Affected Sites
Sites we know have been affected so far include:
BTC Manager
Games Workshop
Trakt TV (unresolved at the time of this writing)
If you’re a user of any of those sites and MetaMask, and have noticed you recently lost some funds, please contact MetaMask Support immediately.
The affected sites appear to all use Cloudflare to configure their DNS settings, and this appears to be where the attacker is redirecting the sites to their own imposter sites. Since this has affected multiple sites, if you are using Cloudflare, you should be extra vigilant. Some of the sites had 2FA for all of their users, but the settings were updated by API using their global API key.
That’s right, from what we can tell, Cloudflare only has one level of API access, it is global and absolute, gives total permission over all configuration, including DNS settings, and this key is shared with every plugin you add to your Cloudflare account. That would mean installing a plugin on Cloudflare is like giving that plugin’s author permission to redirect your site to whatever they’d like.
As a security conscious team, this is terrifying, and we would advise any web masters to move off of Cloudflare until more granular API permissions are provided. At the very least, minimize the addons that you use on your site.
Source:
https://medium.com/metamask/new-phishing-strategy-becoming-common-1b1123837168
