MetaMask, a ConsenSys crypto wallet provider, has warned the community about Apple iCloud phishing attacks.
The security issue for iPhone, Mac, and iPad users is related to the default device settings, which store a user’s seed phrase or “password-encrypted MetaMask vault” in iCloud if the user has automatic backups for their app data activated.
In a Twitter thread posted on April 18, MetaMask noted that users are at risk of losing their funds if their Apple password “isn’t strong enough” and an attacker is able to phish their account credentials.
To fix the problem, users can disable automatic iCloud backups for MetaMask as follows:
If you have iCloud backup enabled for app data, this includes your password-encrypted MetaMask vault. If your password isn’t strong enough and someone phishes your iCloud credentials, it could mean stolen funds. (Read more) 1/3
— MetaMask (@MetaMask) April 17, 2022
MetaMask’s warning came in response to reports from an NFT collector known as “revive_dom” on Twitter specified on April 15 that their entire wallet of $650,000 worth of digital assets and NFTs was wiped out by this particular security issue.
In a separate thread, the founder of the DAPE NFT project “Serpent” – who also helped get MetaMask’s attention by sharing the story with her 277,000 followers – gave an overview of what happened to the victim.
They discovered that the victim had received multiple text messages asking them to reset their Apple ID password, along with an alleged call from Apple that ended up being a fake caller ID.
Claiming they were unaware, revive_dom provided a six-digit verification code to prove they were the Apple account owner. The scammers then hung up and accessed his MetaMask account via data stored in iCloud.
The central theses
– ALWAYS use a cold wallet to store your valuables
– Never give out verification codes to ANYONE
– Protect your data, do not give out your phone number or your personal email address
– Caller information is easy to fake. Companies like Apple will never call you
— snake (@snake) April 17, 2022
Related: MetaMask expands the institutional offering by integrating new crypto custodians
After MetaMask posted the warning today, “revive_dom” expressed his frustration with the company by noting that:
“I’m not saying they shouldn’t, but they should tell us. Don’t tell us never to digitally store our seed phrase and then do it behind our back. If 90% of people knew, I bet none of them would have activated the app or iCloud.”
While most community responses were supportive, others were quick to emphasize the importance of using cold storage and taking great care when storing assets in a hot wallet.
https://cointelegraph.com/news/metamask-warns-apple-users-over-icloud-phishing-attacks MetaMask warns Apple users about iCloud phishing attacks