One user revealed that he lost more than half a million dollars from his MetaMask wallet after receiving what appeared to be a password reset request from Apple.

Popular Ethereum wallet MetaMask is alerting its iPhone, Mac, and iPad users to potential phishing attacks that use Apple’s iCloud service.

The ConsenSys-owned wallet provider posted a tweet thread on Sunday warning users that they could risk losing their funds if their Apple password is “not strong enough.”

The company explained that the window for possible attacks exists because the encrypted passwords, called MetaMask vaults, are automatically uploaded to Apple’s cloud service unless the iCloud backup feature is disabled.

This automatic feature could ultimately result in data theft through a phishing attack. If a user’s iCloud account is compromised, the passwords of all their linked digital asset wallets could be compromised as well.

User Lost USD $650,000 from His MetaMask

In the tweet thread, the company explained to users how they could disable automatic iCloud backups for MetaMask. To apply the configuration, they must go to “Settings > Profile > iCloud > Manage storage > Backups” on their devices.

In a phishing attack, a term that refers to the sport of fishing, attackers impersonate a trusted entity, website, or application to steal passwords and funds from users who enter the fake site believing it is trustworthy enough to carry out financial operations there.

The warning arrived after a non-fungible token (NFT) collector revealed a loss of $650,000 in assets and collectibles held in his MetaMask. The user, identified as “Domenic Iacovone,” said on Twitter that he had received many text messages and an alleged call from Apple asking him to reset his Apple ID password.

The victim provided a six-digit verification code to prove ownership of the Apple account, which the malicious actors then used to access his MetaMask and extract the funds. He explained that his wallet held many NFTs from the famous Mutant Ape Yacht Club (MAYC) collection as well as digital asset funds.

Reasons to Be Alert to Apple Impersonators

The founder of Dope NFT, nicknamed “Snake” on Twitter, explained that “MetaMask saves the opening phrase file to your iCloud.” In a thread of tweets, he also shared some details about how the campaign operates and alerted his more than 250,000 followers.

Through a series of messages, the attackers requested a password reset for the victim’s Apple ID. Right after obtaining the 2FA code, they took over the Apple ID and accessed iCloud, which granted them complete access to the victim’s MetaMask.

The victim intended to offer a reward of at least $100,000 for help getting his funds back. Iacovone also seemed frustrated after MetaMask posted its warning; he stressed that the company should give users more details about how the app’s functions and features work.

By: Jenson Nuñez
