Crypto wallet warns of iCloud phishing attack that led to $650K in stolen assets
Crypto wallet MetaMask is warning Apple iCloud users of a new phishing attack that could lead to stolen non-fungible tokens or cryptocurrencies.
The blockchain company noted that iCloud backups for app data will include a user's password-encrypted MetaMask vault. If the password isn't strong enough, the vault could be stolen and compromised during another type of attack.
Apparently, that isn't just a theoretical risk. On April 14, MetaMask user Domenic Iacovone took to Twitter to claim that his crypto wallet was completely stolen. Some of the digital assets that were lost included a number of non-fungible tokens (NFTs) and about $100,000 in Apecoin.
Iacovone said the saga started when he received a call on his iPhone that read as an Apple number on caller ID. When he called the number back, the scammers asked for a code that was sent to his device. A few seconds later, his wallet was wiped.
Hey y'all, let's see how amazing this community can be. My entire wallet was just stolen. Totally wiped out,— Domenic Iacovone (@revive_dom) April 14, 2022
MAYC 28478, MAYC 8952, MAYC 7536
Gutter cat 2280 , 2769, 2325
Also stole 100k in ape coin.
Looking for all the help I can get.
100kreward @BoredApeYC @GutterCatGang
In other words, the attackers broke into Iacovone's iCloud account and called him to phish for the two-factor authentication code. When he provided it, they were able to compromise his MetaMask vault and steal his assets.
MetaMask, for its part, says that users disable iCloud backup for MetaMask specifically in the Manage Storage section of a user's iCloud settings.
Users can also protect themselves from phishing attacks by avoiding giving out any sensitive information to callers. Spoofing an official number or caller ID tag is a common tactic among scammers. Additionally, Apple will never ask for a two-factor authentication code over the phone.
Instead of calling back a number directly, users should find the official customer support line from a company's website and call that number to verify.
This is far from the first time that NFTs or cryptocurrencies have been stolen in a phishing attack. Back in February, nearly $1.7 million worth of digital assets were stolen in an attack on OpenSea users.