warning about a new type of fraud, hitting the subjectivity of users through the simple operation of copying the wallet address.

Warning about scam "poisoning addresses"

On January 12, MetaMask issued a warning about a new form of asset theft called "address poisoning", which describes how scammers have taken advantage of the haste and carelessness of users. when transferring money but copying the wrong wallet address. 

Wallet addresses are long hexadecimal numbers and are difficult to remember. It is usually shortened and shows only the first and last few characters. Today's wallet providers, including MetaMask, have a "copy address" feature via a double click. And this is also the "critical weakness" targeted by the attacker.

An asset theft by "address poisoning" would go like this:

  1. User A performs normal transactions for User B, which is known to attacker C through on-chain transaction data.
  2. Attacker C then uses an address generator to generate an address that closely matches (matches the first and last characters) to user B's address.
  3. Next, attacker C will perform a $0 transaction between user A's address and his own. This leads to the name of the incident "address poisoning", because address C will now be cached by user A, creating the belief that it is address B because the terminal characters are similar.
  4. User A unconsciously, unnoticed can copy the wrong address and lead to the transfer of funds to attacker C.
Read more  These are the altcoins that whales are accumulating

This form of fraud is considered "quite harmless" compared to other traditional scams, when hackers try to attack a secure system, or cheat to get a user's private key.

MetaMask, the wallet platform that has reported address poisoning incidents, has issued a warning after more than two months a Twitter user started providing information about this new type of scam. Therefore, many people criticized MetaMask for being too late in announcing the incident. 

In the warning, MetaMask prompts the user:

“Develop the habit of thoroughly checking every character of the address before you confirm a transaction. This is the only way to be absolutely certain that you are sending to the correct address.”

In addition, some other defense methods such as not using transaction history to copy addresses, whitelisting frequently traded addresses, and using experimental transactions, especially when transferring large amount.

Wallet app MetaMask faced backlash from the community after updating its data retention policy late last year. Accordingly, ConsenSys, the unit behind MetaMask, will collect IP data and MetaMask wallet addresses of users. However, the company quickly adjusted and said it would only save the data for 7 days.