Mike Peterson
Crypto wallet MetaMask is warning Apple iCloud users of a new phishing attack that could lead to stolen non-fungible tokens or cryptocurrencies.
The blockchain company noted that iCloud backups for app data will include a user's password-encrypted MetaMask vault. If the password isn't strong enough, the vault could be stolen and compromised during another type of attack.
Apparently, that isn't just a theoretical risk. On April 14, MetaMask user Domenic Iacovone took to Twitter to claim that his crypto wallet was completely stolen. Some of the digital assets that were lost included a number of non-fungible tokens (NFTs) and about $100,000 in Apecoin.
Iacovone said the saga started when he received a call on his iPhone that read as an Apple number on caller ID. When he called the number back, the scammers asked for a code that was sent to his device. A few seconds later, his wallet was wiped.
Hey y'all, let's see how amazing this community can be. My entire wallet was just stolen. Totally wiped out,
— Domenic Iacovone (@revive_dom) April 14, 2022
MAYC 28478, MAYC 8952, MAYC 7536
Gutter cat 2280 , 2769, 2325
Also stole 100k in ape coin.
Looking for all the help I can get.
100kreward @BoredApeYC @GutterCatGang
In other words, the attackers broke into Iacovone's iCloud account and called him to phish for the two-factor authentication code. When he provided it, they were able to compromise his MetaMask vault and steal his assets.
MetaMask, for its part, says that users disable iCloud backup for MetaMask specifically in the Manage Storage section of a user's iCloud settings.
Users can also protect themselves from phishing attacks by avoiding giving out any sensitive information to callers. Spoofing an official number or caller ID tag is a common tactic among scammers. Additionally, Apple will never ask for a two-factor authentication code over the phone.
Instead of calling back a number directly, users should find the official customer support line from a company's website and call that number to verify.
This is far from the first time that NFTs or cryptocurrencies have been stolen in a phishing attack. Back in February, nearly $1.7 million worth of digital assets were stolen in an attack on OpenSea users.
Charles Martin
Amber Neely
Sponsored Content
AppleInsider Staff
Malcolm Owen
Oliver Haslam
6 Comments
The article says that they broke in to his iCloud and then got him to divulge the 2fa.
I hope the author of the article is just smoking a little crack today, and that it’s just a word sequence problem, because the statement is extremely misleading. A tech writer on AppleInsider surely knows that there was no break-in, which is why they needed the 2fa, because they just initiated an iForgot on his Apple ID, and then called him.
At no time was iCloud broken into, or hacked, or compromised itself. They tricked the guy into giving them
access to his account.
He didn’t really lose anything. It was all non-real assets that will be worth nothing in the end anyway.
So yet another dumbass falls for social engineering. How may times do people need to be told companies like Apple simply do not make calls like this asking for credentials? Now let’s see if he tries to sue someone (Metamask, Apple) for his stupidity. My guess is he will try.
We're starting to see an increasing correlation between people who get into crypto and people who believe anything they're told. Hmm.