This is how investors protect their e-wallets
The crypto gold rush has lost none of its shine despite the course roller coaster. This not only attracts new investors, but also cyber criminals. An overview of the biggest security risks.
With the ups and downs of the crypto currencies, one trend remains constant: New investors are pouring into the crypto exchanges. Many are investing in a digital currency for the first time – and are not aware of the associated security risks.
In the darknet and in relevant forums, methods are repeatedly discussed to get hold of the digital coins. Here are the four most common attack vectors used by hackers, along with tips and recommendations on how to protect e-wallets.
Contents
Eavesdropping: reverse proxy phishing
Phishing is the Scam to intercept sensitive information and crack accounts. It is no different with crypto wallets. However, a special shape is used here. Reverse proxy phishing is a type of domain spoofing man-in-the-middle attack. Similar to eavesdropping in a spy film, attackers secretly eavesdrop on the traffic between two unsuspecting parties.
This method is popular because it allows cyber criminals to outsmart two-factor authentication (2FA). The authentication process is particularly effective in preventing third parties from hacking into someone else’s wallet using leaked or stolen login data. Reverse proxy phishing therefore takes a little detour. A phishing e-mail lures the owner of an e-wallet to a wrong page that looks very similar to the original page. The problem: the fake domain is hosted on a malicious reverse proxy server. This switches itself between the server of the victim and the server of the legitimate login page. Hence the name “Man in the Middle” (MitM). Once positioned, the reverse proxy server can observe the entire data traffic.
(Graphic: Digital Shadows)
Next, it gets the legitimate login page and loads a copy for the victim. Stolen SSL certificates ensure that the victim’s browser does not become suspicious. Unsuspecting, the owner logs into his e-wallet – as required by 2FA with both credentials. The malicious server gratefully accepts it, logs on to the legitimate login page and empties the e-wallet.
Once in between, the reverse proxy server is not so easy to shake off. 2FA with a security key (hardware token) can usually ward off such attacks. However, such tokens are rarely used.
The best defense against phishing: don’t click on suspicious emails and links! Even if you want it to be quick, it is worth taking a second look at the website and URL. Scammers are terrifyingly good at recreating legitimate sites. It is best to navigate to your e-wallet directly via the provider’s homepage – and never via e-mails or third-party websites.
Cryptojacking: Hijacked computing power
With cryptojacking, attackers target the processing power of a computer. The CPU is hijacked and used by botnets to mine cryptocurrency. The computers become infected via malicious links and turn into externally controlled zombies. The mining malware runs in the background and is sometimes not noticed for years – not even by antivirus software.
Web-based cryptojacking uses scripts that run on a website or domain. If you land on the infected host while surfing the web, mining takes place via the browser. In 2017, a Starbucks branch Wi-Fi network was hacked. Guests who went online via the free WiFi also mined cryptocurrencies on the side.
If you don’t lose money, is third-party mining a problem at all? Yes, because sooner or later the CPU performance of the computer deteriorates. The service life of the hardware components is also reduced.
There are signs of hidden mining. If the CPU usage of your computer increases rapidly, if it is louder than usual or if it starts extremely slowly, this may be due to cryptojacking. Browser plugins such as Adblock and Minerblock can protect against web-based cryptojacking. Otherwise, the same applies here: Stay away from suspicious-looking emails and be careful when using public WLAN.
Clipping: redirecting transactions
Clipping takes place from one e-wallet to another during the transaction. A backdoor Trojan is used to smuggle in a special type of malware, the cryptocurrency clipper, which is hidden in popular apps (such as a PDF reader), in mobile phone games and, more recently, in Covid-19 trackers.
As with bank transfers, a recipient or the wallet address must be specified in the form of a code for cryptocurrencies. When entering the data, many users use the copy & paste function for the sake of simplicity. Who wants to memorize rows of numbers for a long time and type them in by hand? This is what the clipper has been waiting for. He fetches the e-wallet address from the clipboard and replaces it with the attacker’s wallet address. When inserting it into the transfer form, the exchange is barely noticeable and the Bitcoin end up unhindered in the wrong hands.
Clipping attacks can be defused quite easily by double checking whether the copied wallet address corresponds to the pasted address during the transfer. If the address is available as a QR code, there is even no need to copy and paste. If you want to be on the safe side with large sums, you can initially only transfer a small amount and check whether the coins have arrived safely. Apps for smartphones repeatedly require access to the clipboard. Very few people justify this access request. Therefore, when downloading apps, go to the official app stores and critically question the user ratings there.
Dusting: Laying the scent and following
Dusting cryptocurrencies is a bit more complex. The crypto wallet is deanonymized. Tiny amounts of crypto dust are sent to a wallet to be tagged. Attackers can follow this trail, observe transactions and analyze the addresses on the blockchain. In the analog world, it would be like putting a tracker on a bill and then smuggling it into someone’s wallet. As soon as you pay with the marked bank note, you can find out your identity and e-wallet.
(Screenshot: Digital Shadows)
Successful dusting is often just the starting point for sophisticated spear phishing campaigns. Attackers can pretend to be real investors to trading platforms and crypto exchanges and request a new transfer of allegedly not received Bitcoin. Equipped with a wallet address and transaction number, the chances of success are significantly higher to get away with it.
The best way to prevent dusting attacks is to generate a new wallet address for each transaction. Some wallets also allow you to parse funds or mark smaller, suspicious deposits and block them for transactions. Or to stick with the comparison above: You avoid paying with banknotes that suddenly appear in your wallet. If the “dust” is not moved, it cannot be tracked. In general, investors should watch transactions closely. Wallet apps help to keep an overview and report even the smallest amounts.
Man-in-the-middle, hijacking, clipping and dusting – none of the techniques is really new. They were simply aimed at a new target. The more cryptocurrency becomes mainstream, the more lucrative attacks on digital wallets and cryptomining become. Investors have no choice but to keep up to date with current scams and attack techniques. Staying vigilant can be exhausting, but it’s still the safest way to go.
Rick Holland has worked as a threat intelligence analyst for over 15 years, including at Forrester Research and in the US Army. He is currently CISO & VP Strategy of Digital Shadows and Co-Chair of the SANS Cyber ​​Threat Intelligence Summit.
