MetaMask / metamask-extension

The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
https://metamask.io
12.07k stars, 4.93k forks

[Bug]: Angel Drainer Bypasses ETH-Phishing-Detection #28250

Open jeffreydurhamski opened 3 weeks ago

jeffreydurhamski commented 3 weeks ago

Describe the bug

Angel Drainer, a notorious drainer that has drained over $100m from MetaMask users, is bypassing phishing detection by changing their C2 domain every 5 minutes to avoid detection by the eth-phishing-detect module, as the interval is 5 minutes.

You can see here their contract that calls "Change Data" every 5 minutes as soon as their workers.dev Cloudflare free domain ends up on the block list, which typically happens in minutes. https://bscscan.com/address/0xd24aeC3254652B0ab565E41A945b491e98Bb5FFC

https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/refs/heads/main/src/config.json This whole list is just full of workers.dev domains, which are used to proxy the malicious drainer software.

You should ban workers.dev URLs completely, as no actual legitimate website uses it, and there are many patterns which they're using while sending these URLs.

Expected behavior

eth-phishing-detect is already detecting these URLs, but they're not being blocked yet because the URLs are dynamically refreshing! Do this immediately.

Screenshots/Recordings

No response

Steps to reproduce

Visit a phishing site such as event-eigenfoundation.org and you will see that their C2 domains are not flagged as they should be; this is because they bypass this by launching a new domain each time the C2 block list is refreshed.

Error messages or log output

No response

Detection stage

In production (default)

Version

ANY

Build type

None

Browser

Chrome, Firefox, Microsoft Edge, Brave, Other (please elaborate in the "Additional Context" section)

Operating system

Windows, MacOS, Linux

Hardware wallet

No response

Additional context

No response

Severity

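The bypass described in the issue body above comes down to a matching question: a list of fully qualified C2 hostnames can only ever catch the hostname that was reported, while a drainer that spins up a fresh `*.workers.dev` worker every rotation interval is always one hostname ahead of the next list refresh. The following is an added example, not code from MetaMask or from eth-phishing-detect, that makes the difference concrete. It implements a hypothetical config with an `allowlist`, an exact `blocklist`, and a `blockedSuffixes` parent-domain rule of the kind the reporter asks for; the `c2-NNNN.workers.dev` names, the `checkExact` / `checkHostname` functions and all list contents are constructed for the demo. Whether the real module's matcher already treats list entries as parent domains is something to confirm against its detector source; here that behaviour is an explicit assumption.

```javascript
// Added example, not code from MetaMask or eth-phishing-detect: a minimal
// hostname blocklist checker showing why an exact-match list loses to a
// drainer that rotates its *.workers.dev C2 hostname as fast as the list
// refreshes, and how a parent-domain (suffix) rule closes that gap.
// All list contents and hostnames below are constructed for the demo.

const CONSTRUCTED_CONFIG = {
  allowlist: ["metamask.io"],
  // exact hostnames that have already been reported and published
  blocklist: ["event-eigenfoundation.org", "c2-0000.workers.dev"],
  // hypothetical parent-domain rule of the kind the issue asks for
  blockedSuffixes: ["workers.dev"],
};

// Split a hostname into labels: lowercased, trailing dot removed.
function domainParts(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
}

// True when `hostname` is `entry` itself or a subdomain of it. Labels are
// compared from the right, so "evil.example.com" matches "example.com"
// but "example.com.evil.net" does not.
function isSameOrSubdomain(hostname, entry) {
  const h = domainParts(hostname);
  const e = domainParts(entry);
  if (e.length === 0 || e.length > h.length) return false;
  for (let i = 1; i <= e.length; i++) {
    if (h[h.length - i] !== e[e.length - i]) return false;
  }
  return true;
}

// Exact-match lookup only: what a list of fully qualified C2 hostnames
// buys you. Anything not literally on the list is "unknown".
function checkExact(hostname, config) {
  if (config.allowlist.some((e) => isSameOrSubdomain(hostname, e))) return "allowlist";
  const h = domainParts(hostname).join(".");
  return config.blocklist.some((e) => domainParts(e).join(".") === h) ? "blocklist" : "unknown";
}

// Hierarchical lookup: allowlist wins, then blocklist entries matched as
// parent domains, then the suffix rules.
function checkHostname(hostname, config) {
  if (config.allowlist.some((e) => isSameOrSubdomain(hostname, e))) return "allowlist";
  if (config.blocklist.some((e) => isSameOrSubdomain(hostname, e))) return "blocklist";
  if (config.blockedSuffixes.some((e) => isSameOrSubdomain(hostname, e))) return "suffix";
  return "unknown";
}

// Simulate the drainer's rotation: one fresh worker hostname per interval.
// Only the first one (c2-0000) has made it onto the exact blocklist; every
// later one is brand new from the list's point of view.
function rotatedHostnames(count) {
  const names = [];
  for (let i = 0; i < count; i++) {
    names.push(`c2-${String(i).padStart(4, "0")}.workers.dev`);
  }
  return names;
}

// How many of `count` rotated hostnames each strategy blocks.
function blockedCounts(count, config) {
  const names = rotatedHostnames(count);
  const exact = names.filter((n) => checkExact(n, config) === "blocklist").length;
  const suffix = names.filter((n) => {
    const verdict = checkHostname(n, config);
    return verdict === "blocklist" || verdict === "suffix";
  }).length;
  return { total: names.length, exact, suffix };
}

// Example run: the exact list catches 1 of 12 rotated hostnames,
// the suffix rule catches all 12.
console.log(blockedCounts(12, CONSTRUCTED_CONFIG));
console.log(checkHostname("app.metamask.io", CONSTRUCTED_CONFIG));
console.log(checkHostname("workers.dev.evil.example", CONSTRUCTED_CONFIG));
```

Two notes on the design. The right-to-left label comparison matters: a naive `hostname.endsWith("workers.dev")` would also match `notworkers.dev`, and a substring test would match `workers.dev.evil.example`, which is the kind of lookalike a drainer would register next. And a parent-domain rule on `workers.dev` is a blunt instrument: it blocks every Cloudflare Worker deployed on that free suffix, legitimate or not, so a practitioner weighing the reporter's request should pair it with the allowlist path shown above rather than rely on the suffix alone.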
DanielTech21 commented 2 weeks ago

Hi @jeffreydurhamski

Thank you for bringing this security bug to our attention.

Our team will look into it.