Bitcoin Forum
Author Topic: Another malicious browser extension is advertised on Google search  (Read 93 times)
MusaMohamed (OP)
December 05, 2020, 05:29:29 AM
 #1

In crypto, phishing attempts are around us every day and Google has a very bad reputation for the way they sell their advertisements and search engine for projects. They don't do investigations, or do them very badly, and no matter how they do that, in the end they allow many scam projects and phishing sites to appear at the top of Google search results.

The latest attack on Metamask with a malicious phishing web browser is one of those. This one can cause serious losses for crypto investors, especially in days when people are still crazy about DeFi tokens. Metamask is one of the most common gates to join the DeFi space.

As I am writing this topic, Google still has not shut it down. You can check and see that malicious extension at the top of the search results, in the Ad area.

The official site of MetaMask is: https://metamask.io/


ALERT: Malicious Crypto Browser Extension—Masked MetaMask
https://twitter.com/ciphertrace/status/1334857643337379841

The article from CipherTrace gave some warnings and details
Quote
UPDATE: 12/03/2020
The MetaMask phisher continues to buy sponsored ads on MetaMask search results. The company urges users to “use direct links, and if you need to use search, watch out for sponsored links!”

Sponsored ads for the fraudulent maskmeha[.]io seem to have been displaced by meramaks[.]io


Quote
12/02/2020

Within the past 24 hours, CipherTrace has noticed an uptick of alerts and comments within the online cryptocurrency community of users’ funds being stolen via a Chrome browser extension phishing attack posing as cryptocurrency wallet and browser extension MetaMask. The fraudulent browser extension is directing information to maskmeha[.]io, which then subsequently redirects to https[:]//installmetamask[.]com.


Whois Information for https[:]//installmetamask[.]com

First Seen Date: 11/26/20

Thumbprint: a7f5485707f9ff4dbb3bc75bf78e6029ea5add58

IPs:

172[.]67[.]203[.]220
104[.]27[.]160[.]92

104[.]27[.]161[.]92

Registrar:

Date: 11/29/20

Name: NameCheap, Inc.


VirusTotal currently has this domain flagged with a 0 score and its creation day at 7 days ago. Inspecting this domain further, we found that the domain had been mentioned in a Tweet on November 28, 2020 by Twitter user @dmazorosete who sought a response from MetaMask regarding the potentially fraudulent site.

Quote
$WHALE Community on Medium published a post ~18 hours ago instructing users to send $WHALE funds to MetaMask and referenced the https[:]//installmetamask[.]com domain as the MetaMask wallet download page.

The page for the phishing site mirrors the actual MetaMask site quite well, as seen below.


Paycoinzzz
December 05, 2020, 05:57:10 AM
 #2

Yes, I have seen this news since last night and I thought this was just a mistake on the part of Google and that they would terminate these advertising contracts soon. But it is unexpected that now, when searching Metamask, in the first section there is still another scam site called Maskmefa.io.
During this period of time, when Google has not yet spoken up about this incident, we should be very careful in searching on Google. Or we can use another browser like Brave, Opera or Firefox to keep our assets and information safe.
Maxstl007
December 05, 2020, 06:01:26 AM
 #3

While using the Google search engine we need to be careful with any search results that start with "Ad"; it means that it's an ad link which might be fake, malicious or real. I don't want to try to find out, because scammers are capable of anything today.
Rowenta
December 05, 2020, 06:07:45 AM
 #4

My Avast antivirus warns me about unsafe links when browsing the net. I'm surprised it even knew that maskmefa.io is fake; it avoids the link and marks only metamask.io, which is the original link.

We should learn to avoid ad links because they aren't official links to a website or items.

MusaMohamed (OP)
December 05, 2020, 06:41:28 AM
 #5

Quote from: Paycoinzzz
Yes, I have seen this news since last night and I thought this was just a mistake on the part of Google and that they would terminate these advertising contracts soon. But it is unexpected that now, when searching Metamask, in the first section there is still another scam site called Maskmefa.io.
During this period of time, when Google has not yet spoken up about this incident, we should be very careful in searching on Google. Or we can use another browser like Brave, Opera or Firefox to keep our assets and information safe.

There are many search engines: Google, DuckDuckGo (with Tor browser), Bing, etc., and you don't have to bind yourself to Google if you want to search for something. Google owns a big search engine but they are greedy and want to use it for selling their ads (just to get money). They don't care about their users (safety, security, and financial issues).

With some crypto sites (exchanges, wallets, marketcaps) you can be safer if you remember their domain names. If you have a bad memory, please save their domain names to your sheet or bookmark them in the browser you are using every day.

Quote from: Rowenta
We should learn to avoid ad links because they aren't official links to a website or items.

Save domain names and only visit official sites to get wallets, extensions, upgrades. Don't search if you need upgrades.

Quote from: Maxstl007
While using the Google search engine we need to be careful with any search results that start with "Ad"; it means that it's an ad link which might be fake, malicious or real. I don't want to try to find out, because scammers are capable of anything today.

It is quite a big surprise to see that this problem has never been taken into serious consideration by Google. It is their platform, their engine, and you can set up a strong filter to prevent those malicious ads.

Phoenix_PROG
December 05, 2020, 07:36:09 AM
 #6

I don't click on any ads through Google search and I suggest people do the same. We are now in a time where phishing software and scam tools can be advertised through Google, and the Google team don't have time to do analysis on the ads; their own is getting paid for the ads, no screening or any research. Honestly, the Google team are getting lazy these days.
Psynthax
December 05, 2020, 08:53:14 AM
 #7

Maybe we really need a browser that focuses on security and disregards any of these unnecessary extensions? In the past there was an extension that automatically swapped our crypto address every time we pasted our address into the address input in an online wallet, and now it's a phishing site.

It seems our browsers just aren't safe anymore, although only some people are going to make the mistake of installing everything that's on the internet.

Cameron1Love
December 05, 2020, 11:16:16 AM
 #8

I don't really understand why they can approve that kind of scam. I guess Google also doesn't know about that thing, and some hackers can make advertisements that Google doesn't know are scams. So if Google really doesn't know this, how do we avoid it if we are on the scammers' bait? It's really creepy once newbies click that or join.
masterrex
December 05, 2020, 12:22:38 PM
 #9

Does Google check the content of its advertisers? If yes, then why does this kind of problem still persist? All users must take extra precautions when visiting Google, because they don't check whether its advertisers are legit or scams. That's why I have not used Google for a long time already. Because of these problems, it's all about money and greed and they don't care about their users. For the best interest, use Brave instead; it's safer compared to Google.
bittreo
December 05, 2020, 01:15:47 PM
 #10

This is really sad. Newbies can be easily trapped. That's why I prefer bookmarking all important wallets' websites along with exchange sites and opening them only via the bookmark bar. I have also started accessing my local banks' websites via bookmark tabs only.
InwardContour
December 05, 2020, 01:48:11 PM
 #11

Scammers keep cloning metamask and other crypto websites, and even creating fake apps for crypto projects. This is all the more reason why I bookmark official websites that I use often; I don't click random links. It's very important to be keen and thoroughly crosscheck any website or app we download, to avoid a hack. The fakes like meramask.io can be spotted easily if you check properly before clicking; however, sometimes scammers play on our intelligence by replacing capital i (I) with small L (l). In this case both look similar but are different when applied to domain names. OP, thanks for pointing this out; at least it will create more awareness for safety.
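
The check the posts above ask for (compare a link against your bookmarked official domains and treat near-misses as suspect), as an added example that is not part of any post in this thread. The allowlist, the small confusable-character table, the two-label site rule and the threshold of 2 are assumptions chosen for the domain names quoted in the thread.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: your own allowlist of bookmarked official domains.
OFFICIAL = {"metamask.io"}
# Constructed, non-exhaustive fold of characters that imitate "i" and "o".
FOLD = str.maketrans("l1|0", "iiio")

def host_of(url):
    """Refang a defanged indicator and return its lower-case hostname."""
    url = url.strip().replace("[.]", ".").replace("[:]", ":")
    if "//" not in url:
        url = "//" + url          # let urlsplit treat a bare name as a host
    return (urlsplit(url).hostname or "").rstrip(".")

def site_of(host):
    """Last two labels. Assumption: fine for .io/.com, wrong for co.uk-style suffixes."""
    return ".".join(host.split(".")[-2:])

def bag_distance(a, b):
    """Count letters that differ regardless of order, so shuffled names still match."""
    ca, cb = Counter(a), Counter(b)
    return max(sum((ca - cb).values()), sum((cb - ca).values()))

def classify(url, official=OFFICIAL):
    host = host_of(url)
    site = site_of(host)
    if site in official:
        return "official"
    folded_host = host.translate(FOLD)
    name = site.split(".")[0].translate(FOLD)
    for good in sorted(official):
        brand = good.split(".")[0].translate(FOLD)
        # Brand embedded anywhere in the host, or nearly the same letters.
        if brand in folded_host or bag_distance(name, brand) <= 2:
            return "lookalike of " + good
    return "unrelated"

if __name__ == "__main__":
    # Names quoted in the thread, plus one constructed l-for-i case.
    for u in ["https://metamask.io/", "maskmeha[.]io", "meramaks[.]io",
              "https[:]//installmetamask[.]com", "Maskmefa.io", "meramask.io"]:
        print(u, "->", classify(u))
    print(classify("colnsite.example", {"coinsite.example"}))
```

The letter-bag comparison is what catches the shuffled names from the thread, which plain edit distance scores as far apart; on short brand names it will also flag innocent domains, so treat a "lookalike" result as a prompt to stop and check, not as proof.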
gwdf1
December 05, 2020, 08:24:01 PM
 #12

Google would really do well to check phishing links. Although can other browsers 100% protect against phishing? Plus the coronavirus pandemic has increased opportunities for online fraud.