One of the greatest information security threats today comes in the form of social engineering, which is also called phishing. Generally, phishing (or social engineering) is an event in which a hacker who is pretending to be a trustworthy individual or business tricks someone into opening an email, text message, attachment, or link that contains malware. While technological advancements have served to all but eliminate certain hacks, phishing attacks continue to thrive.
To run a phishing attack, a hacker uses techniques that fall under the umbrella of social engineering, which boil down to developing a rapport with an internet user to gain their trust and get them to turn over valuable information about themselves and/or their financial accounts. Generally, the ultimate goal is to make the victim as much personal information as possible so that they can all but completely screw them over.
That’s the end game and today, scammers, criminals, and all sorts of similar parties are becoming more highly skilled at it by the day.
Social Engineering and the Cryptocurrency Space
Today, most social engineering attacks occur at a relatively large-scale, especially with regards to cryptocurrencies. Overall, they tend to be simple in their structure, but devastating in the eventual damage they cause.
From January to July 2020 alone, crypto users reportedly lost $24 million to such scams, across just about every possible social media platform.
Consider Youtube, for example.
This June, a single social engineering attack netted $2 million using Elon Musk as a false spokesperson. If you’re wondering how, just picture a video of Musk discussing Bitcoin with a caption below it asking viewers to send Bitcoin to a wallet address in exchange for double their initial deposit in return. As an added trick, the attackers even personalized the wallet addresses involved to include “Musk” and “ELonMUsk.”
After another similar attack that used an old video of Michael Dell, one victim alleged that she and others believed the video was live, which is why they sent Bitcoin to the attackers’ wallet address. Of course, as in all similar cases, those affected received nothing in return, which has been the case throughout the history of these attacks. Today, Youtube-based scams with the same exact structure continue to occur and to make matters worse, Youtube’s not the only place that social engineering scammers have infiltrated in this manner.
Twitter’s been penetrated as well, most recently in July, when numerous verified accounts including United States presidential candidate Joe Biden’s, former US president Barack Obama’s, and Elon Musk’s, began to ask for people to send Bitcoin to a specific wallet address in exchange for double the amount back. In doing so, they also exploited people’s need for money during the chaos of Covid-19.
In the image below, you can see an example of one of the posts involved, specifically from Barack Obama’s account.
All in all, with the above in mind, it’s easy to see how these hacks work.
Basically, the hackers involved understand that famous people do give away money on Twitter, with some doing so frequently. Furthermore, when they do, they often make it a sort of contest and put a time limit on entries.
Therefore, despite the fact that such a hack would seem to be easy to poke holes into, it was fairly successful, garnering over $120,000 in a matter of minutes. While no major Twitter attacks of a similar nature seem to have occurred since then, it would be reasonable to suppose that it’s only a matter of time before another one comes to light.
On top of Youtube and Twitter-based scams, email-based phishing attacks continue to thrive, with perhaps the most popular example involving a hacker impersonating an employee of a service that the email account’s user is a member of. Under the guise of being someone like a trustworthy customer support agent, they begin to ask for any personal information they can get including usernames, passwords, and in the case of cryptocurrency-focused efforts, private keys. If you’re already familiar with the concept of a private key, then you know it’s like the password to your bank account. So, when someone else gets it, they then have access to your crypto in the wallet involved.
To date, email-based cryptocurrency scams have evolved into fake warnings that your information has been exposed in a data leak or even false blackmail claims that pretend to have sensitive information about you. In all cases, however, the goal is the same. The attackers involved want you to either answer as many questions about your identity as possible or click on a link that gives them remote access to your computer, or both.
Another and possibly even more dangerous phishing attack is the simplest of all of the above. Imagine that a group of hackers create an almost perfect replica of a well-known cryptocurrency website with only a few minor differences, usually in the site’s URL. With that replica, they siphon-off information from everyone who clicks on the link, usually through remote-access malware. In other words, once you click on the link involved, your computer’s no longer yours. This is called a “spoofing attack” and in one particular case, hackers were able to spoof several cryptocurrency exchanges to the tune of $17 million. Like Youtube and Twitter-based attacks, the success of a “spoofed website” often depends on how many users it can get to send their crypto to a malicious wallet.
Numerous other examples exist in which platforms have been penetrated by crypto-focused hackers. Despite all of this, however, through following the practices outlined below, you’ll be ready for any sort of phishing attack that you come across.
How to Be Ready for Any Sort of Phishing Attack
Generally, there are four rules to follow to help you armor yourself against all sorts of social-engineering(phishing scams):
- Never give away your username. We, at NBX, will never ask for that, and neither would any other sort of serious vendor or service provider across all sorts of contexts.
- Your password is yours and yours alone. Keep it a secret from everyone, with no exceptions. That means that literally no one should have access to it because anyone else with knowledge of your password is a potential leak for a social engineering scammer to exploit. As previously stated, the same goes for the private key to your cryptocurrency wallet!
- Consider two-factor authentication(2FA) as your extra layer of defense. Anytime you are given the chance to use 2FA, do so. At NBX, we require 2FA for all user accounts and it’s as easy to set-up as a few clicks.
- In the case of a spoofed website, you can usually tell the difference between it and the original by looking at its URL and comparing it to, for example, that which the real firm has posted on their blog. Trezor and many other crypto firms do an excellent job of making sure that their users always have access to accurate links to their sites through such means. To prevent a spoofing attack, you should also keep in mind that if the little lock symbol with the https certificate information is missing from a website, you should treat that as a serious red flag. This is because that certificate clarifies that all of the data which is sent to the site in question is being kept as private as possible. In our case, if you always remember: https://nbx.com and always look for the lock symbol next to the URL, then you’ll always be in the right place. Even so, none of this is effective alone without a critical eye. Sometimes the difference between a spoofed website and a real one is as small as one period in the wrong place.
5. Last but not least, another way to get access to your secrets and accounts is by tricking you into installing some sort of remote access software. What that means is that once you install software that a hacker gives you, under the guise of a trustworthy agent, they can access your computer without being physically close to you and do all sorts of harm to you. Consequently, it’s important to remember that any software with remote access permissions should be avoided.
Where we come in: our commitment to education
Stick with us and you’ll always be on the forefront of crypto-security best practices. This includes access to a consistently evolving library of content on the subject of securing yourself against scams, as well as just about any other industry topic you can think of. On top of this, we’re always open to your ideas. If you think a topic should be covered and it isn’t, reach out to us any time here, on Twitter, or at firstname.lastname@example.org.
In our next post in this series, we’ll dive into our specific security practices which, together with our commitment to education, encompasses our two-pronged approach to providing you with the best-in class security at all times. Before that, however, you can look forward to an update on the case for Bitcoin as a safe haven, which has been rapidly developing over the past few weeks.