Phishing in Cryptomania: How to stay safe

Jake Sylvestre
Jan 13, 2018

Cryptocurrencies are all the hype these days. If you’re not invested yourself, you’ve probably heard most of your friends either warning each other of the extreme volatility or boasting about how much they’ve made. Both the bulls and the bears have great arguments and high-profile supporters. On the pro-cryptocurrency side there is billionaire cybersecurity founder and industry legend John McAfee, who’s offered to commit some pretty indecent deeds (click at your own risk) on national television if Bitcoin fails to hit $500,000 in 3 years. There are also the anti-crypto “chicken littles” such as JPMorgan Chase CEO Jamie Dimon, who has called Bitcoin “a fraud” and has said “It’s just not a real thing” before saying he would “fire in a second” JPMorgan traders caught trading cryptocurrencies because “It’s against our rules and they are stupid”.

What is Phishing?

Note: If you’re already familiar with phishing outside of the crypto space, I’d recommend you skip this section.

No matter where you stand on the craze, odds are you know someone who has some or even a significant amount of money in the cryptocurrency market. What you may not know about is the sheer amount of fraud in these markets (and not the kind that Jamie Dimon was talking about). Instead, I’m referring to phishing. In many ways, phishing in the cryptocurrency markets looks much like it used to. In other ways it looks completely different and more dangerous.

Phishing is when a malicious entity or user disguises themselves as a trustworthy entity in order to obtain sensitive information such as usernames, passwords, and credit card details. You can think of the Nigerian prince scam, but it normally goes something more like this: you get an email from your bank asking you to reset your password. Thinking nothing of it, you click on a link and enter your banking information, and your bank account is compromised.

How does Phishing happen in Cryptocurrency communities?

Phishing happens in a wide variety of ways in the cryptocurrency community. These methods include inducing users to send Telegram DMs containing private information, impersonating support for an exchange or ICO, buying fake domain names, and even buying ads that link to phishing scams. Below are more detailed examples of what’s happening in the real world:

Slack/Telegram Direct Messages:

Many cryptocurrencies and exchanges have embraced Telegram for community channels, support networks, and even pump and dump groups. While Telegram is a great platform for communication, the sheer number of users and lack of administrative oversight, especially into direct messages, can lead to real problems. One of the biggest of these groups, Binance, has over 39,000 members. To deal with the sheer load of users submitting support requests, Binance has introduced an “angel” program. It seems so far that the Binance team has done a decent job vetting these angels, but I’ve still heard stories of them abusing their status to perpetrate phishing scams. You can take a look at the application to become an angel and judge its rigor for yourself here. As you can see, it asks for some information but not nearly enough to properly vet these people.

Unfortunately, not being designated as an “angel” seems to have stopped no one from attempting to perpetrate these scams. Here is one angel who was caught phishing while I was writing this article:

Mitigation:

In this case, the user was quick-witted enough to identify this as a scam, but not everyone was so lucky. During the time that I was in the chat looking at these scams, I saw at least 3 users desperately asking for their money back after being phished. In one particularly concerning case, a user seemed to have been scammed into handing over $300,000 worth of USDT to one of these fake customer support angels.

Of course, there is no way to verify this user’s story, but based on what I’ve seen, hundreds or thousands of people have been the victims of this type of scam. To limit this to Binance’s chat would be unfair. I’ve seen this happen across Bittrex, Bitfinex, and countless other official and unofficial Telegram groups. While this is by no means exclusive to cryptocurrency Telegram groups, given the nature of the transactions, their irreversibility, and the sheer amounts of money involved (over $750 billion market cap as of the writing of this article), crypto seems to be particularly vulnerable.

In addition to being one of the biggest hotbeds for phishing scams, Binance has done a better job than most at mitigating phishing attacks. For instance, a bot frequently posts the following message:

They could certainly be doing more, though. For instance, at sign-in Binance should be warning users to go only through the support@binance.com address. Finally, especially in the case of Binance, they could shut down their Telegram. Having their Telegram linked from their website, no matter how many times they say not to give personal information out, will always give it an air of legitimacy. Obviously, Binance reaps some marketing benefit from the chat (and increased trade volume with rampant induction of Fear, Uncertainty, and Doubt and Fear Of Missing Out), but this might be outweighed by the frequent scam reports by users who were misled by the Telegram’s malicious users.

As I discussed in my last article, organizations need to start taking responsibility for phishing scams that happen on their watch, even if they don’t involve the organization directly.

Advertising Phishing:

Another common type of phishing in the crypto-community is phishing via advertising. Google, Facebook, and Twitter have done a great job of stopping this issue on larger sites over the last few years. The problem is that the sites that serve the crypto community are still new. Some of these domain names, responsible for billions of dollars in volume per day, are only a year or two old. Google is still training its algorithms on which pages are real and which aren’t. Like most other things, it’s been slow to keep up with crypto. For instance, below are some search results I found on Reddit for “MyEtherWallet”, a popular client-side Ethereum wallet.

Mitigation:

As you can see, the first “Sponsored” link here is a phishing scam. On Reddit, I’ve seen reports of people losing tons of money across exchanges through this type of phishing. As usual:

  • Always check the domain name first
  • Be aware of any subtle design/functionality differences
  • If you’re unsure, just don’t click
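
The "check the domain name first" step can be made mechanical. The sketch below is an added example, not code from the article or from any exchange: it judges a link only by its hostname against a personal allowlist and flags the common imitation patterns. The allowlist contents, the sample URLs, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own allowlist of sites they actually use.
TRUSTED = ("myetherwallet.com", "binance.com")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return (verdict, reason) for a link, judged only by its hostname."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("suspicious", "no hostname in URL")
    if parts.username is not None:
        return ("suspicious", "text before '@' is not the site; real host is " + host)
    if not host.isascii() or any(lab.startswith("xn--") for lab in host.split(".")):
        return ("suspicious", "internationalized hostname can imitate Latin letters")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    # Naive second-level label; production code should use the Public Suffix List.
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for good in TRUSTED:
        brand = good.split(".")[0]
        if brand in host:
            return ("lookalike", "contains '%s' but is not %s" % (brand, good))
        if edit_distance(sld, brand) <= 2:  # heuristic; can flag innocent near-names
            return ("lookalike", "'%s' is a near-miss of '%s'" % (sld, brand))
    return ("unknown", "not on the allowlist")

# Constructed sample links (reserved .example names), not observed phishing URLs.
SAMPLES = ["https://www.myetherwallet.com/",
           "https://myetherwallet.com.wallet-login.example/",
           "https://myetherwalet.example/unlock",
           "https://binance.com@login.example/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_url(u))
```

Anything other than "trusted" means the link should not be followed from an ad or a message; type the known address or use a bookmark instead.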

MyEtherWallet has done a great job educating consumers on the dangers associated with phishing scams on their home page. Here’s a screenshot of one of their slides educating users:

Other sites, such as Coinbase, Binance (which displays a more rudimentary, but still present, warning), and Bittrex could definitely go a lot further to educate users. MyEtherWallet is setting the industry example here, and I would hope other sites would follow.

ICO/Airdrop Social Engineering:

Mitigation:

You can use the tips above on mitigating advertising-based phishing to prevent yourself from falling victim to this type of scam. Unfortunately, there’s not a ton ICOs can do here beyond carefully warning users and being proactive when they discover threats from members of their community. Finally, make sure you understand what an airdrop is before entering any information.

Takeaways

There are, of course, other methods of phishing that are very common in crypto. Email phishing, for instance, is extremely common in the cryptocurrency space. I decided to keep this article’s scope to scams much more common in the crypto-verse than in wild phishing attacks. At PhishTrain we’ve noticed a dramatic uptick in these attacks targeting investors and taking hundreds of thousands of dollars, and we hope this article will help serve as a guide on protecting yourself and, in the case of exchanges and ICOs, your investors.

Originally published at https://www.linkedin.com on January 13, 2018.
