Victims first receive a scam email styled in the exchange's colors, asking them to confirm a transaction or indicate suspicious activity. Once redirected to the phishing site, users are required to enter their login credentials and then, in the next step, type in the code obtained through multi-factor authentication. In the case of MetaMask, it is the recovery phrase (seed) that is requested. This information is retrieved directly by the hackers, who can then launch the next stage.
An error message is then displayed, followed by a customer support chat window in which the scammers engage directly in a conversation with the victim. This conversation gives them time to empty the user’s account, but also to obtain any additional information necessary to transfer the funds. If the authentication code expires, the victim is asked to generate a new one.
And if the scammers are still unable to open their victim’s crypto account despite all this, they move on to an alternate stage. In order to make their own machine a “trusted device”, they must convince the victim to download the TeamViewer remote assistance software, which allows remote access to computers. They then ask the crypto account owner to type their login information again, adding a letter in the password box to create an error. After that, they ask the victim to copy the password into the TeamViewer chat, which allows them to log into the account from their own computer. Through the same program, they can directly grab the link sent by email that is meant to make the computer a trusted device for the account, and so gain access to it.