Tuesday, July 17th 2018

Kaspersky Labs Warns Against Cryptocurrency Social Engineering Schemes

The cryptocurrency phenomenon and the growth of a keen audience of cryptocurrency owners was never going to go unnoticed by cyber-criminals. To achieve their nefarious goals they typically use classical phishing techniques, however these often go beyond the 'ordinary' scenarios we have become familiar with. By drawing inspiration from ICO (initial coin offering) investments and the free distribution of crypto coins, cyber criminals have been able to profit from both avid cryptocurrency owners and rookies alike.

Some of the most popular targets are ICO investors, who seek to invest their money in start-ups in the hope of gaining a profit in the future. For this group of people, cyber-criminals create fake web pages that simulate the sites of official ICO projects, or try to gain access to their contacts so they can send a phishing email with the number of an e-wallet for investors to send their cryptocurrency to. The most successful attacks use well-known ICO projects. For example, by exploiting the Switcheo ICO using a proposal for the free distribution of coins, criminals stole more than $25,000 worth of cryptocurrency after spreading the link through a fake Twitter account.
Another example is the creation of phishing sites for the OmaseGo ICO project, which enabled scammers to earn more than $1.1m worth of the cryptocurrency. Of equally great interest among criminals were rumors surrounding the Telegram ICO, which resulted in the creation of hundreds of fake sites that were collecting "investments".

Another sought-after trend involves cryptocurrency giveaway scams. The method of choice involves requesting that victims send a small amount of cryptocurrency, in exchange for a much larger payout of the same currency in the future. Criminals have even used the social media accounts of well-known individuals, such as business magnate Elon Musk and the founder of Telegram messenger Pavel Durov. By creating fake accounts or replying to tweets from legitimate users through fake accounts, criminals are able to confuse Twitter users into falling for the scam by clicking on replies from fraudulent accounts.

According to Kaspersky Lab's rather rough estimates, criminals managed to earn more than 21,000 ETH (The Ether cryptocurrency, which uses blockchain generated by the Ethereum platform) or over $10m at the current exchange rate using the above described schemes over the past year. This sum doesn't even take into account classic phishing attacks or examples involving the generation of individual addresses for each victim.
"The results of our research show that cyber-criminals are adept at keeping up to date and developing their resources to achieve the best possible results in cryptocurrency phishing. These new fraud schemes are based on simple social engineering methods, but stand out from common phishing attacks because they help criminals make millions of dollars. The success criminals have enjoyed suggests that they know how to exploit the human factor, which has always been one of the weakest links in cybersecurity, to capitalize on user behaviors."

Nadezhda Demidova, Lead web content analyst, Kaspersky Lab.
To protect their cryptocurrencies, Kaspersky Lab researchers advise users to follow a few simple rules:
  • Remember that there is no such thing as a free lunch and treat offers that seem too tempting to be true with skepticism.
  • Check official sources for information regarding the free distribution of cryptocurrencies. For example, if you see information about the distribution of coins on behalf of the recently hacked Binance blockchain ecosystem, go to the official source and clarify this information.
  • Check if any third-parties are linked to the wallet transaction to which you plan to transfer your savings. One way of doing this is through block chain browsers such as etherscan.io or blockchain.info, which allow users to view detailed information about any cryptocurrency transaction and identify if the particular wallet may be dangerous.
  • Always check the hyperlink addresses and data in the browser address bar. It should be, for example, "blockchain.info', not "blackchaen.info".
  • Save the address of your e-wallet in a tab and access it from there - in order to avoid making a mistake in the address bar and accidentally going to the phishing site instead.
Source: Kasperksy Labs
Add your own comment

13 Comments on Kaspersky Labs Warns Against Cryptocurrency Social Engineering Schemes

#1
Vya Domus
Cryptocurrencies can't be defended well against abuse and fraud and I would go as far as to say that this is by design. Everytime someone makes money out of thin air a question mark needs to pop up in your head.
Posted on Reply
#2
R-T-B
Vya Domus
Cryptocurrencies can't be defended well against abuse and fraud and I would go as far as to say that this is by design.
Similar to cash transactions yeah. Most hard cash suffers from the same type of social engineering attacks, frankly. It's not a technical issue as much as a human education one.
Posted on Reply
#3
Vya Domus
R-T-B
Similar to cash transactions yeah. Most hard cash suffers from the same type of social engineering attacks, frankly. It's not a technical issue as much as a human education one.
I have to disagree , with crypto if you get scammed or your money is outright stolen you are undoubtedly screwed with no chance to get anything back from anyone , there is nothing in the way of safety. You can educate people all you want but you need tools to protect them and that has everything to do with technical aspects.
Posted on Reply
#4
R-T-B
Vya Domus
I have to disagree , with crypto if you get scammed or your money is outright stolen you are undoubtedly screwed with no chance to get anything back from anyone , there is nothing in the way of safety.
I mean, both are equally reportable to the police, with about equal odds of recovery... nill.
Vya Domus
You can educate people all you want but you need tools to protect them and that has everything to do with technical aspects.
What tools can protect you from social engineering scams? There aren't any. There is ONLY education.
Posted on Reply
#5
Vya Domus
R-T-B
with about equal odds of recovery... nill.
Not true , people are busted for scams all the time , you can say most get away with it and that would be fair but certainly not all as you imply. One thing is certain though , the chance to get anything back with crypto is definitely null.
Posted on Reply
#6
enxo218
if cryptocurrency were standardised security measures can be applied, perhaps an owner unique identifier could be attached to the currency this could limit fraudulent behaviour and thievery. The issue will always be the open market and free money, at this point dealing with the symptoms of the disease will not cure it
Posted on Reply
#8
dorsetknob
"YOUR RMA REQUEST IS CON-REFUSED"
moproblems99
A fool and his (or her) money....
A Fool has no Money ( they have been parted from it)
Posted on Reply
#9
R-T-B
Vya Domus
Not true , people are busted for scams all the time , you can say most get away with it and that would be fair but certainly not all as you imply. One thing is certain though , the chance to get anything back with crypto is definitely null.
Nope, not null. Some people (mostly big players) did get payouts from Mt. Gox, afterall. And Mt. Gox was certainly busted. Similar stories in crypto scams exist, infrequently like cash but they are there.

I stand by my statement. You have a chance of recovery in both. It is simply piss poor, and for the exact same reasons.
Posted on Reply
#10
2big2fail
R-T-B
What tools can protect you from social engineering scams? There aren't any. There is ONLY education.
That is explicitly not true. Whenever you engage in transactions with fiat currency, the parties to the transaction are subject to the commerce regulations of the country's currency. Therefore, both civil and criminal recourse exist for the aggrieved party in addition to any enforcement derived from a judgement on behalf of the aggrieved party.
Posted on Reply
#11
R-T-B
2big2fail
That is explicitly not true. Whenever you engage in transactions with fiat currency, the parties to the transaction are subject to the commerce regulations of the country's currency. Therefore, both civil and criminal recourse exist for the aggrieved party in addition to any enforcement derived from a judgement on behalf of the aggrieved party.
Stealing crypto is still criminal. It's usually covered under digital commerce laws. Crypto thefts have been investigated and are reported regularly. Heck, it's happened enough that some has even been historically recovered.

Regardless, you are ignoring the point. The point is that only education acts as a preventative measure. Recourse has nothing to do with it. Prevention implies it never happened to begin with. Only education can get you there, for both cash and crypto.
Posted on Reply
#12
toilet pepper
Vya Domus
I have to disagree , with crypto if you get scammed or your money is outright stolen you are undoubtedly screwed with no chance to get anything back from anyone , there is nothing in the way of safety. You can educate people all you want but you need tools to protect them and that has everything to do with technical aspects.
I remember a Nigerian prince requesting that you send him money via western union or moneygram.
Posted on Reply
#13
Rakly3
That's a lot better than fiat fraud. About 1000 safer (I pulled that number out of my ass)
Barely a blip in comparison.
Posted on Reply
Add your own comment