METAMASK PHISHER PLAYS THE VICTIM

Fake metamask landing page

A few days back I was having a fun conversation with Milan and Flavio and a phishing kit came up.

hxxps://www [.] back-metamask [.] com/register-login.html

THE PHISHING KIT

MetaMask Phish Landing Page

Typical MetaMask phish kit, nothing particularly interesting about it at face value, but I couldn't help a feeling of deja vu. I started snooping around. I chose "import wallet". Again, nothing in particular, a typical seed phrase harvesting page.

MetaMask Phish Kit seed harvester page

I used Ian Coleman's Mnemonic Code Converter to generate a random mnemonic phrase and "imported" my wallet. To my surprise...

MetaMask Phish Kit Fake Wallet

They gave me a whole wallet with all of 0 ETH 🤣. I'm still questioning this decision. From a design perspective, having a potential victim land on a page with NONE of their supposed ETH in their wallet is sure to cause them to panic.

Anyway, going through all the requests I saw that they were sending the harvested seeds to

hxxps://www [.] back-metamask [.] com/api.php

MetaMask Phish Kit POST request

I also realised that the POST wouldn't work if the referer wasn't

hxxps://www [.] back-metamask [.] com/wallet.html
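
The two observations above (seed phrases exfiltrated in a form POST to a collector script, gated on a wallet-page referer) are exactly what a defender can hunt for in egress logs. As an added example, not from the original post, here is a Python heuristic over constructed tab-separated proxy log lines (method, URL, referer, form body) that flags POST bodies carrying a BIP39-shaped mnemonic; the host `phish.example` and the field name `seed` are constructed stand-ins, not values from the kit.

```python
import re
from urllib.parse import parse_qs, urlparse

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words, and every word in the
# English wordlist is 3 to 8 lowercase ASCII letters. Both facts drive the
# heuristic; it is a cheap filter, not a wordlist lookup, so expect a few
# false positives on short all-lowercase sentences.
BIP39_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Constructed proxy log: METHOD <tab> URL <tab> REFERER <tab> FORM BODY.
# phish.example stands in for the collector domain discussed in the post.
SAMPLE_LOG = [
    "POST\thttps://phish.example/api.php\thttps://phish.example/wallet.html\t"
    "seed=abandon+ability+able+about+above+absent+absorb+abstract+absurd+abuse+access+accident",
    "POST\thttps://shop.example/login\thttps://shop.example/\tuser=alice&pass=hunter2",
    "GET\thttps://phish.example/wallet.html\thttps://phish.example/register-login.html\t",
    "POST\thttps://forum.example/post\thttps://forum.example/\t"
    "body=this+is+a+normal+sentence+with+exactly+twelve+words+in+it+ok",
]


def looks_like_mnemonic(text: str) -> bool:
    """Heuristic: a BIP39 word count where every token is BIP39-shaped."""
    words = text.strip().lower().split()
    return len(words) in BIP39_LENGTHS and all(WORD_RE.match(w) for w in words)


def find_seed_exfil(log_lines):
    """Return (host, path, referer, field) for each POST whose form body
    carries a mnemonic-like value. One hit per request; the referer is kept
    because kits like this one gate the collector on their own wallet page."""
    hits = []
    for line in log_lines:
        method, url, referer, body = line.split("\t")
        if method != "POST":
            continue
        parsed = urlparse(url)
        for field, values in parse_qs(body).items():  # parse_qs decodes '+' to spaces
            if any(looks_like_mnemonic(v) for v in values):
                hits.append((parsed.hostname, parsed.path, referer, field))
                break
    return hits


if __name__ == "__main__":
    for host, path, referer, field in find_seed_exfil(SAMPLE_LOG):
        print(f"possible seed exfil: field {field!r} -> {host}{path} (referer {referer})")
```

The 12-word forum sentence in the sample is rejected because "is", "a", "in" and "it" are shorter than any BIP39 word, which is the point of checking word shape and not just word count.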

With all this info I wondered: what if someone were to send a bunch of random mnemonic phrases? Even better, send LOADS of them at once... And "someone" did 😅

DENIAL OF SERVICE

MetaMask Phish Kit DOS

And the site went down.

MetaMask Phish Kit down

It went down for some hours. It came back to life with a "new" script to collect the seeds. It was changed from

hxxps://www [.] back-metamask [.] com/api.php

to

hxxps://www [.] back-metamask [.] com/apis.php

A game of "slightly alter the name of the script" ensued. The phishers changed the name of the script and the "someone" changed it as well. The phishing site had an average uptime of 5 minutes per hour.

TALKING TO THE PHISHERS

The phishers finally gave up and put up a text message as their landing page. It read:

"U ARE SO BAD telegram @ethpadpresaleadmin contact me"

Of course I reached out! This is how the conversation went:

MetaMask Phishers conversation

"Flap Jack" asks '..Why are u doing this?' like they are the victim 🤣🤣🤣. Staying up all night for this paid off. Another one bites the dust!

PREVIOUS ATTACKS

I scanned the domain on VirusTotal and URLScan and you wouldn't believe it!

MetaMask Phish Kit on URLScan

This is why I felt deja vu! I'd seen this before:

hxxps://restore-metamask [.] com/register-login.html

MetaMask Phish Kit on Phishfort

KEY TAKEAWAYS