In our previous article on cryptocurrency security, we touched on the Pump and Dump scheme. This week, we would like to discuss Phishing.
What is Phishing?
The goal of phishing is to mimic the website or email (or even social media profile) of a real organization so that users think they are contacting a representative of the company, only to later discover that it is actually a fraudster on the other end.
Usually, the domain of the impersonating site is deceptively similar to the original and differs, for example, by one letter. The method itself is old and very popular outside the cryptocurrency world – attempts have been made to steal user information from sites such as Adobe, Blizzard, Microsoft, Google and hundreds of others.
After successfully impersonating an organization, fraudsters will want to obtain sensitive user data. The victim, thinking they are logging into the original service, gives the login and password to the fraudsters. It also often happens that the attacked person receives a fake email with a password reset requirement, which redirects to a fake page.
The most popular phishing for cryptocurrencies is done by pretending to be popular wallets (e.g. My Ether Wallet) or major ICOs that have just started (such as Bancor or district0x).
How does Phishing work?
Fraudsters choose well-known and widely recognized sites – My Ether Wallet is a very popular choice for investing in Ethereum or ERC-20 tokens. Many people also use it to invest in ICOs. Criminals “take inspiration” from various parts of the portal:
- address of the organization
- user interface
- email signature
- Social Media account name
Then they will try to register a name very similar to the original site. The real My Ether Wallet address is www.myetherwallet.com, so the scammers may try to buy the domain www.myethervvallet.com (double V) or www.myetherwallet.com.net. Then they will copy the user interface from My Ether Wallet and connect their own database to it.
Next, on popular cryptocurrency channels such as Slack, Reddit, or Telegram, the criminals will choose a name that suits their purpose. A recent example is the registration of public profiles under the login “ether-security-team” or “vitalik-buterin”.
Then the scammers will send a message to as many people as possible informing them about a certain problem. Recently, impersonating the Ethereum DEV team, they told users that they needed to enable 2FA, without which tokens and funds would be blocked.
Unaware users clicking on the myetherwallet.com link were actually taken to the myethervvallet.com (double V) page where they were supposed to enter their confidential data. In this way, users were handing over their private keys, passwords, and other valuable information.
Once the victim has provided this information, fraudsters have direct access to logins and passwords or private keys, and thus to funds. Remember that once a transaction is made, it is no longer possible to reverse it.
When falling victim to phishing, even 2FA security may not help us. When logging in to, for example, a site that pretends to be an exchange, the service may also require a 2FA token, which, as we know, can be valid for up to a minute. It only takes a dozen or so seconds for the fraudster’s bot to manage to, for example, withdraw funds from the original exchange.
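The look-alike addresses described above (myethervvallet.com with a double V, and myetherwallet.com.net) can be caught automatically before a link is followed. The following is an added example, not code from the original article; the allowlist, the table of confusable characters and the two-edit threshold are assumptions chosen for illustration, and it generalizes slightly to cover single-letter typos as well.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; list your own trusted hosts here.
TRUSTED = {"myetherwallet.com"}
# Small constructed table of character runs that visually imitate a letter.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}

def skeleton(host):
    """Collapse look-alike runs so 'myethervvallet' compares equal to 'myetherwallet'."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, reason) for the hostname in a URL or bare address."""
    # urlsplit only finds a hostname after '//'; it also discards any 'user@' prefix.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        return ("suspicious", "no hostname")
    # Exact match or a genuine subdomain of a trusted host.
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in TRUSTED:
        # Trusted name used as leading labels of someone else's domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return ("suspicious", f"'{good}' is only a prefix of another domain")
        if skeleton(host) == skeleton(good):
            return ("suspicious", f"look-alike characters imitate '{good}'")
        if edit_distance(host, good) <= 2:
            return ("suspicious", f"within two edits of '{good}'")
    return ("unknown", "not on the allowlist")
```

Internationalized (punycode) hostnames are not decoded here, so look-alikes built from non-Latin characters need a separate check.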
How to avoid becoming a victim?
There are several ways you can reduce the risk of being scammed.
1. Do not click on links; enter the address manually or use your bookmarks
Always be suspicious of links sent via private messages or email, or even those that a search engine throws at you. Paid commercial (advertising) links from fake sites will rank higher in search results than authentic ones.
2. Check the site certificate
Before logging in to a given site, you should always verify that the certificate is valid, and check who issued it and for which address. You can usually check the certificate by clicking the green padlock next to the browser’s address bar.
3. Multiple confirmation
You may get a message saying that you need to update, for example, the wallet you are using, with a link to fake software. Do not unconditionally trust even emails from the correct domain; such emails are easy to fake. If a critical error appears in a given piece of software, it is announced through the organization’s website, its fanpage, or even the media. Always verify information from multiple sources.
4. Contact only through official channels
Projects contact users mainly via email, Reddit, or Slack. If you receive information from another source, you can assume it’s a scam and ignore it.
5. Do not open attachments
Never, under any circumstances, open attachments with alleged updates or other files that seem harmless. Remember that scammers use very clever social engineering that has fooled many advanced Internet users.
6. Join the community
It is very important to inform each other. A well-known recent case was a phishing scam impersonating Bittrex, which was reported by one of the users in the group Cryptocurrencies – Fraudsters.
JPKTraders.pl