Scammers monitor every tweet that asks for support with MetaMask, TrustWallet and other popular crypto wallets, and reply to them with scam links within seconds.
To carry out these targeted phishing attacks, the scammers abuse Twitter APIs that let them monitor all public tweets for specific keywords or phrases.
When those phrases appear, the same programs direct scammer-controlled Twitter bots to reply automatically, posing as support agents, with links to scams that steal cryptocurrency wallets.
These attacks are nothing new, and a report on them was made in May. However, they have since spread to other cryptocurrencies, and the scams remain rampant.
The anatomy of the Twitter crypto scam
In tests conducted by BleepingComputer, tweets containing the words "support" or "help" along with keywords such as "MetaMask", "Phantom", "Yoroi" and "Trust Wallet" draw almost instant replies from Twitter bots offering fake support forms or accounts.
Other keywords, such as wallet names and the word "stolen", have mixed results.
BleepingComputer's first test of these cryptocurrency scam bots was to pack a tweet with many keywords and see what happened.
Further tests then tried to narrow down which keywords trigger the bots' responses.
Within seconds of the publication of our tests, we received replies from many scam accounts pretending to be MetaMask and TrustWallet support accounts, "previous victims" or helpful users.
All of the scam replies share one goal: to steal the recovery phrase for a victim's wallet, which the attackers can use to import the wallet onto their own devices.
To steal recovery phrases, the attackers set up support forms on Google Docs and other cloud platforms.
These forms imitate a basic support form, asking the user for their email address, the problem they are facing and their wallet's recovery phrase, as shown by the fake MetaMask support form below.
When they ask for the recovery phrase, they include nonsensical wording about it being processed by an "encrypted cloud bot", possibly to persuade the user to submit the sensitive information.
Once the recovery phrase is sent to the attackers, the game is over: they have full access to the cryptocurrency in your wallet and can transfer it to other wallets they control.
It is tempting to assume that no one falls for these scams, but unfortunately that is untrue: many Twitter users have had their wallets, cryptocurrency and NFTs stolen.
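The traits described above (a reply arriving within seconds, an account posing as wallet support, a link to a hosted form, a request for the recovery phrase) can be combined into a simple triage check for replies to a support tweet. The Python below is an added example, not code from BleepingComputer or any wallet vendor; the brand list, form hosts, 60-second window, allowlisted handle and sample replies are all assumptions made for this sketch.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed values for this sketch; none of them come from the article.
BRANDS = ("metamask", "trustwallet", "trust wallet", "phantom", "yoroi")
FORM_HOSTS = ("docs.google.com", "forms.gle")      # form hosts to flag
OFFICIAL_HANDLES = {"example_official_support"}    # placeholder allowlist
FAST_REPLY_SECONDS = 60                            # "within seconds" window
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
PHRASE = re.compile(r"\b(recovery|seed|secret)\s+phrase\b", re.I)

@dataclass
class Reply:
    handle: str
    display_name: str
    text: str
    seconds_after_tweet: float

def scam_signals(reply: Reply) -> list[str]:
    """Return the names of the scam indicators this reply matches."""
    if reply.handle.lower() in OFFICIAL_HANDLES:
        return []
    signals = []
    name = reply.display_name.lower()
    if "support" in name or any(b in name for b in BRANDS):
        signals.append("impersonates_support")
    hosts = [h.lower() for h in URL_HOST.findall(reply.text)]
    if any(h == f or h.endswith("." + f) for h in hosts for f in FORM_HOSTS):
        signals.append("links_to_form")
    if reply.seconds_after_tweet <= FAST_REPLY_SECONDS:
        signals.append("near_instant_reply")
    if PHRASE.search(reply.text):
        signals.append("mentions_recovery_phrase")
    return signals

def is_likely_scam(reply: Reply, threshold: int = 2) -> bool:
    """Flag a reply once at least `threshold` independent signals agree."""
    return len(scam_signals(reply)) >= threshold

# Constructed sample replies to a tweet asking for wallet support.
SAMPLES = [
    Reply("mm_help_desk_01", "MetaMask Support",
          "Sorry about that. Fill in https://docs.google.com/forms/d/e/EXAMPLE/viewform", 4),
    Reply("bob", "Bob", "Have you tried reinstalling the extension?", 20),
    Reply("alice", "Alice", "Same thing happened to me, hope it gets sorted.", 5400),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.handle, is_likely_scam(r), scam_signals(r))
```

Requiring two signals keeps a quick but genuine reply from being flagged on speed alone.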
Never share recovery phrases!
As a general rule, you should never share your wallet recovery phrase with anyone. The recovery phrase is just for you and no legitimate support person from MetaMask, TrustWallet or anywhere else will ask for it.
It is also important never to share your screen with an untrusted user who then asks you to display your recovery phrase. At that point, they can simply take a screenshot and use it in their attacks.
Ultimately, these attacks will continue unless Twitter finds a way to stop these bots from running unchecked, restricts the use of specific keywords, or imposes stricter controls on who can register on its developer platform.
Source of information: bleepingcomputer.com