As the market shares of Bitcoin take us on a rollercoaster ride, e-wallets, crypto exchanges, and other cryptocurrencies are popping up. New “crypto” apps offer mining services, exchange services, and even banking services. How will you navigate the potential security pitfalls of cryptocurrency scams?
We will examine some of the various ways bad actors are skimming the coffers of cryptocurrencies and what you as a consumer can do to avoid them.
Cryptocurrency Hack Attacks
With the era of social media and online news, fake news pushers have it easier than ever to create and spread online cryptocurrency scams by capitalizing on the gold rush. They simply mimic mainstream media web pages with catchy links, “Click here to earn one Bitcoin a day!” which bait users to enter their personal data and credit card information. Always remember, Think before you click! If it sounds too good to be true, then it usually is.
Another popular cryptocurrency scam is specialized phishing lures to penetrate cryptocurrency storage systems, such as mobile wallet apps, online exchanges, or trading apps. For example, Fortinet identified a phishing attack that invited investors to increase their gains by utilizing a trading bot application. The phishing email claimed that this app, Gunbot, automatically traded Bitcoins within set parameters to secure profits for investors. Recipients were encouraged to download the new trading bot, Gunbot attachment, but in actuality, it contained an executable that delivers Orcus Remote Access Terminal (RAT) malware.
RATs allow your computer or device to be controlled remotely. From there, it takes just a few keystrokes for the attacker to gain admin rights, which in turn gives him/her access to account and password information that may be stored in the far reaches of your device’s memory. The attacker may even strike gold if you have any Bitcoins or other cryptocurrencies that are stored on the hard drive.
Mining cryptocurrencies takes a lot of resources and computational power. In fact, electricity is the number one operational cost to a Bitcoin miner. For that reason, nefarious hackers have resorted to “borrowing” resources by spreading Bitcoin-mining malware. Many of the current malware botnets are created to mine Bitcoins, whether they’re injected into computers, smart phones, or IoT gadgets. Although their intent isn’t malicious, it’s still unauthorized use of someone else’s property, and it costs the victim money and slows down the hijacked devices. If your battery is dying faster than usual or your device is running slower than normal, then you should scan your system with updated antivirus/anti-malware software.
Crypto-currencies often store their value in file stores known as e-wallets. Wallets can be compromised, manipulated, stolen, and transferred, just like any other data stored on a computer. Kaspersky Lab recently detected a new attack strain called CryptoShuffler. The technique uses simple copy-and-paste tactics to steal valuable Bitcoins from unsuspecting users, straight out of their wallets. Most experts recommend keeping your value in an offline wallet that can’t be accessed by malware or hackers.
Bad actors create fake e-wallets to take advantage of people new to Bitcoin and other digital currencies as they are less likely to recognize fake apps. Lookout recently discovered three fake Bitcoin wallet Android apps in the Google Play Store that trick people into sending cybercriminals Bitcoins. Some of the apps had thousands of downloads. Fortunately, Google has since pulled them from the store. But more crop up every day as the craze for cryptocurrencies hungers on.
Crypto-currency trojans monitor your computer waiting for what looks like the format of a crypto-currency account number. When it spots one, it “awakens” and replaces the intended account you are transferring value to with their account number. Unless you are aware of the switch, it will be game over if you hit the Send button.
Inherent Programming Weaknesses
Like any crypto implementation, the cryptologic algorithm is almost always far more sound than the program that implements it. In general, blockchaining can suffer from a programming bug or lack of good private key security (or Bitcoin wallets) which will, in turn, compromise the whole system. So, before you use a cryptocurrency or get involved in a blockchain project, make sure the software programmers are applying secure development lifecycle (SDL) processes to minimize bugs. And, protect your private crypto keys as you would the key to your house, or better yet, your safe.
Known Plaintext Crib Attacks
Good crypto makes the resulting cryptotext look like random gibberish. Theoretically, a crypto-attacker should not be able to figure out what the original plaintext looked like. With any blockchain technology, however, the format of the blocks is not a secret and can be easy to figure out. Certain letters, characters, or numbers are always in the same places in every block. This allows crypto-attackers to “crib” a partial representation of the plaintext in every crypto protected block. Plus, every block is a function of the previous block. This weakens the overall protection of the underlying encryption cipher. If the cipher isn’t weak, it isn’t a huge problem, but it does give attackers a starting edge.
Many security experts wonder if SHA-256, which contains the same mathematical weaknesses as it’s shorter, very much related SHA-1 precedent, is a concern for Bitcoin and blockchain (both usually use SHA-256). The answer is not right now. SHA-256 is strong enough for the foreseeable future. More importantly, since most of the world’s financial transactions and HTTPS transactions are protected by SHA-256, when someone breaks it, we’ll have far bigger things to worry about than just Bitcoin and blockchains. “Although if you’re planning to make a cryptocurrency or blockchain, start planning for “crypto-agility,” which is the ability to replace ciphers and keep the underlying program,” suggests Roger A. Grimes, from CSO.
Sites Get Hacked
Some of the bigger hacks are ascribed to unscrupulous operators who run away with millions in ill-gotten gains. Other common hacking threads surrounding Bitcoin is how often the centralized website controlling the cyber currency gets hacked. One such example is Youbit, a South Korean Bitcoin exchange that had to file for bankruptcy after criminals stole almost one-fifth of its clients’ holdings in the second major cyber attack on its systems this year.
DDoS attacks against major cryptocurrency exchanges or vaults like Mt. Gox or more recently, Coincheck, can take down whole cryptocurrency systems resulting in either stolen funds or corrupted files that are rendered worthless. Make sure to back up your value into an offline location because an FDIC bailout is not likely to happen. Moreover, always do business with a cryptocurrency website that is well secured and trustworthy.
Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.
Avoid using two-factor authentication (2-FA) via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor, for example, Google Auth.
Whether you decide to join the craze or sit back and watch the rollercoaster’s dips and turns, here are a few cybersecurity tips that will be wise to follow:
- Research before investing to make sure your cryptocurrency website is well secured and trustworthy.
- Do not trust Twitter or other social media for investment advice since fake news is a pitfall.
- Think before you click! Do not fall for phishing scams or ads laced with malicious links.
- Report phishing scams, and don’t share or forward the lure to others.
- Closely monitor your cryptocurrency wallets, credit card accounts, and banking accounts.
- Be wary of social engineering attempts to steal your credentials.
- Routinely scan your computers, laptops, mobile phones, and other devices using updated and patched antivirus/anti-malware software.
- Avoid using two-factor authentication via SMS texts, rather use Google Auth.
Practicing routine cyber hygiene will help you avoid the hidden traps lying wait on the web.
Want to more tips? Read more at InspiredeLearning.