ALERT: Malicious Crypto Browser Extension—Masked MetaMask
The MetaMask phisher continues to buy sponsored ads on MetaMask search results. The company urges users to “use direct links, and if you need to use search, watch out for sponsored links!”
Sponsored ads for the fraudulent maskmeha[.]io seem to have been displaced by meramaks[.]io.
Within the past 24 hours, CipherTrace has noticed an uptick in alerts and comments within the online cryptocurrency community about users' funds being stolen via a Chrome browser extension phishing attack posing as the cryptocurrency wallet and browser extension MetaMask. The fraudulent browser extension is directing information to maskmeha[.]io, which then redirects to https[:]//installmetamask[.]com.
Whois Information for https[:]//installmetamask[.]com
First Seen Date: 11/26/20
Name: NameCheap, Inc.
VirusTotal currently has this domain flagged with a 0 score and shows its creation date as 7 days ago. Inspecting this domain further, we found that it had been mentioned in a Tweet on November 28, 2020 by Twitter user @dmazorosete, who sought a response from MetaMask regarding the potentially fraudulent site.
$WHALE Community on Medium published a post ~18 hours ago instructing users to send $WHALE funds to MetaMask and referenced the https[:]//installmetamask[.]com domain as the MetaMask wallet download page.
The page for the phishing site mirrors the actual MetaMask site quite well, as seen below.
We have alerted and reached out to MetaMask to help take down this malicious browser extension. As always, stay vigilant.
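The three domains named in this alert imitate the MetaMask name in different ways: scrambled letters, a near-miss spelling, and the brand embedded in a longer name. The sketch below is an added example, not code from CipherTrace or MetaMask, showing how a defender could triage reported domains against a brand name. It assumes metamask.io is the official domain (not stated on the page), and the function names and thresholds are illustrative.

```python
import re
from collections import Counter

BRAND = "metamask"          # brand label the page's lookalikes imitate
OFFICIAL = {"metamask.io"}  # assumption: the vendor's own domain (not stated on the page)

def refang(indicator):
    """Turn a defanged indicator such as https[:]//host[.]tld into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)
    return s.split("/")[0].split(":")[0]

def edit_distance(a, b):
    """Optimal string alignment distance: an adjacent swap counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def letter_overlap(a, b):
    """Letters shared regardless of order, as a fraction of the longer label."""
    return sum((Counter(a) & Counter(b)).values()) / max(len(a), len(b))

def classify(indicator):
    host = refang(indicator)
    if host in OFFICIAL or any(host.endswith("." + o) for o in OFFICIAL):
        return "official"
    label = host.split(".")[-2] if "." in host else host  # naive: no public-suffix list
    if BRAND in label:
        return "brand-embedded"   # extra words wrapped around the brand name
    if edit_distance(label, BRAND) <= 2:
        return "typo"             # a couple of substitutions or swapped letters
    if len(label) == len(BRAND) and letter_overlap(label, BRAND) >= 0.75:
        return "scrambled"        # mostly the same letters, reordered
    return "unrelated"

if __name__ == "__main__":
    # Domains as the page lists them (defanged), plus two controls added here.
    for ioc in ["maskmeha[.]io", "meramaks[.]io",
                "https[:]//installmetamask[.]com", "metamask.io", "example.com"]:
        print(f"{ioc:35} {classify(ioc)}")
```

A plain edit-distance check alone would miss maskmeha[.]io, which is why the letter-overlap test is included alongside it.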