MetaMask, a cryptocurrency wallet provider, is warning customers about a new scam known as ‘Address Poisoning’. This scam involves tricking users into sending money to scammers rather than to the intended recipients.
MetaMask users can send and receive cryptocurrency. It appears in their wallet transaction list. You can click on the transaction to see more information, such as the token and the amount received or sent, along with a brief form of the address for the third party.
Below are two examples of addresses that can be used in MetaMask crypto transactions.
From: 0x242...54b7 To: 0x242...54b7
Although both wallet addresses appear identical in the short form they may be totally different and confusing MetaMask users.
MetaMask transaction fraud by scammers
MetaMask’s developers have posted a warning about a scam known as “Address Poisoning” that involves poisoning the wallet’s transaction history using scammers’ addresses very similar to those of users who recently made transactions.
A threat actor watches the blockchain to see if there are any new transactions that could be used for the fraud.
Once they have selected a target address, they can use a vanity adres creator to create an identical address, or almost, to the address in question.
Noting that it can take less than a minute to create an address matching a target address’s prefix / suffix, is important. Targeting both addresses will require much longer, possibly too long, to create.
A threat actor sends the target sender a small amount cryptocurrency or a $0 transaction from the new address. This transaction will appear in the sender’s wallet history.
It looks as though it is from the same threat actor, since the address of the threat actor matches a user’s transaction history.
The attacker uses a copycat address to create multiple transactions that appear to be from the same address, but actually are using separate addresses.
In this scenario, the attacker hopes that if a user wants to send cryptocurrency to someone else they have sent, they can find the latest transaction which is in this instance from the attacker and then send the crypto to his address.
Even for small amounts of money, an attacker must still pay additional fees known as gas to complete a transaction. The transaction will be registered on the Blockchain.
The threat actors will however, invest in this scam to get a larger payment.
MetaMask warns users that there is no way to prevent malicious transactions occurring on the Blockchain.
It is important to remember that clicking on the MetaMask transaction short-form address copies it to the keyboard automatically without showing it, as illustrated in the mockup.
Instead search for valid transactions in your transaction record and then grab the complete address using a Blockchain Explorer like .
MetaMask recommends that you also use the built-in address book feature under ‘Settings-Contacts’ in order to store known valid cryptocurrency addresses for services or people you frequently send transactions.
MetaMask may be able to prevent such attacks by creating a new option which forces you to display complete Send and To addresses in your transaction history.
However, Ethereum addresses can be very long at 66 characters. This could cause problems in user interface design.