Recently we observed a phishing attempt against users of the crypto wallet MetaMask.
This is an example of the SMS received by users who were targeted by the attack:
Human psychology is such that a significant number of users receiving this SMS are likely to click on it and mistake the phishing website for the real one.
Statistically, the attackers know that a percentage of users will fall for this trap. But what about technology? Can security software prevent this type of attack?
We tested this case against a number of cyber security tools to see what would happen.
The first test, on the metamask[-]mobile[.]io URL, was performed at 1:50pm HKT on 24 Feb 2022, around the time the attack actually took place.
At the time of the attack, this phishing website was not listed as malicious by any of the security software databases and threat intelligence sites we checked:
Live case study: the attacker can update their attack strategy much FASTER than any cyber security software can update its blacklists
A few days later, a new attack was sent with a new URL: verified[-]metamask[.]o. We performed the same test within a few hours of the attack being launched, only to find that the security risk had not only persisted but had actually increased. With the new link, NONE of the tested software and blacklist-based filter systems was able to detect the website as malicious, as shown in the screenshots below. These screenshots are all dated March 2, 2022.
Why does traditional cyber security fail to prevent this attack?
According to our test, a significant proportion of cyber security tools (4 out of 6) are unable to stop this type of attack. The reason for this is actually quite simple and straightforward.
Most traditional cyber security software works on the blacklisting principle: the software blocks attempts to connect to IPs that are included in its blacklist. This implies that, if the vendor has not yet added a given IP to the blacklist, the communication will not be stopped. A freshly registered phishing domain is, by definition, not on anyone's list yet.
Whitelisting works on a very different basis: if the user does not know a certain website and has not authorized it among their whitelisted websites, the action is stopped, or a warning is shown to the user. For a MetaMask user, the real MetaMask website would be in their whitelist, so even if they clicked on the malicious link they would be warned that this was an unsafe website.
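The difference between the two models, as an added illustration that is not code from the original post or from any of the tested products: a blacklist filter only blocks hosts already in its feed, so the second domain from this case study passes straight through, while a whitelist filter stops every unknown host and flags a lookalike of a trusted brand. The feed contents, the trusted hosts and the brand keyword are constructed assumptions; the two phishing domains are the ones this post reports (the second exactly as written above, refanged only so it can be parsed).

```python
from urllib.parse import urlsplit

# Constructed: a vendor feed that has caught up with the first wave only.
BLACKLIST = {"metamask-mobile.io"}
# Constructed: the few sites this user has explicitly trusted.
WHITELIST = {"metamask.io", "app.uniswap.org"}
# Constructed: brand names whose appearance in an unknown host is suspicious.
BRAND_KEYWORDS = {"metamask"}


def host_of(url: str) -> str:
    """Return the lowercase host of a URL, ignoring scheme, port, path and
    any user@ prefix (so "https://metamask.io@evil.example/" yields
    "evil.example", not the trusted brand)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def _matches(host: str, domains: set) -> bool:
    # Exact match or a subdomain of a listed domain; plain substring
    # matching would let "metamask.io.evil.example" through.
    return any(host == d or host.endswith("." + d) for d in domains)


def blacklist_decision(url: str) -> str:
    """Blacklist model: block only what the feed already knows; allow the rest."""
    return "block" if _matches(host_of(url), BLACKLIST) else "allow"


def whitelist_decision(url: str) -> str:
    """Whitelist model: allow only trusted hosts; stop everything else,
    with a stronger warning when an unknown host borrows a trusted brand name."""
    host = host_of(url)
    if _matches(host, WHITELIST):
        return "allow"
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "warn-lookalike"
    return "warn-unknown"


if __name__ == "__main__":
    # The two URLs from this case study, plus the genuine site for comparison.
    for url in ("https://metamask-mobile.io/", "https://verified-metamask.o/",
                "https://metamask.io/"):
        print(f"{url:35} blacklist={blacklist_decision(url):6} "
              f"whitelist={whitelist_decision(url)}")
```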
How it works (video)