Year of the Phish? Socially-Engineered Attacks Populate Crypto in 2020 – Finance Magnates

When it comes to cryptocurrency-related crime, every year seems to have its own particular flavor. 2018 was the year of massive exchange hacks (remember Coincheck?); 2019 was seasoned with an air of massive ponzi schemes (PlusToken, OneCoin) with a few scandals thrown in the mix (QuadrigaCX, anyone?)

So far in 2020, however, the most memorable crypto-related criminal moments seem to be taking a new shape. As cryptocurrency exchanges have continued to beef up their security measures, and global regulators and law enforcement are learning how to curb crypto crime, criminals are increasingly attacking from a new angle: socially-engineered cyber attacks.

The Most Diverse Audience to Date at FMLS 2020 Where Finance Meets Innovation

Of course, these kinds of manipulative tactics have been a part of the cryptosphere since its inception: even outside of the cryptosphere, cyberattacks that exploit human trust are as old as time (or at least as old as the internet). Phishing, stolen identity scams, and many other kinds of exploitative scams are, unfortunately, very popular.

So far this year, socially-engineered attacks appear to be playing an outsized role in cryptos scam landscape. Is 2020 cryptos Year of the Phish?

After all, it certainly seems that the most memorable crypto-related cybercrime story of the year so far was based on multiple angles of trust exploitation.

On July 15th, the Twitter accounts of dozens of high-profile individuals across political and celebrity spheres tweeted out messages saying that they would double the amount of Bitcoin that was sent to their wallet addresses and send it back. This is called a Giveaway scam.

Dozens, or even hundreds, of unsuspecting users sent a total of more than $100,000 to the bitcoin addresses they believed to be associated with Barack Obama, Elon Musk, Joe Biden, and many others.

How did this happen?

Legend has it that a vampire cant enter your house unless they are invited inand, sure enough, when 17-year-old Graham Ivan Clark was able to access and post from the Twitter accounts in questoin, it was because an unsuspecting Twitter employee accidentally handed him the keys to the kingdom.

Indeed, Clarks attack was designed to manipulate and exploit human trust from beginning to end: he reportedly used phishing email tactics to convince a Twitter employee that he was a coworker in the companys IT department. He then got the employee to provide their credentials, allowing him to access Twitters God mode.

However, Graham Ivan Clarks attack on Twitterwhile it may be the most famous crypto-related cyberattack this yearis only one of many socially-engineered cyberattacks in the crypto space.

In fact, just this week, attacks that closely resembled Clarks attack on Twitter have rocked the world of Youtube.

Specifically, hackers appear to systematically be taking over prominent Youtube channels. They hackers then change the names of the channels, and then post videos urging viewers to send Bitcoin with the same promise that Clark offered victims on Twitter: that their coins would be doubled and sent back to them.

Business Insider reported that unlike the Twitter scams, the exploited Youtube accounts dont appear to have been compromised through a widespread security breach of Youtubes internal operations. Rather, hackers appear to have only gotten ahold of the credentials for the specific accounts theyre interested in hacking.

The hackers also appeared to take advantage of the SpaceX landing that occurred last week as a means of getting more clicks on their videos: the names of the compromised channels were changed to terms like SpaceX or Elon Musk to exploit the increased interest in SpaceXs collaboration with NASA.

Esports commentator Rod Breslau also pointed out that some of the channels livestreamed Bitcoin scam videos may have used viewbotsbots that artificially inflate the number of views that a channel hasto heighten their visibility.

Youtubes crypto hack problem isnt just limited to last weeks events.

In mid-July, Finance Magnates reported that a number of Youtube accounts were co-opting the identities of a number of prominent figures within the cryptosphere to make the same kinds of fraudulent promises: send us your crypto, and well double it and send it back.

On July 12th, Charles Hoskinson, the founder of the Cardano (ADA) cryptocurrency network, posted publicly on Twitter about the scams: it has come to my attention that a scam has been floating around using my conference keynote to promote a giveawaythis is a scam. Please report it to YouTube. We will take legal action if we can against those responsible.

Around the same time, however, CoinDesk reported that a number of other fake videos and accounts had sprung up under the identities of Ethereum founder Vitalik Buterin, Gemini founders Tyler and Cameron Winklevoss, and others.

Other than removing reported videos, its still unclear what Youtube is doing to try and curb these scams. A Twitter user alleged that the fraudsters behind the fake Youtube videos are also putting [their videos] in youtube ads which is insane, he asked. Is youtube ignoring this for revenue? How are they not vetting the ads?

Finance Magnates reached out to Youtube, but didnt immediately receive a response. Comments will be added as they are received.

In addition to co-opting the identities of individuals within the cryptocurrency sphere, however, hackers also seem to be increasingly taking on the identities of platforms.

Specifically, blockchain trading and analytics firm Whale Alert published a study in July with findings that crypto scammers are increasingly building fake cryptocurrency exchanges.

Some of these fake exchanges may take on the appearance of existing, legitimate crypto exchanges, while others may set up shop on their own before disappearing with users funds. The fake exchanges are also a convenient way for hackers to rack up large amounts of users personal data: identity records, credit card numbers, bank account information, and more.

In its report, Whale Alert commented that the change in method and the increase in quality and scale suggests that entire professional teams are now behind some of the most successful of these fake exchanges, and that it is just a matter of time before they start using deepfakes, a technique that will surely revolutionize the scam market.

And indeed, on the whole, Whale Alert noted a trend in cryptocurrency fraud after the mid-July Twitter attack: the scale and the boldness of the attack confirm our fears that the scammers are becoming more professional and dangerous.

Specifically, what started with mostly bulk sent sextortion emails and malware has now evolved into fake enterprises offering round-the-clock customer support with dozens of websites and thousands of fake social media accounts used for promotion.

This apparent increase in professionally built, socially-engineered cyberattacks appears to also have dramatically increased the amount of money that hackers have managed to abscond with.

Indeed, Whale Alerts report found that scammers BTC income appears to have surged throughout the first six months of this year.

So far we have been able to confirm 38 million US dollar in bitcoin alone stolen by scammers over the past 4 years (excluding Ponzi schemes, which are a billion-dollar industry on their own), the report said, $24 million of which [were stolen] during the first 6 months of 2020.

At the moment, Whale Alert seems to believe that this will only get worse: by the end of 2020, we predict [the crypto scam market] will have grown over twenty-fold since 2017 to an annual revenue of at least 50 million US dollars.

Can anything be done to stop the growth of the cryptocurrency scam market?

It seems that yes, falling victim to these kinds of scams is certainly preventable: the social media platforms that are being used to spread these scams are certainly taking action.

Twitter, for example, told users that were accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams.

Other platformsincluding Youtubeappear to have taken an approach to quick response and removal of fraudulent cryptocurrency-related accounts and videos.

Additionally, regulators and law enforcement agencies around the world seem to be continuously learning and developing strategies for dealing with crypto-related fraud.

However, Whale Alert alleges that the primary responsibility of fraud prevention at the moment lies on the cryptocurrency community.

For example, while crypto giveaway scams may seem like they may only affect the most gullible among us, legitimate blockchain and cryptocurrency platforms often hold legitimate crypto giveaways.

Therefore, established blockchain companies play a big role in normalizing the idea of free money through giveaways and should be more thoughtful about what message they carry outwards and stop with these kinds of promotions altogether, Whale Alert argues.

Additionally, crypto companies should use their power and presence to effectively communicate the risks of the fraudulent crypto world to their users: as the gateway between fiat and cryptocurrencies, exchanges especially should be actively educating newcomers on the dangers in blockchain and prevent them from sending anything to known or suspected scam addresses.

Continue reading here:
Year of the Phish? Socially-Engineered Attacks Populate Crypto in 2020 - Finance Magnates