Categories
Scam Prevention & Education, ShieldGuard Ecosystem, ShieldGuard Learn

🚨 SCAM ALERT: The “Clean PDF” MetaMask Phishing Wave

We have detected a sophisticated phishing campaign targeting MetaMask users worldwide. Unlike traditional scams that use malicious files, this attack uses “clean” PDF documents to bypass your email’s security filters.


🔍 How the Scam Works (The Vector)

  1. The Hook: You receive an email warning of “Suspicious Login Activity” on your MetaMask account.
  2. The Lure: The email includes a PDF attachment named Security_Reports.pdf.
  3. The Bypass: Because the PDF is generated using a legitimate Python library (ReportLab) and contains no malware or viruses, standard antivirus and email scanners (like Gmail or Outlook) often mark it as “Safe.”
  4. The Social Engineering: The PDF looks like a professional security incident report. It instructs you to “Enable 2FA” or “Verify your Identity” to secure your funds, providing a link to a “Security Portal.”
  5. The Final Trap: The link leads to a fake MetaMask website hosted on Amazon Web Services (AWS) infrastructure. This makes the URL look legitimate (e.g., s3.amazonaws.com/...). Once there, you are asked to enter your 12-word Secret Recovery Phrase.
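
For mail-security teams, the chain above leaves one thing a scanner can still inspect: the link inside the "clean" PDF. The following is an added example, not part of the original alert or any ShieldGuard tool. It lists each link target in a PDF and classifies its host, assuming links are stored as uncompressed literal strings; the sample bytes, bucket name and function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the only domain the alert treats as legitimate for MetaMask.
TRUSTED_SUFFIXES = ("metamask.io",)
# Shared hosting named in the alert; anyone can publish pages under it.
SHARED_HOSTING_SUFFIXES = ("amazonaws.com",)

# PDF literal strings: /URI (...) on link actions, /Producer (...) in metadata.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
PRODUCER = re.compile(rb"/Producer\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample: fragments shaped like an uncompressed PDF, not a real lure.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Producer (ReportLab PDF Library - www.reportlab.com) >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]\n"
    b"  /A << /S /URI /URI (https://s3.amazonaws.com/example-bucket/portal.html) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /Rect [72 560 300 580]\n"
    b"  /A << /S /URI /URI (https://metamask.io.example.net/verify) >> >> endobj\n"
)

def _unescape(raw):
    """Drop PDF backslash escapes in a literal string (sufficient for URLs)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")

def _host_in(host, suffixes):
    """True only for the suffix itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage_pdf(data):
    """Return the producer string and every link target with a host verdict."""
    links = []
    for match in URI_ACTION.finditer(data):
        url = _unescape(match.group(1))
        host = (urlparse(url).hostname or "").lower()
        if _host_in(host, TRUSTED_SUFFIXES):
            verdict = "trusted"
        elif _host_in(host, SHARED_HOSTING_SUFFIXES):
            verdict = "shared-hosting"
        else:
            verdict = "unknown"
        links.append((url, verdict))
    producer = PRODUCER.search(data)
    return {
        "producer": _unescape(producer.group(1)) if producer else None,
        "links": links,
        # A security notice whose links leave the trusted domain needs review.
        "suspicious": any(verdict != "trusted" for _, verdict in links),
    }

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Links stored in compressed object streams or as hex strings are not seen by this byte-level scan, so a production check should run a full PDF parser first. The producer string is context only: ReportLab is a legitimate library and its presence alone is not an indicator.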

🚩 Red Flags to Watch For

  • Unsolicited Security Alerts: MetaMask never sends unsolicited emails. They do not have your email address unless you have explicitly provided it for a support ticket.
  • Requests for Your Seed Phrase: No legitimate crypto wallet, support agent, or “security update” will ever ask for your Secret Recovery Phrase.
  • Links in PDFs: Be extremely wary of any PDF that asks you to click a link to “fix” a security issue.

🛡️ Preventive Education: How to Protect Yourself

  • Verify the Sender: Always check the actual email address, not just the display name. Legitimate MetaMask support only comes from @metamask.io.
  • Go to the Source: If you are worried about your account security, never click a link in an email. Instead, open your MetaMask browser extension or mobile app directly. If there is a real issue, you will see a notification inside the app.
  • Use Hardware Wallets: For significant holdings, use a hardware wallet (like Ledger or Trezor). This ensures your private keys never touch an internet-connected device, making them immune to these fake websites.
  • Enable 2FA on Your Email: Since many crypto-related accounts are linked to your email, ensure your email itself is protected by a hardware security key (like a YubiKey) or an authenticator app.

ShieldGuard Reminder: Your Secret Recovery Phrase is the “Master Key” to your money. If you share it, your funds are gone forever. Stay Alert. Stay Protected.
