Email Attacks

Phishing: [MetaMask] New Device Confirmation

Your account and your wallet have been temporarily blocked to prevent you from losing your assets. Download the attached file to re-activate your wallet.

Attcking email

Complete Email

From: MetaMask <noreply@ncste.kz>
Subject: [MetaMask] New Device Confirmation
Attachments: RemovedDevice.html (86.19 KB)

Email Body

We noticed an attempted login to your Metamask from a location you have not used before, we want to verify that this was indeed you.
To assist you with reactivating your wallet, we have provided detailed instructions in the attached file

Your account and your wallet have been temporarily blocked to prevent you from losing your assets.

How can I recover my account?
Download the attached file to re-activate your wallet.
After completing the process, enable Two-Factor Authentication.

© 2024 MetaMask. All rights reserved.

Red Flags

This email shows several warning signs that it is likely a phishing attempt, designed to compromise your MetaMask wallet and potentially steal your assets. Here’s an analysis of the suspicious aspects of the email:

1. Suspicious Sender Domain

  • From Address: The email claims to be from MetaMask but is sent from noreply@ncste.kz, which is a .kz domain for Kazakhstan. Official MetaMask communications would come from a domain affiliated with MetaMask or ConsenSys (the company behind MetaMask), such as @metamask.io or @consensys.net.

2. Use of an Attachment

  • Attachment: Phishing emails commonly include attachments (e.g., RemovedDevice.html) that prompt users to enter sensitive information on a fake page. MetaMask would never ask users to download an HTML file to recover their accounts. Instead, legitimate wallet recovery is handled within the app or on their official website.

3. Vague Language and Immediate Call to Action

  • "New Device Confirmation" and Account Blocked Message: The email uses alarming language, claiming that your account is temporarily blocked and urging you to recover your account immediately. Scammers use these tactics to make recipients act without thinking.
  • Download Instructions: MetaMask would never ask you to download a file to restore access to your wallet. Legitimate wallet recovery involves using a seed phrase (recovery phrase) within the official MetaMask app, not an HTML file.

4. Generic Security Advice

  • Two-Factor Authentication (2FA): While enabling 2FA is good practice, MetaMask doesn’t offer 2FA on wallet access, as it’s a decentralized wallet that relies on the seed phrase and private keys. This mention is another indicator of a phishing attempt.

Recommendations:

  1. Do Not Download or Open the Attachment: Opening the attached HTML file could expose you to a fake MetaMask login page designed to steal your seed phrase or other credentials.
  2. Do Not Respond: Avoid replying to this email, as this could confirm your email address to scammers.
  3. Log in Directly to MetaMask: If you’re concerned about your account security, open the official MetaMask app or go directly to metamask.io. Check for any suspicious activity there.
  4. Report and Delete: Mark the email as phishing in your email client to help protect others from similar attempts.

Conclusion:

This email is highly likely to be a phishing attempt. The strange sender domain, attachment with instructions to “reactivate” your wallet, and suspicious instructions make it clear this is not from MetaMask. To secure your wallet, only use the official MetaMask app and be vigilant against phishing scams like this one.