{"id":14014,"date":"2026-07-02T04:04:11","date_gmt":"2026-07-02T04:04:11","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/02\/33118\/"},"modified":"2026-07-02T04:04:11","modified_gmt":"2026-07-02T04:04:11","slug":"33118","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/02\/33118\/","title":{"rendered":"Why Ask Credentials If There Are Secret Codes?, (Wed, Jul 1st)"},"content":{"rendered":"\n<div>Why Ask Credentials If There Are Secret Codes?, (Wed, Jul 1st)<\/div>\n<div>\n<p>This morning, an interesting phishing email hit my mailbox. It targets Metamask[<a href=\"https:\/\/metamask.io\/\">1<\/a>], a cryptocurrency wallet, available as a browser extension and a mobile app, that lets users store, send, and receive crypto money. It\u2019s pretty popular, so a juicy target for criminals. In February, I already mentioned a campaign against them[<a href=\"https:\/\/isc.sans.edu\/diary\/Fake+Incident+Report+Used+in+Phishing+Campaign\/32722\">2<\/a>].<\/p>\n<p>Today\u2019s email was different and used another approach. Most services that we use daily ask us to implement a second authentication factor. That makes simple credentials useless if you can\u2019t interact with the victim and grab the temporary token, code, or similar.<\/p>\n<p>But most services also offer a \u201cpassword recovery\u201d process. In the case of Metamask, it\u2019s based on your secret security phrase that you created during the account creation process[<a href=\"https:\/\/support.metamask.io\/configure\/wallet\/how-can-i-reset-my-password\/\">3<\/a>]. That\u2019s exactly the target of this phishing campaign. 
They ask you to provide this secret phrase.<\/p>\n<p>First, they put some pressure on you, pretending that your wallet is at risk:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260701-1.png?ssl=1\" style=\"width: 800px; height: 590px;\"><\/p>\n<p>Then, they ask you to provide your secret phrase:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260701-2.png?ssl=1\" style=\"width: 800px; height: 809px;\"><\/p>\n<p>The campaign relies on the domain captchasolve[.]help, which was registered two days ago.<\/p>\n<p>[1] <a href=\"https:\/\/metamask.io\/\">https:\/\/metamask.io<\/a><br \/>\n[2] <a href=\"https:\/\/isc.sans.edu\/diary\/Fake+Incident+Report+Used+in+Phishing+Campaign\/32722\">https:\/\/isc.sans.edu\/diary\/Fake+Incident+Report+Used+in+Phishing+Campaign\/32722<\/a><br \/>\n[3] <a href=\"https:\/\/support.metamask.io\/configure\/wallet\/how-can-i-reset-my-password\/\">https:\/\/support.metamask.io\/configure\/wallet\/how-can-i-reset-my-password\/<\/a><\/p>\n<p><b>Xavier Mertens (@xme)<\/b><br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/raw.githubusercontent.com\/xme\/pgp\/refs\/heads\/main\/public.key\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/33118\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why Ask Credentials If There Are Secret Codes?, (Wed, Jul 1st) This morning, an interesting phishing email hit my mailbox. 
It targets Metamask[1], a cryptocurrency wallet, available as a browser extension and a mobile app, that lets users store, send, and receive crypto money. It\u2019s pretty popular, so a juicy target for criminals. In February, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-14014","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14014"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14014"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14014\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}