mastouille.fr is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastouille is a sustainable, open Mastodon instance hosted in France.

#MetaMask


I have catch-all email set up and the few specialty accounts I have set up on my Mastodon server have been getting phishing emails for a MetaMask 2FA warning (which I've never heard of).

Some emails are just coming to standard usernames that don't exist.

Catch-all email is a mailbox that receives emails sent to non-existing, invalid or misspelled email addresses within a domain.

I guess whatever bot is scraping the web is thinking Mastodon and Fediverse handles are email addresses since they look like them for all intents and purposes.

#MastoAdmin #Phishing #MetaMask #Infosec #email

Anyone else have catch-all set up and getting them emails to fediverse user handles on your server in your catch-all email account?

I just got an email asking me to activate my MetaMask 2-factor authentication. Thing is, I have never owned or traded #CryptoCurrency and had to look up what #MetaMask was. (According to search results, it's a crypto/NFT wallet.) So, fairly typical #scam, but crypto traders are especially vulnerable because there are few to no legal protections once the Ethereum or whatever is out of your wallet.

How to set up key-based identity in Mitra

Mitra implements a mechanism for migrating your connections from one server to another, which works even if your current server is offline. At the moment, this mechanism is only supported by Mitra. People who use different software won't be able to connect automatically to your new account, so the more of your contacts use #Mitra, the fewer connections you lose during migration. It's not very difficult for other developers to implement it though, and it's documented in FEP-7628 and FEP-c390.

For migration to work, two accounts must be linked to the same cryptographic key. To do that, you need to add a public key to your profile, then create a signature to prove the possession of the corresponding private key. You can think of this key as something that represents your primary identity and your fediverse accounts as temporary aliases. Mitra currently supports two signing tools: Minisign and Metamask.

Minisign

#Minisign is a command line tool. It might be difficult to use, but it is secure and doesn't violate your privacy.

1. Install Minisign. The tool is available in most Linux distros. For example, on Debian you can simply run apt install minisign.
2. Generate a key pair: minisign -G.
3. Go to your profile page, click on the three dots to open the profile menu and select "Link minisign key".
4. Tell Minisign to export your public key:

minisign -R -f -p minisign.pub

Copy the text from the minisign.pub file and paste it into the form. Press the "Generate message" button.

5. Run the displayed commands to create a signature. The first one (starting with printf) creates a file that needs to be signed. The second one

minisign -S -l -m message -x message.sig

creates a signature. Copy the text from the message.sig file and paste it into the form. Press "Submit".

Now, back up your social graph. Go to "Settings" and scroll down to the "Export" section. Download both follows and followers lists.

Metamask

#Metamask is a browser extension and a cryptocurrency wallet. It leaks the hash of your public key to third parties, has a non-free license and has other shortcomings.

However, it is much easier to use than Minisign. If you have it installed, just go to your profile page, open the dropdown menu and select "Link ethereum address". Follow the instructions and approve the signature request. Done!

Migration

If you need to migrate your connections, repeat the linking procedure with your new account. Then go to "Settings", find the "Experiments" section with "Import follows" and "Move followers" buttons, and upload your previously backed up lists. That's all.

In the future more identity verification methods will be added. For example, a client may generate a private key for you, and let you back it up as a passphrase. This is less secure, because you have to trust the server admin to not steal your private key, but it is much easier than using Minisign. Arguably, the tradeoff is acceptable.
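
A structural pre-check for the two files pasted into the linking form in the Minisign steps above, as an added example that is not part of the original post and is not Mitra's code. The function names, the constructed sample data and the `require_legacy` policy (inferred from the `-l` in the signing command) are assumptions; it checks layout and key ID only and does not verify the Ed25519 signature.

```python
import base64

# minisign text formats: a comment line, then a base64 payload.
#   public key payload: 2-byte algorithm + 8-byte key ID + 32-byte Ed25519 key
#   signature payload:  2-byte algorithm + 8-byte key ID + 64-byte signature
#   a signature file adds a "trusted comment:" line and a 64-byte global signature
SIG_ALGS = {b"Ed": "legacy", b"ED": "prehashed"}

def _payload(text, size):
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != size:
        raise ValueError(f"payload is {len(raw)} bytes, expected {size}")
    return raw, lines[2:]

def parse_public_key(text):
    raw, _ = _payload(text, 42)
    if raw[:2] != b"Ed":
        raise ValueError("unsupported public key algorithm")
    return {"key_id": raw[2:10], "key": raw[10:]}

def parse_signature(text):
    raw, rest = _payload(text, 74)
    if raw[:2] not in SIG_ALGS:
        raise ValueError("unsupported signature algorithm")
    if len(rest) < 2 or not rest[0].startswith("trusted comment:"):
        raise ValueError("missing 'trusted comment:' line")
    if len(base64.b64decode(rest[1], validate=True)) != 64:
        raise ValueError("global signature must be 64 bytes")
    return {"format": SIG_ALGS[raw[:2]], "key_id": raw[2:10], "sig": raw[10:]}

def check_pair(pub_text, sig_text, require_legacy=True):
    """Structural pre-check only; it does not verify the Ed25519 signature."""
    pub, sig = parse_public_key(pub_text), parse_signature(sig_text)
    if pub["key_id"] != sig["key_id"]:
        raise ValueError("signature was made with a different key")
    if require_legacy and sig["format"] != "legacy":
        raise ValueError("prehashed signature; sign again with -l")
    return sig["format"]

# Constructed sample files (placeholder bytes, not real keys or signatures).
def sample(alg=b"Ed", key_id=b"\x01" * 8):
    b64 = lambda b: base64.b64encode(b).decode()
    pub = "untrusted comment: constructed public key\n" + b64(b"Ed" + b"\x01" * 8 + bytes(32))
    sig = ("untrusted comment: constructed signature\n" + b64(alg + key_id + bytes(64))
           + "\ntrusted comment: constructed\n" + b64(bytes(64)))
    return pub, sig
```

Calling `check_pair(*sample())` returns `"legacy"`. A pair that passes still needs cryptographic verification, for example with `minisign -V` against the same public key.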
