Victims first receive a fraudulent email, branded to look like it comes from the exchange, asking them to confirm a transaction or warning of suspicious activity. Once redirected to the phishing site, users are asked to enter their login credentials and then, in the next step, the code generated by multi-factor authentication. In the case of MetaMask, it is the recovery phrase (seed) that is requested. This information goes straight to the hackers, who can then launch the next phase.
An error message is then displayed, followed by a customer support chat window in which the scammers talk to the victim directly. The conversation buys them time to empty the user’s account, and also lets them obtain any additional information needed to transfer the funds. If the authentication code expires, the victim is asked to generate a new one.
If, despite all this, the scammers are still unable to get into their target’s crypto account, they move on to an alternative stage. To have their own machine registered as a “trusted device”, they must convince the victim to download TeamViewer, remote assistance software that allows remote access to computers. They then ask the owner of the crypto account to type their login information again, while they add a character in the password box to trigger an error. Next, they ask for the password to be copied into the TeamViewer chat, which lets them log in to the account from their own computer. Through the same software, they can directly intercept the link sent by email that registers a computer as a trusted device for the account, and so obtain access to it.