$650K MetaMask & iCloud Hack, Here's How to Stay Safe
Over the weekend, a new MetaMask and iCloud phishing scam cost one web3 user over $650,000 when he accidentally reset his Apple ID password for the hacker. But how did the scammer gain access to this victim's MetaMask with just his Apple ID and iCloud password?
Here's how the new phishing attack works and how to stay safe.
New MetaMask & iCloud Phishing Scam
If you have enabled iCloud backup for app data, which is the default and commonplace for iPhone users, the MetaMask mobile application's data is saved to iCloud, including the password-encrypted vault that holds your seed phrase. If a hacker gains access to your iCloud account, they have access to that vault, and, as MetaMask notes, if your password isn't strong enough, that gives them access to your seed phrase.
Once a hacker has access to your seed phrase, it's game over. They can access your MetaMask crypto wallet and drain your entire account in minutes.
In this specific case, the scammer sent multiple Apple ID password reset requests to the victim's iCloud account. This was intended to make it look like a suspicious hacking attempt was currently taking place.
Then, the scammer called the victim from a phone number with Apple Inc. as the caller ID. They claimed to be Apple support and requested to reset the victim's Apple ID password. The scammer sent a code to the victim, who then gave the code to the scammer, and that's all it took.
The scammer hung up the phone, used the code to reset the victim's Apple ID password, logged into the victim's iCloud account, found the victim's seed phrase, and drained the victim's account of over $650,000 in cryptocurrencies.
🚨 NEW PHISHING SCAM 🚨
Already $650,000 stolen from a single individual and it's going to happen to a lot more people.
This is how it happened 🧵👇
— Serpent (@Serpent) April 17, 2022
How to Stay Safe From This MetaMask & iCloud Hack
There are a few best practices to stay safe from phishing scams like the one mentioned above:
- Use a cold wallet to store your cryptocurrencies. The two most popular hardware wallets, also called offline wallets, are Ledger and Trezor.
- Always protect your personal data and never give access codes to anyone. Scams and hacks are getting more elaborate, and it is sometimes difficult to tell what is real and what is fake. Err on the side of caution.
- Never tell anyone your seed phrase. Always keep it offline.
To combat this specific phishing scam, MetaMask suggests disabling iCloud backup for MetaMask's application. To do this, go into your iPhone's settings, then go to Profile --> iCloud --> Manage Storage --> Backups. Turn off the toggle.
You can also turn off iCloud backup by going into your iPhone's settings and choosing Apple ID/iCloud --> iCloud --> iCloud Backup. Turn off the toggle.
Stay safe out there.
🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3
— MetaMask 🦊💙 (@MetaMask) April 17, 2022