CPR alerts crypto wallet users of massive search engine phishing campaign that has resulted in at least half a million dollars being stolen

November 4, 2021

By Dikla Barda, Roman Zaikin and Oded Vanunu

Highlights:

  • Check Point Research (CPR) spots multiple events in which crypto wallet users have had their funds stolen, resulting in losses of hundreds of thousands of dollars in the past few days
  • Scam campaign triggered by search engine ads targeting crypto wallet users
  • The campaign uses fake URLs in search engine ads to lure victims, enabling scammers to steal wallet passwords and drain the funds within the wallets
  • Crypto wallet users are advised to refrain from clicking on ads and only use direct, known URLs

In recent weeks, there have been multiple reports about scams in the crypto world, casting focus on how investors need to be cautious to avoid falling victim to attacks that can result in their funds being stolen.
Over the past weekend, Check Point Research (CPR) encountered hundreds of incidents in which crypto investors lost their money while trying to download and install well known crypto wallets or change their currencies on crypto swap platforms like PancakeSwap or Uniswap.
On various online platforms like Reddit and Twitter, users complained about being hacked after clicking on links that led to phishing wallet websites.

The Phantom and MetaMask wallets are the most popular wallets for the Solana and Ethereum ecosystems, offering investors a simple and secure way of interacting with multiple blockchain networks in the ecosystems.
The wallets come with an easily accessible extension that allows users to send and receive cryptocurrencies and tokens, collect NFTs, and even swap tokens within the wallets. Already, Phantom has raised millions from renowned ventures and has over a million users. And MetaMask, according to business insiders, had 545,000 monthly active users in July 2020, a figure that had grown to 10.35 million by August 2021. The popularity of these wallets makes them a prime target for scammers.

Over the past weekend, researchers from CPR spotted multiple phishing websites that looked like the original website, because the scammers copied its design. For the domain “phantom.app”, the Phantom wallet’s official site, we encountered phishing variants like phanton.app or phantonn.app, or even different extensions like “.pw” and more.
What makes this phishing campaign unique is that the scammers are not sending phishing links via email like ‘traditional’ phishing scams. Instead, they are using Google ad campaigns so that their phishing websites appear above the original site whenever anyone searches for the keyword “Phantom”.

By clicking on the ad, the victim is redirected to a phishing website, which looks very similar to the official Phantom wallet site:

When the user clicks on the “Create New Wallet” button, the phishing website generates the following message about a secret recovery phrase:

While the user thinks this is the phrase for their new wallet, it is actually the secret recovery phrase for the attacker’s wallet.
As the next step, the attacker also steals the user’s password:

When the user clicks on the “save and continue” button, this is what they see:

The user is then redirected to the original Phantom website:

Now if the user installs the Chrome wallet extension in their browser and enters the recovery phrase supplied by the attacker, they actually log in to the attacker’s wallet instead of creating a new one. This means that if they transfer any funds, the attacker receives them immediately.
The following screenshot shows that there is a transfer every few hours:

The scammers have even created multiple wallets under the same account:

In every wallet, attackers stole thousands of dollars:

This attack has also been happening with the MetaMask wallet, but in this case the attacker also tries to steal the user’s private key, taking over their existing wallet if they have one, or hands them a recovery phrase that lets the attacker drain any funds transferred.
The attack again starts with a Google ad campaign:

As with Phantom, there is a fake MetaMask site that looks very similar to the official website. When creating a wallet, the user is offered the option to import an existing wallet, and by doing so they hand the scammers their private key, who then steal all of their cryptocurrency.

If the user creates a new wallet instead, the scammer gives the user a recovery phrase that the scammer already knows:

The same method is used as with the Phantom wallet.
Scammers also choose to imitate the crypto swap platforms because of their popularity: according to PancakeSwap and Uniswap, they have more than 5 million active users a month:

There are also multiple hacker groups competing with each other for the same phishing keywords on Google Ads:

Because users do not create a new wallet on these platforms but only connect an existing one, the attackers use a fake MetaMask wallet that they created to steal funds.
The wallet looks like the original MetaMask and even uses MetaMask CSS and HTML files to fool users:

Note that the original MetaMask is an extension and not a Chrome tab as in that screenshot; it looks like this, without a browser title bar or URL:

Here’s a video showing the process:

Crypto users need to stay alert:

We understand that this is very confusing for crypto novices, who often fall for such scams because they are not familiar with the applications they are installing. But such users must keep in mind some important rules:

1. Only the extension should create the passphrase. To tell whether you are looking at an extension or a website, always check the browser URL.

2. The extension shows an extension icon next to it and a chrome-extension:// URL:

3. Users should never give out their passphrase. No one would ever legitimately ask for it; it is used again only when the user is installing a new wallet.

4. When looking for wallets or crypto trading and swapping platforms, always go to the first website in your search results that is not an ad, as these ads may mislead you into being scammed by the attackers.

5. Last but not least – always double-check the URLs!
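As an added, defender-side example that is not part of the Check Point post: a small Python classifier that applies rules 1, 2 and 5 above to URLs, flagging the typosquatted phantom.app variants described earlier (phanton.app, phantonn.app, the .pw extension) and distinguishing a chrome-extension:// origin from an ordinary website; it goes slightly beyond the post by also treating punycode and non-ASCII hosts as lookalikes. The allowlist, the proxy-log lines and the extension ID are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of official wallet hosts; phantom.app is the official
# Phantom site named in the post. Extend with other known-good domains.
OFFICIAL_HOSTS = {"phantom.app"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typos such as phanton/phantonn."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'extension', 'official', 'lookalike' or 'unknown' for a URL."""
    parts = urlsplit(url)
    if parts.scheme == "chrome-extension":
        return "extension"  # the real wallet UI: an extension page, not a website
    host = (parts.hostname or "").lower().rstrip(".")
    if host in OFFICIAL_HOSTS or any(host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "official"
    if not host.isascii() or "xn--" in host:
        return "lookalike"  # coarse heuristic: IDN/homoglyph hosts get a closer look
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    name, tld = labels[-2], labels[-1]  # naive split; fine for these domains
    for good in OFFICIAL_HOSTS:
        good_name, good_tld = good.split(".")[-2:]
        if name == good_name and tld != good_tld:
            return "lookalike"  # same brand under another TLD, e.g. phantom.pw
        if edit_distance(name, good_name) <= 2:
            return "lookalike"  # one or two characters off, e.g. phanton.app
    return "unknown"

# Constructed proxy-log lines in the form "<timestamp> <user> <url>". The
# extension ID is a placeholder, not a real wallet extension's ID.
SAMPLE_LOG = """2021-11-01T10:02:11Z alice https://phanton.app/
2021-11-01T10:05:43Z bob https://phantom.app/download
2021-11-01T10:07:02Z carol https://phantom.pw/wallet
2021-11-01T10:09:55Z dave chrome-extension://placeholderextensionid/popup.html"""

def suspicious_urls(log: str) -> list[str]:
    """Return every URL in the log that classifies as a lookalike domain."""
    return [line.split()[2] for line in log.splitlines()
            if classify(line.split()[2]) == "lookalike"]
```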