Popular software crypto wallet MetaMask has issued a warning about possible phishing attacks through Apple’s cloud service iCloud. The warning comes after scammers managed to steal USD 650,000 worth of crypto using this attack vector.
The company detailed that MetaMask vaults, the encrypted passwords also known as seed phrases, are uploaded to iCloud if the backup option is enabled. This would enable scammers to gain access to the seed phrase as soon as they compromise a user’s iCloud account.
“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault,” MetaMask said. “If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds.”
MetaMask also provided users with a guide on how to disable iCloud backups for MetaMask.
If you want to avoid iCloud surprising you with unrequested backups in the future, you can turn off this feature at:
Settings > Apple ID/iCloud > iCloud > iCloud Backup
3/3— MetaMask 🦊💙 (@MetaMask) April 17, 2022
The warning comes after scammers used this attack vector to drain funds from a user’s MetaMask wallet. Called Domenic Iacovone on Twitter, the user says he received a call from “Apple.”
This is how it happened, Got a phone call from apple, literally from apple (on my caller Id) Called it back because I suspected fraud and it was an apple number. So I believed them
They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped— Domenic Iacovone (@revive_dom) April 14, 2022
The user got multiple text messages asking him to reset his Apple ID password on April 15, according to Serpent, founder of Sentinel, a discord and crypto threat mitigation system.
The messages came from a spoofed caller ID trying to impersonate “Apple Inc.” They said there was suspicious activity on the victim’s Apple ID and asked for a one-time verification code to prove the owner of the Apple ID account.
“After giving the 6 digit verification code, the scammers hung up and his MetaMask wallet was wiped, with over [USD] 650,000 stolen,” Serpent said, adding that this was possible because the user’s seed phrase was saved on their iCloud.
3/ MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim’s Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim’s MetaMask.
— Serpent (@Serpent) April 17, 2022
In total, the user lost ETH 132.86 (USD 387,500) and USDT 252,400, currently worth some USD 639,900. Notably, the stolen funds were worth north of USD 655,000 on the day of the incident when ETH was trading much higher.
Meanwhile, in a recent Twitter thread, Taylor Monahan, founder and CEO at MyCrypto, an Ethereum wallet manager, noted the countless ways that a MetaMask wallet user can lose their secret recovery phrase and “get rekt.”
She detailed that sharing the secret recovery phrase on websites, chatbox, and email, sharing computer screen, clicking on malicious links, and having iCloud backup enabled, among others, could all lead to bad actors gaining access to users’ funds.
hacker the 6 digits that display on your device within a few minutes AND press okay on that pop up too AND you give the hacker the pw you initially used when setting up MM on the device that you had turned on iCloud backup app data on for then, yup, you’ll get fucking rekt! pic.twitter.com/0TIMrsQUtJ
— Taylor Monahan 🦊💙 (@tayvano_) April 17, 2022
Meanwhile, some users blamed MetaMask for storing the seed phrase on iCloud, asking for a quick fix.
“The fact that Metamask stores your phrase on iCloud is a major security risk especially when it comes to social engineering and how large the industry is,” one Twitter user said. “Metamask needs to disable that feature or make it tougher for malicious actors.”
100% metamask will need to fix that shite https://t.co/M9E3DBt8p5
— Br Br the podcast Snek (@bryanbrake) April 17, 2022
Source: Cryptonews
