay vigilant.

Source: https://ciphertrace.com/alert-malicious-crypto-browser-extension-masked-metamask/