MetaCert’s 2019 open letter to crypto companies💌
In this post I share with you a simple but effective social engineering tactic used to gain entry to an exchange or wallet company, leading to a phishing attack across an entire community of unsuspecting traders and investors. I’ve also included some tips to help exchanges and wallets avoid this type of attack.
90% of data breaches start with phishing. So every time we read about a “hack” on an exchange or wallet, it’s likely that an employee fell for a phishing scam.
If crypto exchanges and wallets follow the advice contained in this article, fewer companies will be compromised and fewer investors and traders will lose crypto via phishing scams. Fewer cybersecurity issues in general will lead to more crypto in circulation, and fewer people leaving crypto thinking it’s all a scam. And I think everyone can agree that keeping crypto in the hands of its rightful owners can only be good for the entire ecosystem.
At MetaCert we work with a huge number of crypto companies around the world. We eradicated phishing on Slack in 2017, and in 2018 our security bot for Telegram was installed by over 1,000 crypto companies, currently protecting over 1 million community members. We have partnerships with numerous hardware wallets and exchanges for anti-phishing and anti-fraud. If you’re in crypto, you’re probably protected by MetaCert somewhere in the stack.
With so many people relying on our products all over the world, we’ve come to have a very strong global perspective on cybersecurity in the crypto ecosystem. If you have ever installed one of our tools, please leave a comment and let us, and everyone else, know how you benefited. I understand if only a few people leave comments here, as my Medium posts seem to attract comments via email, Twitter, Telegram and everything else aside from Medium. ✌️
Crypto wallets and exchanges need to look internally
While many crypto companies install tools to help protect their communities from phishing scams, many forget about their own management team and employees becoming the main attack vector. People are the weakest link in the chain — not their computers, storage facilities or network.
Meet our actors
😇 Adrian works for a crypto exchange called “BitGenius.” He is responsible for DevOps. Like most people, Adrian uses products and services from companies such as Apple, Facebook, Amazon, Twitter, GitHub, Gmail, Mailchimp, Medium… you get the picture.
😈 Vlad is a bad actor. He’s pretty good at “social engineering” — a technique used to persuade otherwise smart people into disclosing important personal information.
Update (January 4th, 11:45am PST): Since writing this article, I noticed that Cisco has published its predictions for 2019 here, in which it says:
Targeted Spear Phishing
Attackers are aware that the more information they obtain from the user, the better they can build a phishing attempt against the user. In the coming year…
Spear phishing is likely to rise to an all-time high. These are creepy tactics too, like lurking in your emails, even your private ones.
Here’s what happens…
Vlad searches for his target. He uses LinkedIn to research employees that work at BitGenius. He favors Adrian as a target because he’s pretty active on social media where he talks about iPhone apps and how much he dislikes Microsoft — so he’s likely to be an Apple fanboy. This is good news because Vlad likes to use Apple phishing scams, and more importantly, he knows Adrian works in DevOps, so he probably has access to important systems at work.
Vlad creates a fake Apple Business website and a phishing email. He sends the email to Adrian. It looks legit. See below — this is actually a real phishing email.
Adrian is pretty vigilant about crypto related emails. But this is from Apple — so he opens the Learn more link and proceeds to sign into his Apple account. Or, what he thinks is his account.
When Adrian enters his information, the website throws him an error message — so he isn’t alerted to a possible attack.
On the other hand, Vlad now has Adrian’s username and password — for his Apple account. Phew, thankfully it wasn’t a password to important work systems or the company Mailchimp account. 😓
Uh oh, wait…
Vlad knows that there’s a strong chance Adrian uses the same credentials for multiple apps and systems. Most people use the same password because it’s inconvenient to create a unique password for over 100 websites and services.
Vlad proceeds to attempt to log into multiple products and services. And BOOM! His hunch was right. Adrian uses the same email address and password for Mailchimp AND important server access.
Vlad creates a copycat version of the BitGenius website — it looks identical and it only took a few minutes. The only difference between this and the real BitGenius website is that Vlad’s malicious version requires a private key from users to log in. Major phishing scam is now on standby.
Vlad signs into the BitGenius Mailchimp account — creates a new campaign and sends it to the company’s entire database of customers. Thanks to the company website Vlad knows who the right community manager or marketing person is. So he sends an amazing time sensitive offer to everyone from Janice — Head of Marketing.
BitGenius has over 150,000 customers, and with a special offer like this, it’s impossible for everyone to resist the temptation. So, they open the call to action link. But they’re not signing into BitGenius, they’re signing into the copycat phishing site. It’s a brand new scam, so it goes undetected by every security solution, except for Cryptonite. 225 people sign into the scam site, providing the private key to their wallet. 😲
Cryptonite users were protected from this specific attack because the shield on their browser toolbar remained black — it didn’t turn green as it would have for the legitimate BitGenius site.
But this post isn’t about traders and investors, and Cryptonite — it’s about crypto exchanges and wallets — I digress.
Vlad is ready and waiting. As soon as he receives the login credentials and private keys to 225 wallets, he empties every one of them. Some of their owners have put every penny of their savings into those wallets. So this means fewer kids going to college next year and possibly one or two divorces due to financial difficulties amongst the victims.
Crypto media outlets publish stories about BitGenius being “hacked.” The headline is wrong because the company wasn’t hacked and their platform isn’t weak. But that doesn’t matter — the damage has already been done.
This is a PR disaster for BitGenius, because now investors and traders lose trust in the company and its technology. Some of them leave altogether and never return. The fact is, the company and the technology are fine. Even if Vlad did more internal damage it still wouldn’t be accurate to call it a “hack” — hacking and phishing/social engineering are completely different.
- Hack = weak computer systems (software / hardware problem)
- Phishing/social engineering = weak processes and procedures (people problem)
Adrian’s single action led to an attack on 150k people. And this is something that could easily have been avoided.
How crypto wallets and exchanges can avoid this type of attack and avoid a PR nightmare
- Use a password manager such as 1Password. By using 1Password Adrian would have had unique passwords for everything, including Mailchimp. So, having his Apple credentials stolen wouldn’t have led to the attack. Vlad would have hit a roadblock — and he wouldn’t have been able to sign into Mailchimp or anything else. It’s likely he would have tried other employees before giving up and targeting another company.
- Installing Cryptonite would not have helped Adrian during this attack because the shield only turns green for crypto sites. BUT, this is going to change in the coming weeks — Cryptonite will turn green for financial, storage and other mainstream sites to protect everyone from phishing attacks. (Cryptonite would have protected everyone who received the phishing scam from Vlad however.) In a recent survey completed by more than 5,000 users, only 5% of Cryptonite users work for a crypto company — I’d like to see this number go up.
- Don’t use a phone number as a backup or recovery method for anything.
- Enable 2FA for everything — by using an app such as 1Password for 2FA you make it much more time consuming and difficult for people like Vlad to do damage. 2FA would have made it more difficult to gain access to Mailchimp.
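To make the credential-reuse chain above (Vlad trying Adrian’s phished Apple password against Mailchimp and the servers) and the first and last mitigations on this list concrete from the defender’s side, here is an added Python simulation. It is example code written for this post, not MetaCert’s code and not anything BitGenius runs; the account names, the three services and the PBKDF2/TOTP settings are constructed assumptions. It builds Adrian’s accounts under each hygiene choice and reports which ones the stolen Apple password alone opens: with one shared password and no 2FA it opens all three; with unique per-service passwords it opens only Apple; with TOTP on Mailchimp the password alone is not enough even when it is reused. The HOTP/TOTP routines follow RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import List, Optional, Tuple

# Constructed scenario from the post: Adrian's Apple password is phished, and the
# question is which of his other accounts that one password also opens.
SERVICES = ["apple", "mailchimp", "server"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Random per-service password, the kind a password manager would generate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the simulated services never store the plaintext password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP over the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class Service:
    """A minimal account: salted password hash plus an optional TOTP secret (2FA)."""

    def __init__(self, name: str, password: str, totp_secret: Optional[bytes] = None):
        self.name = name
        self.salt, self.digest = hash_password(password)
        self.totp_secret = totp_secret

    def login(self, password: str, code: Optional[str] = None,
              at: Optional[float] = None) -> bool:
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            return False
        if self.totp_secret is None:
            return True  # password-only account
        return code is not None and verify_totp(self.totp_secret, code, at)


def simulate_breach(reuse_password: bool, mailchimp_2fa: bool) -> List[str]:
    """Build Adrian's accounts under the given hygiene and return the names of the
    accounts the phished Apple password alone opens (no TOTP code: Vlad has none)."""
    if reuse_password:
        shared = generate_password()
        vault = {s: shared for s in SERVICES}  # one password everywhere
    else:
        vault = {s: generate_password() for s in SERVICES}  # unique per service
    mailchimp_secret = secrets.token_bytes(20) if mailchimp_2fa else None
    accounts = [
        Service("apple", vault["apple"]),
        Service("mailchimp", vault["mailchimp"], mailchimp_secret),
        Service("server", vault["server"]),
    ]
    stolen_apple_password = vault["apple"]
    return [a.name for a in accounts if a.login(stolen_apple_password)]


if __name__ == "__main__":
    print("reused password, no 2FA :", simulate_breach(True, False))
    print("reused password, 2FA    :", simulate_breach(True, True))
    print("unique passwords        :", simulate_breach(False, False))
```

Two design points worth noting: the TOTP verifier compares codes with `hmac.compare_digest` rather than `==`, and it accepts one time step on either side of the current one, which is the usual trade-off between tolerating phone clock drift and keeping the window an attacker could guess into small. Running the script prints the three outcomes; in a real deployment the useful artefact is the list of accounts that share a password, which is exactly what a password manager’s audit view surfaces.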
It’s impossible to be 100% safe from a cyber attack. It’s easier to attack than it is to defend. The goal is to make it time consuming and therefore more expensive for people like Vlad to attack you. Vlad will quickly turn his attention to a company with less protection.
Other areas of concern
There are many more attack vectors and many tools and techniques to combat them. I wanted to share a simple attack vector and a simple fix to address it, because it’s likely to be the most widely used attack vector on crypto companies.
I personally advise a number of crypto companies. My first request is to use 1Password for everything. The founding CEO of an exchange had his laptop stolen from a bag at a crypto conference in LA last year. He and I were both listed as speakers, so the bad actor likely targeted him specifically. But because he followed my advice the previous week, and moved everything to 1Password, he wasn’t one bit concerned — he was actually very relieved by the fact he had a unique password for absolutely everything and not just unique, but very long, random, complicated passwords.
👉 If you like this post please show me and the MetaCert team how much by clapping — it’s a weird but wonderful way to show your appreciation. And don’t just clap once 🙏🤪
👉 You can also engage with our team and our community members on Telegram at t.me/metacert