Metamask warns against new scam “Address Poisoning”
Warning about “Address Poisoning”
Metamask, a major wallet for crypto assets (virtual currency), warned users on the 12th that a new scam called “address poisoning” had occurred.
A new scam called ‘Address Poisoning' is on the rise. Here's how it works: after you send a normal transaction, the scammer sends a $0 token txn, ‘poisoning' the txn history. (1/3)
— MetaMask Support (@MetaMaskSupport) January 11, 2023
Here's how it works.
First, criminals track transactions of target users through “address poisoning” and create fraudulent wallet addresses with strings similar to recipient addresses recorded in the transaction history.
Criminals then transfer a tiny amount of tokens from the fraudulent address to the target's wallet. This transaction will then be recorded in the target user's transaction history.
Unauthorized exploitation is established when a user misidentifies a fraudulent “fake address” recorded in the wallet transaction history as a “real address” and copies and pastes the “fake address” to remit.
Relation: What is “MetaMask” | Virtual currency wallet used by over 20 million people per month
What is Metamask
Ethereum (ETH) cryptocurrency wallet. We provide services with mobile apps and web browser extensions, and you can manage and send and receive virtual currency. It is also a standard wallet used in DeFi (decentralized finance) and dApps (decentralized applications) such as games.
Aim for copy and paste functionality
In order to increase convenience, Metamask allows you to copy and paste the wallet address of the transaction history with one click, which is why many users use it.
Many Web3 applications are preparing such a function because the copy and paste function can prevent typos and send money, but this “address poisoning” is a form of abuse of this specification.
Criminal-generated “fake wallet addresses” often resemble the real address by the first and last “few characters”.
Wallet addresses for crypto assets (virtual currencies) such as Ethereum are very long, so when copying and pasting, users often check “only the first and last few characters” to determine if they are correct. It can be said that it is a trick.
How to avoid being victimized
MetaMask's warning announcement also provides advice on how to avoid falling victim to such “address poisoning.”
First, he recommended avoiding copying addresses from transaction history, and when copying and pasting, he recommended checking for differences in the entire address, not just the beginning and end. It's difficult to see it visually, so there seems to be a way to check if the copied wallet address is an “exact match” by searching on the page with “Command + F”.
At that time, it is safer to check not only the transaction history in the cryptocurrency wallet such as Metamask, but also the history displayed in the transaction explorer.
He also went on to say that both the destination address and the user's own address should be verified.
In addition, registering frequently used addresses in Metamask's “address book”, making a small test remittance at first, and using a hardware wallet are listed. Regarding hardware wallets, he explained that although fraud cannot be completely prevented, it is possible to make it a habit to check the destination address.