Stay Vigilant, Stay Safe: Security Threats in Crypto Worth Keeping in Mind
At this very moment, there are roving blackhats who would love nothing more than to separate you from your crypto. Unfortunately, these rogues have no shortage of attack vectors to try their hands at. Here’s a list of vectors that have already proven their bite in the cryptoverse. Know them, and calibrate your online activities defensively in kind.
Hopefully it’s savviness when it comes to protecting your digital assets. Otherwise, you may become only the latest victim of the cryptoverse’s increasingly ambitious pirates.
The path to best practices starts with awareness, of course. So, for the newer or the more uninitiated in the space, let’s walk through some of the biggest threats to be abreast of, stat.
Command and Control Attacks
There are numerous advanced persistent threats (APTs) that can be and have been used to steal crypto, with command and control attacks not the least among them.
C&C attacks involve hackers sneaking malicious executable files into victims’ computers in order to scrape things like passwords, logins, IP addresses, and more. Such data can then be used to compromise exchange accounts, for example.
This vector is commonly delivered through spear phishing campaigns.
Insidiously simple and effective, keylogging, also known as keystroke capturing, involves the deployment of malware or even hardware that tracks all the keystrokes entered into a given device.
Again, the idea is to collect passwords and credentials that can lead to wallet compromises, e.g. Keystore file passwords that some use to secure assets on MyEtherWallet and MyCrypto.
Similarly, but through different means, screen scraper software can be used to extract the pixels displayed on the screens of victims’ devices.
If there’s sensitive data up when a screen is scraped, that’s the attackers’ way in.
As BlockSafe CEO George Waller told Bitsonline back in July, the majority of APT attacks use a “malware cocktail” of coordinated screen scrapers, keyloggers, and C&C attacks.
A spate of SIM swaps have hit the space in 2018 — the attack vector involves malicious agents altering victims’ passwords to compromise phone numbers and emails that are used to access crypto exchange accounts.
The threat started to seriously gain attention in the space after a flurry of high-profile SIM swaps at some of this year’s earlier cryptocurrency conferences made the topic unavoidable.
In a related note, crypto entrepreneur Michael Terpin hit AT&T with a $224 million lawsuit in August, arguing that the telecom titan didn’t do enough to prevent his own expensive victimization at the hands of a SIM swapper.
The most high-profile example of a DNS hijack to date in the ecosystem came in April 2018 when popular Ethereum wallet provider MyEtherWallet was the victim of a regional DNS hijack attack.
In other words, victims thought they were using MEW, when they were actually temporarily using the attacker’s fake MEW.
Specifically, this threat involves hackers redirecting a domain’s DNS resolution to a malicious server so they can intercept as many private keys as possible.
Be sure to always check a URL’s SSL certificate, as MEW now reminds its users as seen below.
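As an added example that is not part of the article, the script below implements the two defender-side checks this section implies: comparing DNS answers across several resolvers, and checking the certificate a site presents against a pinned issuer and the expected hostname. All host names, IP addresses and certificate contents are constructed sample data.

```python
"""Added example: DNS hijack detection helpers (constructed data, not the article's code)."""
import socket
import ssl
from typing import Dict, List, Set

def resolver_disagreement(answers: Dict[str, Set[str]]) -> Set[str]:
    """Given {resolver: set of A records}, return the IPs that not every
    resolver agrees on. A non-empty result is a hijack signal worth investigating."""
    all_ips = set().union(*answers.values())
    common = set.intersection(*answers.values())
    return all_ips - common

def san_matches(hostname: str, san_names: List[str]) -> bool:
    """Match hostname against dNSName SAN entries (exact, or a single leftmost wildcard)."""
    host_labels = hostname.lower().split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels or (labels[0] == "*" and labels[1:] == host_labels[1:]):
            return True
    return False

def cert_is_suspicious(peercert: dict, hostname: str, pinned_issuer_cn: str) -> List[str]:
    """Return reasons to distrust a leaf certificate given in the dict shape
    that ssl.SSLSocket.getpeercert() returns. An empty list means no finding."""
    reasons = []
    issuer = dict(rdn[0] for rdn in peercert.get("issuer", ()))
    subject = dict(rdn[0] for rdn in peercert.get("subject", ()))
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not san_matches(hostname, sans):
        reasons.append("hostname not in SAN")
    if issuer == subject:
        reasons.append("self-signed")
    if issuer.get("commonName") != pinned_issuer_cn:
        reasons.append("issuer differs from pinned CA")
    return reasons

def fetch_peercert(hostname: str, port: int = 443) -> dict:
    """Live variant (not exercised offline): the default context already rejects
    untrusted or mismatched certificates, and that failure is itself the signal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample: two public resolvers agree, a third returns a different address.
SAMPLE_ANSWERS = {"res-a": {"203.0.113.10"}, "res-b": {"203.0.113.10"}, "res-c": {"198.51.100.7"}}
SAMPLE_GOOD_CERT = {"subject": ((("commonName", "wallet.example"),),),
                    "issuer": ((("commonName", "Example CA"),),),
                    "subjectAltName": (("DNS", "wallet.example"), ("DNS", "*.wallet.example"))}
SAMPLE_BAD_CERT = {"subject": ((("commonName", "wallet.example"),),),
                   "issuer": ((("commonName", "wallet.example"),),),
                   "subjectAltName": (("DNS", "wallet.example"),)}
```

The live helper is included for completeness; the offline checks are what a monitoring job would run against answers and certificates it has already collected.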
Rogue And/Or Targeted Employees
A potential textbook example of a rogue employee wreaking havoc in crypto came back in April of this year, when Indian exchange Coinsecure accused its then-chief strategy officer of stealing 438 bitcoin from users.
It’s a reality that all centralized cryptocurrency exchanges face, insofar as they all simply provide highly-valuable, highly-concentrated targets. And it’s a reality that accordingly can’t be ignored by traders.
Moreover, even if they don’t go rogue, employees at such exchanges have increasingly become targets of phishing attacks. Sometimes these employees hold the “keys to the kingdom,” as it were, and this dynamic hasn’t been lost on hackers.
As the space is still fledgling, crypto exchanges are still far from perfect.
In many cases, this imperfection materializes in the form of negligence, i.e. platforms not going far enough to ensure security.
An incident that highlights this vector was the Coincheck hack in January 2018, wherein hackers were able to make off with more than $500 million USD worth of XEM at the time. The exchange had been keeping the XEM in a hot wallet without the use of multisignature keys, which means hackers only needed to compromise one key to crack that pot.
This is a more general threat, but a threat all the same: bad OpSec.
If you’re a hodler, talking about how much crypto you hold is a disastrous idea online. Making excessive amounts of personal identifying information easily accessible is a disastrous idea. Don’t make yourself a bigger target than you have to be.
If you were in the throes of an intense firefight, you wouldn’t stand up from cover and start wildly shaking your arms. Bad OpSec can prove to be much the same in cyberspace.
For those interested in superior OpSec, be sure to check out Casa engineer Jameson Lopp’s presentation from the Baltic Honey Badger 2018 Bitcoin conference, “Extreme OPSEC for the Modern Cypherpunk.”
What’s your take? Any vectors I missed? Be sure to let us know in the comments section below.
Images via Pixabay, MEW