MetaMask notified the cryptocurrency community of a new type of scam called “address poisoning”. Recent Posts.
This scam was rated as “harmless compared to other types of scams.” However, the company warns that address poisoning can trick unsuspecting users into losing their funds.
“address poisoning is an attack vector that, in contrast to other scams, often uses methods such as unlimited token authorization, phishing for secret recovery phrases, etc., which are very useful to many scammers. Relies above all on user carelessness and haste”
How “address poisoning” works
Address poisoning focuses on wallet addresses being long hexadecimal numbers that are hard to remember and easy to mistake for other similar addresses.
Encrypted addresses are often abbreviated to show the first few characters, a space, and the last few characters. Scammers exploit the tendency to trust the familiarity of the first and last few letters.
When trading, the usual routine consists of copying and pasting addresses. Many wallet providers, including MetaMask, have one-click functionality for copying addresses.
Address poisoning takes advantage of the user’s carelessness at this point in the transaction process. Specifically, scammers observe and track transactions of specific tokens and target stablecoins in general. The scammer then uses a “vanity” address generator to create an address that closely matches the target’s address, especially the first and last few characters.
Scammers send small transactions from newly generated addresses to targeted addresses. At this point, the latter becomes poisonous.
In the future, when users want to send transactions, they may accidentally copy the wrong address based on how familiar the first and last few characters are. Once executed, the funds are handed over to the crooks.
“And since on-chain transactions like this are immutable (once confirmed, they cannot be changed), lost funds cannot be recovered.”
Explains how Metamask keeps you safe
Unfortunately, the nature of public blockchains allows anyone, including fraudsters, to send transactions to any address they choose.
MetaMask reiterated the importance of checking all address characters, not just the first and last few characters, when sending funds.
“Let’s get into the habit of checking thoroughly” all characters of the address before submitting the transaction. That’s the only way to be absolutely sure you’re sending to the correct location. ”
Other strategies to avoid falling victim to address poisoning include not copying addresses using transaction history, whitelisting frequently used addresses to avoid copy and paste altogether, and paying especially large sums. For example, use a test transaction when sending money.