Cryptocurrency ad network Coinzilla unwittingly distributed a MetaMask phishing scam across three major sites on Friday in an apparent hack. Coinzilla told Protos they have not been made aware of anyone falling for the scam, but that “new measures” would be implemented to prevent further attacks.
A Bored Ape Yacht Club (BAYC) pop-up advert appeared on CoinGecko, Etherscan, and DEXTools for approximately one hour, Coinzilla claimed. Visitors were prompted to connect their MetaMask wallet in order to participate in an NFT giveaway.
If successful, the phishing scam would drain the connected MetaMask wallet of wrapped-Ethereum (wETH).
- Asked visitors to connect their MetaMask wallet to take part in a giveaway,
- told them they had won a free BAYC NFT,
- and then urged the user to sign the message and approve access to the wallet to receive the NFT.
To pull off the attack, an unidentified hacker or group of hackers purchased a banner ad campaign on Coinzilla to promote an affiliate link for BC.game, one of its biggest clients.
Malicious code added to the banner then prompted the three websites to display the BAYC pop-up ad which asked for viewers’ MetaMask wallet.
Coinzilla says new measures will prevent another MetaMask phishing scam
Coinzilla distributes adverts to more than 600 crypto sites, including crypto exchange Crypto.com, blockchain explorer BSCscan, and news outlet CryptoPotato.
In a statement released in response to the attack, Coinzilla said its team pulled all banner adverts from the network for manual review and quickly discovered the source of the attack was not BC.game.
Speaking to Protos, Coinzilla general manager Stefan Lufta explained that the hack infiltrated web browsers without commandeering the sites that the pop-ups appeared on.
“It was just a coordinated attack by some people that took advantage of a vulnerability on browser level.”
“NO CODE has been injected on the publisher website, they just had the chance to control [the browser] for a small period,” Lufta said in an email (his emphasis).
Lufta added he was grateful for the quick response from the community and newly implemented measures will prevent future similar attacks.
“It was an unfortunate event but all the new measures we took now makes it impossible for other attacks like this to happen,” he said (his emphasis).
In any case, recent BAYC NFT phishing scams have been incredibly lucrative for scammers. In March, BAYC fans lost around $160,000 worth of NFTs in an Ape Coin airdrop scam. Last month, scammers walked away with 24 Bored Apes and 30 Mutant Apes worth millions of dollars, in a scam that promised free land in Yuga Lab’s metaverse.