diff --git a/content/blog/metamask-scam-exploration.md b/content/blog/metamask-phishing-exploration.md similarity index 79% rename from content/blog/metamask-scam-exploration.md rename to content/blog/metamask-phishing-exploration.md index 257a928..3736157 100644 --- a/content/blog/metamask-scam-exploration.md +++ b/content/blog/metamask-phishing-exploration.md @@ -1,5 +1,5 @@ +++ -title = 'Exploration of a Random MetaMask Scam' +title = 'Exploration of a Random MetaMask Phishing Campaign' date = 2024-10-27T21:04:50+02:00 author = '' draft = false @@ -7,10 +7,10 @@ tags = ['random'] categories = [] +++ -A few days ago, I received a pretty credible-looking MetaMask scam email stating that my account had been locked due to an attempt to connect a new device to it. Too bad I don't even own a MetaMask account, but despite that, I decided to spend a bit of time and look into how the whole scam worked, as I rarely receive any kind of spam nowadays. +A few days ago, I received a pretty credible-looking MetaMask phishing email stating that my account had been locked due to an attempt to connect a new device to it. Too bad I don't even own a MetaMask account, but despite that, I decided to spend a bit of time and look into how the whole campaign worked, as I rarely receive any kind of spam nowadays.

- Picture of the original email message + Picture of the original email message

## Email attachment @@ -42,7 +42,7 @@ function saveFile(name, type, data) { The resulting webpage would display 12/15/18/21/24 input fields for a crypto wallet seed phrases of various lengths. -The scammer was using Telegram as the backend, but didn't apparently care enough to even attempt to hide the API token and chat ID from the source with some obfuscation logic. Additionally it's also clear that the data was being exfiltrated into a private chat based on the chat ID format (private chats don't have a dash prefix, whereas supergroups and channels have a `-100` prefix). +The campaign operator was using Telegram as the backend, but didn't apparently care enough to even attempt to hide the API token and chat ID from the source with some obfuscation logic. Additionally it's also clear that the data was being exfiltrated into a private chat based on the chat ID format (private chats don't have a dash prefix, whereas supergroups and channels have a `-100` prefix). ```javascript // Add your telegram token,chatid @@ -50,7 +50,7 @@ const token = "7686154983:AAFtpdY6iTjT7UiTK6cXh0fM2T4CKfjRHl0" const chatId = "7839331161" ``` -Before sending the collected information to the Telegram chat, the JavaScript code would also make a quick `GET` request to `ipinfo.io` to get the victim's public IP and related location data. This information would probably be used to pick a proxy for the wallet draining stage of this scam without raising any unwanted suspicions on MetaMask's end. +Before sending the collected information to the Telegram chat, the JavaScript code would also make a quick `GET` request to `ipinfo.io` to get the victim's public IP and related location data. This information would probably be used to pick a proxy for the wallet draining stage. ```javascript wordForm1.addEventListener("submit", (e) => { 
@@ -161,4 +161,4 @@ while True: sleep(random.randint(1, 10)) ``` -In the end I was able to send roughly 10k messages before the scammer revoked the API token. I hope he'll have a fun time trying to sort out the legitimate responses from the ones I sent. +In the end I was able to send roughly 10k messages before the person behind the campaign revoked the API token. I hope he'll have a fun time trying to sort out the legitimate responses from the ones I sent. diff --git a/static/images/metamask-scam-exploration/email.png b/static/images/metamask-phishing-exploration/email.png similarity index 100% rename from static/images/metamask-scam-exploration/email.png rename to static/images/metamask-phishing-exploration/email.png diff --git a/static/images/metamask-scam-exploration/tg-bot.png b/static/images/metamask-phishing-exploration/tg-bot.png similarity index 100% rename from static/images/metamask-scam-exploration/tg-bot.png rename to static/images/metamask-phishing-exploration/tg-bot.png
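Review bot: renaming `content/blog/metamask-scam-exploration.md` to `content/blog/metamask-phishing-exploration.md` changes the post's published URL, and the first hunk (the front-matter block with `-title` / `+title`) adds no redirect for the old slug. Assuming this is a Hugo site (the `+++` TOML front matter and the `content/blog` / `static/images` layout suggest it), add an alias in the same block so existing links keep resolving, e.g. `aliases = ['/blog/metamask-scam-exploration/']`.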
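Review bot: the `Picture of the original email message` line in the second hunk is rewritten, but the image path itself is not visible in the extracted diff; confirm it now points at `static/images/metamask-phishing-exploration/email.png`, which this same patch renames. The patch also renames `tg-bot.png` under the new directory, yet no visible hunk updates a reference to it in the post; check that the reference is updated (or that the hunk was simply not shown).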
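Review bot: the unchanged context below the `@@ -42,7 +42,7 @@` hunk still carries the kit's full Telegram bot token and chat ID (`const token = "..."` and `const chatId = "7839331161"`). The closing paragraph says the token was later revoked, but since this paragraph is being edited anyway, it would be worth partially redacting the token in the listing or stating next to the code block that it is revoked, so the post does not read as publishing a live credential.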
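Review bot: the rewritten sentence in the `@@ -50,7 +50,7 @@` hunk drops the reason the original gave for the proxy ("without raising any unwanted suspicions on MetaMask's end"), leaving "This information would probably be used to pick a proxy for the wallet draining stage" as a hedged claim that no longer explains itself. Either keep a short clause about matching the victim's location so nothing looks unusual on MetaMask's side, or cut the speculation entirely rather than leaving half of it.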
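Review bot: in the last hunk the new wording "the person behind the campaign" is immediately followed by the unchanged "I hope he'll have a fun time", so the gender-neutral noun and the pronoun now disagree; use "they'll" (or keep "he" throughout). The patch also replaces "scammer" with two different terms ("campaign operator" in the `@@ -42` hunk, "person behind the campaign" here); pick one for consistency.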