Cyber threat analysis firm Check Point Research (CPR) has issued an alert about a recent phishing campaign mainly targeting Phantom and MetaMask users. The campaign uses Google Ads to push fake websites to the top of search results, where they prompt users to hand over their keys or to create new wallets that are in fact controlled by the attackers. It is currently estimated that half a million dollars have been diverted from victims' wallets. Because the attack is carried out during the (supposed) wallet creation process, newcomers to the crypto space are likely to be the most heavily affected.
As with most large-scale cyber threats, attackers focus their efforts on the most popular platforms: as the number of potential victims grows, so does the potential return. MetaMask, with its 10.35 million peak users (as of August 2021), represents a sizable target for this phishing effort; the same is true for Phantom, which has already registered a million users since its launch. The method appears to rely on the fact that both platforms use browser extensions as the user's entry point. But beware: other DeFi apps such as Sushiswap and Cakeswap are also popular victims of this sort of malicious behavior, for similar reasons.
After mistakenly clicking the sponsored top search result, users are sent to a phishing website that hides in plain sight behind a domain differing from the real platform's address by a very minute change (such as phantonn instead of phantom). Users are then guided through a fake wallet creation process, which in reality just hands them access to the attacker's wallet. Once the "wallet setup" is complete, the phishing site redirects users to the real website, where they are prompted to install the wallet extension. After entering the passphrase for the "generated" wallet address, users are in fact connected to the attacker's wallet. Any funds they transfer into it can immediately be moved to another wallet that remains under the attacker's control.
While the Phantom phishing scheme focuses on new wallet creation, the MetaMask phishing attack differs in that it can actually steal the user's private key. Not only is the fake wallet generation possible, but victims are also prompted to import their existing MetaMask wallet, which immediately gives the attacker access to all of their existing funds.
More creative ways of stealing crypto funds have come and gone; when it comes to this particular scam, however, an attentive user can spot and easily sidestep the attempt. Remember to always double-check the URL you are clicking, and avoid landing on any crypto- or banking-related page through an ad link. The browser address bar is your best friend here: it is good policy to keep an eye on it in any potentially sensitive scenario. CPR published a YouTube video showcasing the phishing method; catch it below.