Bitcoin and other cryptocurrencies have always attracted fraudsters of every caliber, who not only use them in illegal activities but also actively steal them, both from exchanges and from ordinary users.
Using advanced technology, hackers keep finding new ways to siphon off funds, but the basic, time-tested methods remain the same, because every day new people enter the cryptocurrency space without the knowledge and awareness needed to counter such attacks.
Below are the main tricks hackers use; knowing them, users can at least protect their coins.
Social engineering and phishing
Social engineering is understood as a set of manipulation methods that force users to perform actions on websites or in applications that may harm them. One of the most popular of these methods is phishing: creating clone sites of well-known resources that trick users into disclosing personal data, including passwords, phone numbers, bank card details and, in recent years, private keys for cryptocurrency wallets.
Links to phishing sites are distributed in different ways: advertisements on social networks, and emails that copy the look of mailings from official projects. All of this serves a single purpose: to get an inattentive user onto the fake website and have them enter personal data there.
According to Chainalysis, phishing remained the most profitable fraud method in the cryptocurrency space in 2017 and 2018. However, while in 2017 it accounted for more than 88% of all fraudulent schemes, in 2018 the method became less effective, and its success rate dropped to 38.7%.
Nevertheless, the danger of falling victim to a phishing attack remains. Among the latest such incidents are the attacks on the popular Electrum wallet in December 2018 and April 2019. Attacks on altcoin wallets were often conducted at the same time.
In addition, the Bitfinex and Binance exchanges, the Trezor hardware wallet, the LocalBitcoins platform for buying and selling Bitcoins, and users of social networks such as Facebook have recently become targets of phishing attacks. In the latter case, the attackers copy the pages of popular cryptocurrency communities and then use photos of members of the real communities, tagging them in a post as winners of the platform's loyalty program.
The importance the industry's leading representatives attach to the fight against phishing is shown by the fact that in April of this year Binance Labs, the venture division of the Binance cryptocurrency exchange, invested in PhishFort. This company specializes in anti-phishing solutions and focuses on businesses at high risk, such as bitcoin exchanges, ICO projects and token issuance platforms.
The recommendations for protection against phishing attacks are quite simple: improving general computer literacy, personal attention (entering the URL manually and checking that the https protocol is used), and distrust by default of ads offering free giveaways of cryptocurrency.
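As an added illustration (not part of the original article) of what "checking the URL" means in practice, the function below classifies a link before it is followed: it requires https, accepts only an exact match or a true subdomain of an allowlisted host, and flags the two typical clone patterns, a trusted name embedded in a longer hostname and a one- or two-character lookalike. The allowlist and the sample links are constructed for the example; the `.example` domains are reserved names and not real sites.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the exact hosts this user actually intends to visit.
TRUSTED_HOSTS = {"www.binance.com", "binance.com", "electrum.org", "trezor.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> str:
    """Classify a link as 'trusted', 'insecure-scheme', 'punycode',
    'lookalike' or 'unknown'. Only 'trusted' should be followed."""
    parts = urlsplit(url)
    # urlsplit strips userinfo, so "https://binance.com@evil.example"
    # yields the real host "evil.example", not the decoy before the "@".
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "insecure-scheme"
    # Exact host or a real subdomain (accounts.binance.com), never a substring test.
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    # Internationalized labels (xn--) can hide homoglyphs of a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    for trusted in TRUSTED_HOSTS:
        # A trusted name buried in a longer host (binance.com.login.example)
        # or a host within two edits of a trusted one (blnance.com) is a clone.
        if trusted in host or edit_distance(host, trusted) <= 2:
            return "lookalike"
    return "unknown"
```
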
Trojan viruses
These numerous viruses are a type of malware that infiltrates a computer under the guise of legitimate software.
This category includes programs that perform various actions the user has not authorized:
- collecting bank card information,
- disrupting the computer's operation,
- using the computer's resources for mining,
- using its IP address for illegal trade, etc.
But hackers' ingenuity does not stand still. In 2018, a new version of the infamous Win32.Rakhni Trojan was discovered. This virus has been known since 2013, but while at first it focused solely on encrypting devices and demanding a ransom to unlock them, the new version went much further.
To begin with, it checks for folders associated with bitcoin wallets, and if they are found, it encrypts the computer and demands a ransom. If no such folders are found, Win32.Rakhni instead installs malware that steals the computer's processing power for hidden cryptocurrency mining and also tries to spread to other devices on the network.
As seen in the image above, more than 95% of all infections with this trojan were in Russia; Kazakhstan and Ukraine took second and third place.
According to Kaspersky Lab, Win32.Rakhni is most often distributed via emails inviting users to open an attached PDF file; instead of the expected content, a malicious program is launched.
As with phishing attacks, preventing infection of devices requires basic computer hygiene and extreme care when opening attachments.
Keyloggers
Malicious programs often consist of several components, each performing its own task. They can be compared to Swiss army knives: with their help, hackers can perform many different actions on the attacked system.
One of the most popular components in attacks is the so-called keylogger, a highly specialized tool that records every keystroke on a device. With it, attackers can quietly capture all of a user's confidential information, including passwords and keys to cryptocurrency wallets.
Most often, keyloggers enter systems as part of complex malware packages, but sometimes they are embedded in entirely legal software.
Makers of anti-virus solutions, as a rule, add well-known keyloggers to their databases, and protecting against them is not much different from protecting against any other malware. The problem is that there are a huge number of keyloggers, and it is physically very difficult to keep track of them all. For this reason, such spyware is often not detected by antivirus on the first attempt.
Nevertheless, ordinary computer hygiene and the use of specialized software can be a good help in combating this type of attack.
Public Wi-Fi networks
Stealing funds through public Wi-Fi networks has always been, and remains, one of the most popular tools of intruders.
Most Wi-Fi routers use the WPA (Wi-Fi Protected Access) protocol, which not only encrypts all traffic on the wireless network but also grants access only to authorized users.
However, hackers found a loophole here: by running a simple KRACK attack, they force the victim's device to reconnect to a Wi-Fi network they control, after which they can monitor and control all the information passing through it, including keys to cryptocurrency wallets.
Regularly updating the router's firmware helps, as does your own caution: never carry out transactions in public places such as stations, airports, hotels or, as happens quite often among members of the Bitcoin community, at blockchain conferences.
Slack bots
There are quite a few bots for Slack that hackers successfully adopt. As a rule, such bots send the user a notification that there is a problem with their wallet. The ultimate goal is to get the user to click on the notification and enter their private key.
The largest successful hacker attack involving Slack bots was the incident with the Enigma project in August 2017. The project was forced to suspend its ECAT token pre-sale after unknown attackers hacked the project's website and, by posting a false ETH address, stole more than $400,000 from it.
In addition, Enigma representatives confirmed that the project's Slack chat was also compromised:
Recommendations: ignore such messages, report the bots distributing them, and install protection on the Slack channel (for example, the Metacert or Webroot security bots).
SMS authentication and SIM swapping
SMS authentication is still a very common method of verifying all kinds of transactions, including cryptocurrency transactions. However, in September 2017 the cybersecurity company Positive Technologies demonstrated how easy it is to intercept an SMS with a password sent over the Signaling System 7 (SS7) protocol.
The demonstration used a Coinbase account linked to a Gmail mailbox. At first glance it might seem to be a vulnerability on the Coinbase side, but in reality the proprietary tool used by Positive Technologies exploited weaknesses in the cellular network itself.
By redirecting text messages to their own number, the researchers were able to reset the mailbox password and set a new one, after which they gained full access to the wallet.
In this case the experiment was conducted for research purposes, and no coins were actually stolen, but its results showed that the method could well be used by real criminals.
In this material, Hacken experts also listed the main ways SMS can be intercepted:
- Wiretapping: interception of SMS by law enforcement officers exceeding their official authority or misusing covert investigative measures.
- Duplication (cloning) of a SIM card through the cellular operator using the customer's personal data, and further use of the cloned SIM card in illegal activities.
- A false base station that intercepts and decrypts all of a subscriber's incoming messages, with further use of the intercepted data in illegal activities.
- Hacking the subscriber's "personal account" on the cellular operator's website or app and redirecting all messages to the attacker's address, with further use of the data obtained in illegal activities.
The second item in this list is also interesting: cloning (replacing) the SIM card. This method is known as SIM swapping, and the first high-profile case in which it was used to steal $14 million in cryptocurrency is already known.
This was a 2018 case in which two hackers were arrested in the United States after convincing a mobile operator to transfer control of a phone number to them; that number was used for two-factor authentication on the Crowd Machine project administrator's account.
Recommendation: refuse SMS verification in favor of dedicated two-factor authentication (2FA) apps, for example Google Authenticator.
Mobile applications
Hackers' victims are most often owners of Android devices who use only a login and password instead of 2FA. This is also because the process of adding apps to the Google Play Store is less strict than that of the App Store. Intruders take advantage of this by publishing their own applications that mimic well-known wallets and exchanges and lure confidential data out of inattentive users.
One of the high-profile stories involving fake apps concerned the Poloniex exchange. In November 2017, ESET experts discovered a program on Google Play posing as the official mobile application of this American exchange. The essence of the fraud was that users who downloaded the program entered their username and password, which allowed the virus's creators to change account settings, carry out transactions and gain access to users' mail.
Although Poloniex had no official mobile applications at the time (they were released only in July 2018), two versions of the fake app were installed by more than 5 thousand people. Following ESET's warning, they were removed from Google Play.
Fake MetaMask and Trezor Mobile Wallet apps also appeared on Google Play.
Users of iOS devices are more likely to fall victim to intruders distributing applications with built-in hidden mining. After discovering this problem, Apple was forced to tighten the rules for accepting applications into the App Store. At the same time, the damage from such applications is quite small: they only reduce the device's performance without taking any funds.
Recommendations: do not install applications that are not absolutely necessary. Do not forget about two-factor authentication, and check the links to applications on the official sites of projects and platforms to make sure they are authentic.
Extensions, plugins and add-ons for browsers
There are quite a few browser extensions and plugins designed to make interacting with cryptocurrency wallets easier and more comfortable. However, they are usually written in JavaScript, which makes them vulnerable to hacker attacks. This can mean intercepting user data and subsequently accessing wallets, or installing programs for hidden mining.
As noted by Check Point Software Technologies Ltd, hidden crypto miners remain the dominant threat to organizations around the world. In 2018, cryptominers consistently occupied the top four places in the rankings of the most active threats and attacked 37% of organizations worldwide. In 2019, despite the decline in the value of all cryptocurrencies, 20% of companies continue to be hit by crypto miner attacks every week.
There are several ways to counter this threat: set up a separate browser, or even a separate computer, for trading; use incognito mode; regularly update the anti-virus database; and do not download any dubious extensions or plug-ins.
Although the bulk of hacker attacks fall on exchanges and companies, individual users are not overlooked either. According to last year's research by Foley & Lardner, 71% of large traders and investors named cryptocurrency theft as the highest risk, while 31% called hacker activity a threat to the entire cryptocurrency industry.
Hackers, as a rule, stay one step ahead of the whole industry; therefore, in addition to dedicated protection software, an equally important part of the fight against intruders is users' own computer literacy and keeping up with the latest trends and events in cybersecurity.
Publication date 06/22/2019