MetaMask, a popular crypto wallet app, is being targeted due to a design flaw on iOS. A phishing scam involving a call that appears to come from Apple can drain MetaMask wallets by way of a default setting that could definitely be called a security flaw: the app writes the security seed phrase needed for remote access into iCloud backups unless this behavior is manually disabled.
MetaMask has warned users of Apple devices such as the iPhone, iPad, and Mac to disable iCloud backups to prevent phishing attacks. The company made this known in a recent tweet, where it shared that encrypted passwords for users’ crypto accounts, known as MetaMask vaults, are automatically uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app.
The scammer on the phone, who had spoofed caller ID to pretend to be Apple, told Iacovone that there had been suspicious activity on his Apple iCloud account. All Iacovone had to do to resolve the issue, he was told, was confirm that he was the genuine user of the account by sharing a one-time verification code that his phone was about to receive.
Iacovone, who says he was lulled into a false sense of security because the caller had an American accent, duly handed over the six-digit code. The scammer promptly hung up the call and emptied $650,000 worth of funds and NFTs from his MetaMask cryptocurrency wallet.
In addition, MetaMask explained that customers could disable iCloud backups by turning off certain features on the platform. (Source: Twitter)
The warning comes a few days after a Twitter user, going by the handle “revive_dom,” had his entire MetaMask wallet (containing $650K worth of cryptocurrencies and NFTs) wiped by hackers.
Another user reported in a tweet that his entire wallet had been stolen.
Regarding this occurrence, neither MetaMask nor Apple seems to be to blame. The problem happened due to Iacovone’s lax operational security combined with a natural function on Apple devices that users can disable. Nonetheless, the MetaMask team has recommended that users disable iCloud backups, detailing how to do so in a blog post.
How is a user attacked?
Step 1
Once they know your Apple ID email address, scammers will make a lot of Apple ID password reset attempts, and you will receive many text messages, making you worry that there’s a security issue with your Apple ID.
Step 2
Then, scammers will impersonate Apple and contact you via phone. They inform you that there was suspicious activity with your Apple ID and that to prove you are the genuine owner, they need you to provide a 6-digit verification code.
Step 3
In fact, the code was generated when the scammers tried to log in to your account. With it, they can reset your Apple ID password and gain access to all the data stored on your iCloud, including the seed phrase of your MetaMask wallet.
What does that mean? Well, they can then take control of your MetaMask account and transfer all your crypto assets away. What’s worse, since cryptocurrencies are decentralized, it would be nearly impossible to get them back! Watch out!
Tips to protect against phishing attacks:
- Never give anyone a verification code sent to you by Apple, Instagram, or any other service – they might be trying to break into your account.
- Remember that caller ID can be spoofed by scammers to disguise themselves as other people or companies.
- Double-check callers’ phone numbers, but keep in mind that caller IDs can be spoofed. Besides, remember that Apple will most likely not call you.
- Never share any verification code with anyone.
- Use a cold wallet to store your crypto assets to avoid phishing scams.
- Start using a cold hardware wallet for your cryptocurrency, rather than a software one.
- Check your phone settings to ensure that only the data you want to back up to Apple iCloud is being backed up.
- Disable iCloud backups for your MetaMask data via Settings > Profile > iCloud > Manage Storage > Backups. Also, turn off automatic iCloud backups via Settings > Apple ID/iCloud > iCloud > iCloud Backup.
Finally, keeping your investments out of social media and other public channels makes you less of a target, as hackers keep an eye out for fresh, high-value victims. Stop showing off on social media about your cryptocurrency investments; you might attract unwanted attention.