This is the first article in a series on how to use safe practices when handling crypto currency, making transactions, 2FA confirmations etc.
SIM CLONE-2FA ATTACK
Never use the same login/password from your exchange account and your confirmation account. I.E. don’t use login: johndoe password:summer2018 for both your Coinbase/Binance account and your gmail account connected to the site. When hackers find back doors and hack logs, the first thing they do is to check if the same credentials are used for several different accounts on various media. Even your Facebook or Twitter should never have the same login/pw as your crypto exchange credentials.
2FA confirmations is a myth, there are several ways hackers can clone your sim card, or monitor your phone, in order to steal credentials. First there are telephone sniffers who are looking for messages sent to your phone. Next, hackers can very easily clone your sim. They can either do that physically or trick your telephone company to provide them with an extra sim card. Various stories flourished during summer 2018 when hackers went to different crypto conferences and spied on crypto whales in order to steal their credentials.
DNS ATTACK
Several well known crypto sites had their ISP re-route to a fake site like MyEtherWallet.com was rerouted to servers in Russia where users who logged into their account sent their private keys to hackers and were immediately stolen. MyEtherWallet.com uses Amazon’s Route 53 DNS service and the attackers used BGP to reroute traffic to Amazon’s Route 53 service.
There was a warning that showed to visitors saying that the TLS certificate used by the site was signed by an unknown authority. If you ignored the warning then you were among the 150.000USD lost in the hack. MyEtherWallet users who fell for this phishing scheme have no way of getting their funds back and could fall victim to possible subsequent scams.
Etherdelta.com , a DEX crypto exchange fell victim to the same type of attack. Hackers replaced the exchange’s website with a fake one designed to steal funds from users wallets. The daily turnover on the site was 11 mUSD but fell to 5mUSD after the attack.
CLIPPER ATTACK
Another well known crypto scam is clipper malware. The program installs itself in the background and uses a huge number of fake public keys in order to change them in your clipboard when using it to copy addresses. If your address is 1keychainx1292392742ads12asAc31 and you make a Bitcoin transaction, then usually that number doesn’t fit into the window and you will only be able to see the last 6–10digits. Let’s say you remember Ac31 as the last 4 digits, so far so good. What the clipper malware does, is it has millions of fake accounts stored in the background, and looks for any account this has the same last 4digits as you, so instead of sending it to 1keychainx1292392742ads12asAc31 the transaction is being made to address 1clipper12AA92392742ads122XAc31. It’s very easy to see why this attack works when people just check for the last character/letters in confirming the address. First week in February 2019 a clipper malware version of the popular Metamask plugin was spotted on the official Google Play store. After a tip off the plugin was taken down, but nobody knows how many people downloaded the fake app and lost their funds.
PHISHING SITES
On several occasions, users who entered phishing sites were unaware they were using a fake site.
myetherwallet.com -> myethereumwallet.com (Fake site spotted in 2018)
myetherwallet.com -> myetherwallet.com.im (Fake site spotted in 2017)
And so it goes on, always triple check the online site you’ve entered is the correct one. Even special characters are used, like ṭ instead of t (notice the dot below the character) or ạ instead of a. This has happened on many occasions, so beware of clicking on advertised sites or fake email confirmations.
Another common phishing attempt is binạnce.com instead of binance.com.
LESSON LEARNED
Don’t have the false impression that by adding 2FA security to your account your crypto is safe. If possible, add a password to your telephone service provider in case you need to contact them. (i.e. when you lose your sim). Never use same login credential for several critical sites. If one of them gets hacked (and they often do), hackers do try the same credentials on all known social media.
When accessing public crypto sites, may it be Coinbase or Binance, make sure the SSL certificate is valid.
Always check for misspelled characters or strange code in site address. When sending coins, ALWAYS check the FULL address in the receiver tab, not just the last couple of characters.
And never click on in-mail links or advertised sites. Always make sure you are using the official site or app.
To find out more about KeychainX Wallet recovery services check https://KeychainX.io or send an email to keychainx@protonmail.com