MetaMask, the cryptocurrency wallet provider, has sent a notification to its community warning that users of Apple iCloud may be susceptible to ongoing phishing attacks.
The security issue for Mac, iPad, and iPhone users relates to the default device settings. These settings store and automatically back up the users’ app data if they opted for automatic backups on their devices.
MetaMask has warned its community that the MetaMask app data includes the seed phrase for the user’s wallets, and that with automatic backups the seed phrase will be stored online, posing a serious threat to the security of the user’s cryptocurrency funds.
Real phishing case
Unfortunately, the scenario above has already been used against at least one MetaMask user, who lost over $655k as a result of a well-crafted phishing attack.
We at Alvosec always advise users to protect the entire environment in which they handle their cryptocurrency funds. If you use backups, those backups must be properly secured. If you use a wallet on your PC, the OS must be secured. If the wallet is used on a mobile device, that device must be protected.
From what we know, the attacker spoofed a caller ID to gain a higher level of trust. From there, the victim unfortunately gave the attackers an OTP code, which allowed them to log in to his iCloud.
To show users that this is possible, we tried spoofing a caller ID ourselves. Here is an example of it:
Keep educating yourself by reading our blog.