Give me your coins: Phishing and Scamming Techniques on Cryptocurrencies

(image source: https://medium.com/@AntiScam_94721/stopping-the-slack-phishing-emails-gmail-7ff2a99725c4) Cryptocurrencies craze have been rapidly increasing as the difficulty of owning cryptocurrencies have become negligible recently. While more individuals are jumping on the bandwagon, criminals are switching their focus to steal your coins through various means. Among the most effective means are social engineering and phishing techniques, with millions of US dollars being stolen from cryptocurrency investors

Loh Soon BockBy: Loh Soon Bock, Mar 23, 2018
TwitterFacebookLinkedIn


(image source: https://medium.com/@AntiScam_94721/stopping-the-slack-phishing-emails-gmail-7ff2a99725c4)


Cryptocurrencies craze have been rapidly increasing as the difficulty of owning cryptocurrencies have become negligible recently.

While more individuals are jumping on the bandwagon, criminals are switching their focus to steal your coins through various means. Among the most effective means are social engineering and phishing techniques, with millions of US dollars being stolen from cryptocurrency investors due to phishing scams. Recently, Cryptocurrency Exchange Website Binance announced that several of its users were the target of phishing attacks and their accounts were compromised by the attacker. However, Binance managed to prevent the attacker from stealing any funds by stopping all withdrawal requests. We will now look at how we can protect ourselves from such phishing scams.

 

1. General Phishing Awareness

It is very important that we know how to detect a phishing email as criminals are getting smarter and its phishing emails are hard to distinguish from genuine emails. The following are some pointers to detect phishing emails.

  1. Poor English Grammar - Typically, phishing emails are written in poor English so it is one of the first few signs to detect such emails. If you are investing your money on a company, you would expect the company to send a proper email with proper English Grammar at the very least.
  2. Suspicious-looking Email address - The next obvious sign will be the email address, especially the long ones. E.g.  admin@mail.cryto-tothemoon.telegramico.com
  3. Asking for passwords or private keys - Never ever give your passwords or private keys to anyone, not even your friends. Basic security 101.
  4. Asking you to send cryptocurrency to a wallet - Similar to passwords, never send any cryptocurrencies to unknown wallet addresses that are sent in emails, unless you are expecting one. In that case, you should verify that wallet address first before sending it.


Bee Token ICO Phishing Email


Besides detecting phishing emails, phishing websites are also on the rise. It is important to ensure the URL points to the correct domain name and the browser’s green lock is present. The green lock tells you that the website you currently visiting is using a secure channel.

Secure Lock on Chrome Browser

Without the green lock, all sensitive information, such as your password, OTP and private keys, that you sending over may get intercepted by criminals, especially if you are using open Wifi at a cafe. Do take extra precaution when you are logging in to the crypto-exchanges.

 

2. Good practices to detect cryptocurrency scams and phishing

Defending against general phishing is not sufficient as criminals and scammers are using more sophisticated techniques to trick investors and traders. Binance Phishing, Bitconnect scam and Loopx ICO scam are some of the few examples of how far criminals will go to steal your money. However, knowing how to do proper research on ICOs and be vigilant when investing in or trading cryptocurrencies can prevent criminals and scammers stealing or cheating your coins or tokens. Here are some tips on how to protect yourself from these people:

    1. Invest in ICOs with care - Do sufficient research on the company, team, products or services and whitepaper. Beware of the hype and advertisements on the short-term gains. If it sounds too good to be true, it is usually not true.
    2. Verify the recipient’s wallet address and ensure it belongs to them - Ethereum has a service called Ethereum Name Service. It resolves human-readable names to a wallet address. Most ICOs will register their name on this service so their investors can transfer their coins to the correct wallet. If they did not register such services, you can use EtherScan or ethplorer.io to look at the list of transactions or smart contracts for that particular wallet. Typically, the wallet will be tied to the token contract so you can ensure that you are investing in the right ICO token.
    3. Do not give your account’s API key to any 3rd-party service - API keys are like the combination of your username and password. These keys can access your account and perform transactions and withdrawals on your behalf. Know the risk and accept the risk when you give these “passwords” to anyone.
    4. Never send cryptocurrency to a wallet from an email - No ICO or cryptocurrency exchange will email you to transfer cryptocurrency to their wallet. If they do, you should go to their official website to find their support email address and send an email to verify the wallet address again to confirm.
    5. Scams in Emails, Telegram or Slack chats - Many scammers are now targeting gullible users onofficial Telegram or Slack chats of any cryptocurrency. They try to impersonate the admin of the chats and try to scam the user sending cryptocurrencies to them. They may also private message or email you for an extremely lucrative deal but with a price. A popular example is promising you a return of 1 btc within 3 months if you invest in them for 0.01 btc. Usually these deals are empty promises and they will be gone and uncontactable once you send them your coins.

To conclude, cryptocurrencies are very popular and many individuals want to jump on the ride to earn quick bucks. However, these people do not know how to protect themselves from scams and understanding the risks they are taking. I believe it is important for everyone to know how to detect such scams and phishing techniques so that we can have a safer global cryptocurrency community. I hope everyone invests and trades safely in cryptocurrencies. To the mooooon!!!

 

Try our free security consulting!

 

related articles: https://blog.horangi.com/be-in-a-position-of-strength-auditing-ico-and-cryptocurrency

 

Loh Soon Bock
By: Loh Soon Bock, Mar 23, 2018

Soon Bock (OSCP, CRT, CISSP) is a Horangi CyberOps Consultant who specializes in penetration testing and secure code review. He enjoys looking out for new challenges to exploit. Outside his work life, he enjoys travelling and hanging out with friends doing all sorts of stuff.

TwitterFacebookLinkedIn

Subscribe to the Horangi Newsletter.

Hear from our Horangi tech experts as we go deep into up-and-coming cyber threats, new solutions, and talk about the future of cybersecurity.