As the popularity of cryptocurrencies continues to grow, so does the number of cyber-attacks that target crypto investors. Hackers are becoming increasingly sophisticated in their methods, and one of the latest threats comes in the form of social engineering.
As secure as the blockchain technology protecting our cryptocurrencies may be, humans still have vulnerabilities of our own. Social engineering is a term used to describe ways to “hack people” rather than technology. Regardless of how technologically secure we build our systems, if you are unprepared to deal with a social engineer, they can and will gain access to your secure accounts. These attacks exploit your sense of urgency in an attempt to shorten the time you take to think before acting. There are countless ways that someone may be socially engineered. An attack may be used to steal funds or information, gain access, or simply build rapport so that a future attack is more likely to succeed. Two specific types of social engineering attack stand out when it comes to gaining access to your crypto wallet: session hijacking and SIM swapping. Both can be devastating to the ill-prepared, but they are easily mitigated by anyone who has been educated on the topic of social engineering.
Session hijacking involves a bad actor intercepting the traffic between their victim and what the victim believes to be a legitimate website. From a phishing email address, an attacker may send the victim a message urgently requesting that they log in to one of their accounts, and provide a link for the victim to use. The link takes the victim to a website that looks identical to the one they were trying to reach, but it actually leads to a man-in-the-middle attack site. Such sites are created by the attacker to view the traffic between the victim and the real website as the victim logs in.
Once the credentials have been entered, the victim is granted access to the website as normal, and an Access Control Token (ACT) is generated. This ACT can then be intercepted by the attacker in plain text. The attacker then visits the website the victim just logged in to, opens the developer tools, navigates to the console, and pastes the ACT to be granted full access. Even though the attacker never goes through any of the steps needed to log in to the victim’s account, the website sees that a valid ACT has been presented and grants access. The site has no way of knowing the ACT was provided by someone other than the account owner.
There are simple ways to mitigate these forms of phishing attack. Your due diligence checks on any email received should include checking the address it originated from for typos. This can be tricky, as characters such as I (capital i) and l (lowercase L) can look identical. Copying and pasting the address into a text document and changing the capitalization of the address as a whole is helpful in confirming that the email address is correct.
The best mitigation for the risk of navigating to a spoofed website from a phishing email is to bookmark the correct website beforehand. This way, if you do receive an urgent email asking you to log in to your account, you can navigate to the site from the known good URL saved in your bookmarks. If you do not have the website bookmarked, you can at least verify the URL behind the link by hovering your mouse over it. This gives you an opportunity to check the website’s legitimacy without visiting the page.
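The two checks described above (recapitalising a sender address to expose I/l lookalikes, and reading the real host behind a link before clicking) can be automated. The following is an added example written for this post, not code from MetaBlaze or the original article. It assumes a constructed allowlist (`TRUSTED_DOMAINS`) standing in for the sites you have bookmarked, and it goes a little beyond the page’s I/l example: it also flags digit/letter lookalikes, `xn--` punycode labels (internationalised lookalike domains) and the `trusted.com@evil` trick in a URL, where the part before the `@` is ignored by the browser.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist standing in for your bookmarked sites (assumption for this example).
TRUSTED_DOMAINS = {"example-exchange.com"}

# Character pairs that render almost identically in many fonts. The page's own example is
# capital I versus lowercase L; the digit/letter pairs are a common extension of the same idea.
CONFUSABLE_PAIRS = {frozenset(p) for p in ("Il", "1l", "1I", "0O")}


def normalise(text):
    """NFKC-normalise and casefold, the programmatic version of pasting an address into a
    text editor and changing its capitalisation so that 'I' and 'l' stop looking alike."""
    return unicodedata.normalize("NFKC", text.strip()).casefold()


def _is_confusable(a, b):
    # Same letter in either case counts as equal; otherwise it must be a known lookalike pair.
    return a.lower() == b.lower() or frozenset((a, b)) in CONFUSABLE_PAIRS


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'idn-punycode' or 'unknown' for a host name."""
    d = domain.strip().rstrip(".")
    # Internationalised labels reach us as 'xn--' punycode; treat them as suspicious.
    if any(label.startswith("xn--") for label in d.split(".")):
        return "idn-punycode"
    for t in trusted:
        # Exact match, or a subdomain of a trusted domain (mail.example-exchange.com).
        if normalise(d) == normalise(t) or normalise(d).endswith("." + normalise(t)):
            return "trusted"
    for t in trusted:
        # A lookalike: same trailing length as a trusted domain, aligned on a label boundary,
        # and every differing character is one of the confusable pairs.
        if len(d) > len(t) and d[-len(t) - 1] != ".":
            continue
        tail = d[-len(t):]
        if len(tail) == len(t) and all(_is_confusable(a, b) for a, b in zip(tail, t)):
            return "lookalike"
    return "unknown"


def check_sender(address, trusted=TRUSTED_DOMAINS):
    """Classify the domain part of an email address. A display name such as
    'Support <x@y>' is stripped first so that the real address is what gets checked."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        return "unknown"
    return classify_domain(addr.rsplit("@", 1)[1], trusted)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Classify the host a link really points to, as you would by hovering over it.
    Anything before an '@' in the authority is userinfo, not the host, so
    'https://example-exchange.com@evil.test' really goes to evil.test."""
    netloc = urlsplit(url.strip()).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]  # drop userinfo and port, keep case
    return classify_domain(host, trusted) if host else "unknown"


if __name__ == "__main__":
    # Constructed samples: one genuine sender, one capital-I lookalike, one '@' trick.
    for sample in ("alerts@example-exchange.com",
                   "Support <alerts@exampIe-exchange.com>"):
        print(f"{sample:45} -> {check_sender(sample)}")
    for sample in ("https://Example-Exchange.com/wallet",
                   "https://example-exchange.com@evil.test/login",
                   "https://example-exchange.com.evil.test/login"):
        print(f"{sample:45} -> {check_link(sample)}")
```

Anything that comes back as `lookalike`, `idn-punycode` or `unknown` is a reason to ignore the email and reach the site from your bookmark instead.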
Now, it is important for you to be on the lookout for these kinds of attacks because we’re not out of the woods yet. When it comes to social attacks on your wallets, you as the owner may not be the only target. A common example would be attackers targeting your cell phone carrier in an attempt to gain access to your accounts.
Many financial institutions offer a multi-factor authentication (MFA) method. The most common MFA method is an SMS verification code. This works by typing in your user ID and password online, then receiving an SMS message with a verification code for you to enter on the login page.
If an attacker gains access to your password (which happens far more often than many would think), they then need a way to obtain the verification code that will be sent to your phone. A determined attacker would turn their sights to your cell phone carrier. By calling the customer service desk at your cell phone company, a social engineer may be able to convince them to perform a SIM swap.
A SIM swap is where the carrier moves your phone number to a new phone (one in the attacker’s possession). This is a well-documented form of attack. If it succeeds, the attacker receives any calls and texts meant for you, including verification codes from any website where you have this form of MFA set up. This July, a person in Florida lost upwards of $18,000 from their crypto wallet to a sophisticated SIM-swapping attack.
Since we can’t defend others against phishing attacks the way we can defend ourselves, this poses a serious vulnerability. The mitigation for a socially engineered SIM swap is to use an authenticator application designed for this kind of security. Good examples include Duo Mobile, LastPass, Google Authenticator, and Microsoft Authenticator. These apps generate verification codes on the device itself and have their own login information that you create.
Overall, there are many ways that social engineers can take control of your cryptocurrency accounts. Some of these methods are simple, whilst others are more complex. The prevention methods for both simple and complex attacks generally remain the same or similar. Ensure that any emails, text messages, or phone calls regarding your cryptocurrency services are properly vetted.
Only visit known good URLs and websites that are trustworthy. Be aware that social engineers will go to great lengths to compromise your accounts if they believe the payout is worth it. Experienced malicious actors will spend a significant amount of time learning about you, profiling your digital presence, and finally launching an attack. Stay SAFE out there, Crypto World.
- Cyber Security Ninja at MetaBlaze