- Ethereum-based wallet MetaMask has alerted its users of a phishing scheme being conducted using backup app data.
- Crypto users have been warned once again not to share their credentials, verification codes, and other personal information.
Crypto wallet provider Metamask has warned the crypto community of phishing attacks that are being conducted on Apple devices. For an iPhone, Mac or iPad user, default settings see app data backed up on iCloud. This is what the attackers have been relying on.
For MetaMask specifically, automatic backup sends the user’s seed phrase or “password-encrypted MetaMask vault” to the iCloud. With phished iCloud credentials, an attacker can see this vault and attempt to access it using multiple passwords. If the passphrase “isn’t strong enough,” a user runs the risk of losing whatever digital assets they have on MetaMask.
MetaMask wallet security vulnerability for Apple users
Of note, the ConsenSys-owned wallet provider shared the security issue after a recent case of theft. Three days ago, the NFT collector and Twitter user “revive_dom” tweeted that their entire wallet was wiped off. In it was $650,000 worth of cryptocurrencies and NFTs. Twitter user “Serpent,” who is also the DAPE NFT project founder, also helped gain MetaMask’s attention by sharing the story in detail with his 277,0000 followers.
According to “Serpent,” the victim received multiple messages asking him to reset his Apple ID password. He also got a call (which he later came to learn was spoofed) from Apple. Unsuspectingly, the victim proceeded to hand over a six-digit verification code to prove their ownership of the Apple account. The scammers then hung up and went on to access his MetaMask account using iCloud-backed data.
MetaMask has now asked its users (21M+ monthly users) to disable their iCloud backups for the digital wallet. The “Serpent” once again reiterated to the crypto community what has now become a sing-song but is still widely ignored:
“Never give out verification codes to ANYONE” and “Companies like Apple will never call you.”
Additionally, he urged digital asset owners to “ALWAYS” store their valuables in cold wallets. Supporters of this argument say users should only apply a hot wallet after a great deal of diligence.
Who’s to blame: The user, the wallet, or Apple?
But even then, recent events have shown that even hardware wallets have some level of vulnerability. The wallet providers Trezor and Ledger had a phishing attempt and massive data breach, respectively.
Meanwhile, a frustrated “revice_dom” blames both the Ethereum-based wallet and Apple for not informing users of the automatic backup:
I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.