Well-known Ethereum-based crypto wallet provider MetaMask has issued a warning to the crypto community to beware of the ongoing Apple iCloud phishing attacks.
The security issue affects iPhone, Mac, and iPad users since default device settings store a user’s seed phrase or “password-encrypted MetaMask vault” on the iCloud if the user has allowed automatic backups for their app data.
A detailed Twitter thread by MetaMask
Users potentially lose their assets if their Apple password “isn’t strong enough” and an attacker is able to spoof their account details, according to a Twitter thread posted on Monday by MetaMask.
As mentioned by the company, users can fix the problem by turning off their automatic iCloud backups.
🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3
— MetaMask 🦊💙 (@MetaMask) April 17, 2022
The MetaMask warning came in response to reports from an NFT collector known on Twitter as “revive dom,” who reported on Friday that this precise security problem destroyed their whole wallet containing $650,000 worth of digital assets and NFTs.
DAPE NFT project founder “Serpent” — who also helped capture the attention of MetaMask by sharing the news with their 277,000 followers — presented a complete rundown of what happened to the victim in a different thread earlier in the morning.
The target received repeated text messages urging him to reset his Apple ID password, as well as a fake call from Apple that was ultimately a spoofed caller ID, according to them.
“revive dom” gave over a six-digit verification number to establish that they were the owner of the Apple account, despite the fact that they were apparently unaware of the caller. The fraudsters then hung up and used data from his iCloud account to gain access to his MetaMask account. Here are some of the takeaways:
- Always use a cold wallet to store your holdings
- Never give out verification codes to anyone
- Secure your information, don’t give out any sensitive information.
- Caller information is easy to spoof but companies will never call you.
Recently as we reported, MetaMask integrated new crypto custodians, expanding institutional offering.