Azoundria: 30 minutes. This is a duplicate of the case we already have, and will be merged. Integrated significant information from the BleepingComputer article. Integrating information on warning tweet from MetaMask. Integrated tweets from victim dcon18. Found more links as sources. Added information from article update and tweet from Sean Roesner.

2024-04-22T18:01:31Z

30 minutes. This is a duplicate of the case we already have, and will be merged. Integrated significant information from the BleepingComputer article. Integrating information on warning tweet from MetaMask. Integrated tweets from victim dcon18. Found more links as sources. Added information from article update and tweet from Sean Roesner.

Show changes

Azoundria: Created page with "{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/metamaskphishinginstallmetamaskcom.php}} {{Unattributed Sources}} Install MetaMask WebsiteUsers may go to install MetaMask by searching Google and clicking on the top result - a sponsored link which claims to be the MetaMask website. After installing the MetaMask extension and setting up a wallet, any funds sent there would be drained. If they choose to restore..."

2023-07-25T15:18:31Z

Created page with "{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/metamaskphishinginstallmetamaskcom.php}} {{Unattributed Sources}} thumb|Install MetaMask WebsiteUsers may go to install MetaMask by searching Google and clicking on the top result - a sponsored link which claims to be the MetaMask website. After installing the MetaMask extension and setting up a wallet, any funds sent there would be drained. If they choose to restore..."

New page

{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/metamaskphishinginstallmetamaskcom.php}}
{{Unattributed Sources}}

[[File:Installmetamask.jpg|thumb|Install MetaMask Website]]Users may go to install MetaMask by searching Google and clicking on the top result - a sponsored link which claims to be the MetaMask website. After installing the MetaMask extension and setting up a wallet, any funds sent there would be drained. If they choose to restore an existing wallet, all their current funds would also be drained. This is because they installed malware instead of the actual MetaMask extension.

This is a global/international case not involving a specific country.<ref name="newsdotbitcoin-11402" /><ref name="cryptophishingtwitter-11403" /><ref name="diegomazorotwitter-11404" /><ref name="johnnyehltwitter-11405" /><ref name="poloskucingtwitter-11406" /><ref name="davejevanstwitter-11407" />

== About MetaMask ==
"A crypto wallet & gateway to blockchain apps" "Start exploring blockchain application in seconds. Trusted by over 1 million users worldwide."

"[A] fraudulent extension redirects victims to installmetamask.com, which is not an official site of Metamask. Per Whois information, the web domain was registered on November 29, 2020. Ciphertrace found out the first mention in Twitter of the fraudulent domain from a user who asked Metamask team about the site’s authenticity"

"According to an alert published by Ciphertrace, since December 2, 2020, they have been noticing “an uptick of alerts and comments” about crypto funds stolen via a Chrome browser extension posing as the ethereum (ETH)-based wallet Metamask."

"U.S.-based Ciphertrace posted an update on December 3, 2020, detailing that phisher behind Metamask’s fake extension keeps buying sponsored ads on Google, which appear when people search for “metamask” term."

"@Google is allowing a phisher to buy sponsored ads on their search results. When using crypto, try to use direct links, and if you need to use search, watch out for sponsored links."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

* Known history of when and how the service was started.
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.

Don't Include:
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - MetaMask Phishing InstallMetaMask.com
!Date
!Event
!Description
|-
|December 6th, 2020 10:19:00 AM MST
|Site Removed
|The site is blacklisted.
|}

== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

== Total Amount Lost ==
The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== General Prevention Policies ==
Never install a wallet through sponsored ads.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="newsdotbitcoin-11402">[https://news.bitcoin.com/fraudulent-crypto-browser-extension-redirects-to-a-fake-metamask-domain/ Fraudulent Crypto Browser Extension Redirects to a Fake Metamask Domain – News Bitcoin News] (Oct 10, 2022)</ref>

<ref name="cryptophishingtwitter-11403">[https://twitter.com/CryptoPhishing/status/1335634882039586829 @CryptoPhishing Twitter] (Jul 24, 2023)</ref>

<ref name="diegomazorotwitter-11404">[https://twitter.com/diegomazoro/status/1332798029301215232 @diegomazoro Twitter] (Jul 24, 2023)</ref>

<ref name="johnnyehltwitter-11405">[https://twitter.com/johnnyehl/status/1333861716598329355 @johnnyehl Twitter] (Jul 24, 2023)</ref>

<ref name="poloskucingtwitter-11406">[https://twitter.com/polos_kucing/status/1335805555630366725 @polos_kucing Twitter] (Jul 24, 2023)</ref>

<ref name="davejevanstwitter-11407">[https://twitter.com/davejevans/status/1334263010089598977 @davejevans Twitter] (Jul 24, 2023)</ref></references>

MetaMask Phishing InstallMetaMask.com - Revision history