In this article, fintech software development company Boosty Labs’ team discusses security issues and shares with you information about the tricks that scammers use in the hope of getting to your funds.
Today, the world is on the verge of a crisis that experts have long predicted, and along with the COVID-19 epidemic, one can only imagine what “fun” times lie ahead. Why exactly during a crisis is the activity of fraudsters the most intense? The answer is quite simple — it’s about money, psychology and human carelessness.
It’s not a secret for anyone that during a crisis, people’s cash flow decreases. Some are looking for a way to make money, trying to work harder, others — to profitably invest the remaining funds, and still others — to catch and extort money from the first two.
We will not discuss in this article various pyramid schemes and standard cases inherent in the conventional financial system. Unlike banks, cryptocurrencies allow you to be the direct owner of funds, like fiat money in your wallet, which means it is somewhat more difficult to steal them. By the way, this applies specifically to non-custodial wallets, where the user himself owns the keys and seed-phrase.
The only way for scammers to get to your hard-earned money is to trick you into revealing your wallet seed phrase. Let’s take a look at the most popular scam tricks.
Fake service support
This method is the easiest to implement, because it is quite easy to create a user account in Telegram or another messenger, which will look identical to a group administrator account. Such a fake user has the same avatar, nickname, bio description, and even the same username, but with a slight difference.
How it happens: a client of the service, faced with a difficulty or problem, writes to the general chat of the service. The fraudster answers the client in private messages, posing as an administrator who supposedly wants to help. Under the guise of help, such as various kinds of “verifications”, “activations”, etc., he tricks the user into revealing his seed phrase or private key, then safely withdraws funds from the wallet. Scammers can also offer various kinds of paid unique features, services, etc., which in fact do not exist.
Indeed, it is almost impossible to determine the authenticity of an account at a difficult moment under the influence of emotions. However, you need to remember that in services related to user funds, the administration will never write first, will not ask for a seed phrase or a private key, especially through open and public communication channels.
Projects interested in creating an effective support service can contact outsourcing company Boosty Labs for help.
Phishing is the most common type of fraud. Here all sorts of means are used, from SMS and email newsletters to social networks. The main goal is to lead the user to a duplicate site, so that he enters his authorization data there.
By contrast with fake service support, the entire website is copied, and only the domain name differs, but very slightly. The attacker uses the obtained data to access funds on the official website while posing as you.
Modern technologies allow an attacker to find out not only the username and password, but also much more information:
– The full name of the victim;
– Phone number;
– E-mail address;
– 2FA code;
– IP (including geolocation);
– The browser the victim is using.
Such a set of information about the victim allows even the service itself (cryptocurrency exchanges, online wallets, etc.) and its support team to be deceived.
The most notorious cases of phishing in cryptocurrencies were associated with centralized services. However, the MEW wallet (myetherwallet.com) and the EtherDelta decentralized exchange (etherdelta.com) also fell prey to fraudsters when the domain names for these services were changed. Therefore, carefully check the domain name of the service before entering your data for authorization.
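The domain check recommended above can be automated. The following is an added example, not code from Boosty Labs: it classifies a URL's hostname against the two domains named in this section. The sample URLs are constructed, and the registrable domain is approximated as the last two labels, which is an assumption that does not hold for suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Domains named in the article; replace with the services you actually use.
TRUSTED = ("myetherwallet.com", "etherdelta.com")

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_distance=2):
    """Return 'trusted', 'idn', 'embedded', 'lookalike', 'unknown' or 'invalid'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"  # no scheme or no host, so there is nothing to judge
    # Exact match or a genuine subdomain of a trusted domain.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    labels = host.split(".")
    # Non-ASCII or punycode labels can render like ordinary Latin letters.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "idn"
    # Trusted name used as a prefix of somebody else's domain.
    if any(host.startswith(d + ".") or ("." + d + ".") in host for d in TRUSTED):
        return "embedded"
    # Near miss: a few characters away from a trusted domain.
    candidate = ".".join(labels[-2:])  # assumption: two-label registrable domain
    if any(edit_distance(candidate, d) <= max_distance for d in TRUSTED):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ("https://www.myetherwallet.com/access",
                   "https://myetherwa11et.com/",
                   "https://etherdelta.com.login.example/",
                   "https://xn--mytherwallet-constructed.com/"):
        print(f"{classify(sample):10} {sample}")
```

Only "trusted" means the hostname belongs to a listed service; "unknown" means the name is merely unlike any listed one, not that the site is safe.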
Bonuses And Airdrops
It is during a crisis that people are most susceptible to a lack of financial resources, which means that the option to offer a bonus may work … And it works!
Free giveaways, bonuses, sudden winnings blur the eye and the user himself does not notice how he transfers his wallet seed-phrase or private key to the fraudster.
Viruses And Thief Apps
Using wallet applications is safer than online solutions, since you do not need to enter the website address in the browser every time. The application is installed once, the shortcut is always at hand and it is impossible to make a mistake.
Therefore, hackers have found another way to dupe the user — a script that quietly slumbers on your mobile device, PC or browser until it detects that wallet address data has been copied or pasted (usually ctrl + c, ctrl + v). At this moment, an algorithm is launched that replaces the user’s address in the clipboard with the attacker’s own.
Usually, such a substitution is not noticed — the addresses are long, consist of letters and numbers and are partially similar to each other (especially in Ethereum). In a hurry, an inattentive user sends his cryptocurrency to the scammer’s wallet without a second thought. The theft is discovered only some time later, when the transaction has already entered the network or has even been confirmed.
Since the cryptocurrency is decentralized, does not have a central governing body and its transactions are irreversible, it is too late to do anything in such situations. To counteract such programs, you must always check the addresses after insertion, regularly check your gadgets with anti-virus programs and, in general, carefully monitor digital hygiene.
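Checking an address after insertion means comparing every character, because a glance at the first and last few characters can pass even when the middle was replaced. The following is an added example, not code from Boosty Labs; the function names and both addresses are constructed for illustration, and the comparison ignores letter case because Ethereum-style hex addresses are case-insensitive apart from the optional checksum capitalisation.

```python
import re

# "0x" followed by 40 hexadecimal characters.
ETH_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")

def compare_addresses(intended, pasted, glance=4):
    """Compare the address you meant to use with what is in the input field."""
    a, b = intended.strip(), pasted.strip()
    for value in (a, b):
        if not ETH_ADDRESS.fullmatch(value):
            raise ValueError(f"not an Ethereum-style address: {value!r}")
    a, b = a.lower(), b.lower()
    # Every position where the two strings disagree.
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # What a hurried look at only the first and last characters would see.
    ends_equal = a[:2 + glance] == b[:2 + glance] and a[-glance:] == b[-glance:]
    return {"match": not diff, "glance_would_pass": ends_equal, "diff_positions": diff}

def grouped(address, size=4):
    """Split the hex body into short groups so it can be read group by group."""
    body = address.strip()[2:]
    return "0x " + " ".join(body[i:i + size] for i in range(0, len(body), size))

# Constructed addresses: same first and last four hex characters, different middle.
INTENDED = "0xab12" + "1" * 32 + "cd34"
SWAPPED = "0xab12" + "9" * 32 + "cd34"

if __name__ == "__main__":
    result = compare_addresses(INTENDED, SWAPPED)
    print("intended:", grouped(INTENDED))
    print("pasted:  ", grouped(SWAPPED))
    print("match:", result["match"], "| glance would pass:", result["glance_would_pass"])
    print("characters that differ:", len(result["diff_positions"]))
```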
The situation is worse when it comes to stealing seed phrases. The hidden thief app takes a screenshot when the user fills in the seed phrase input field. This snapshot is sent by the application to the hacker who introduced the “thief” into the user’s device. After the seed phrase has been compromised, the fraudster waits a moment and then does his job.
Crypto dust refers to the units of a particular cryptocurrency (satoshis, gwei, etc.). The villains transfer them to the addresses of active wallets, and then track their movements. Neither Bitcoin nor Ether is a private cryptocurrency, i.e. their blockchains are like an open ledger — all transactions are available in blockchain explorers. This allows you to track absolutely all movements of coins and thereby obtain a digital footprint of the user — the information that can be used to identify him and gain access to his assets.
When a user is identified, phishing, brute-force, fraud or outright extortion are used.
Cryptojacking. Hidden mining
With this method, direct theft of cryptocurrencies does not occur. Instead, hackers use the computing power of users (processors and video cards) to mine cryptocurrencies. This method is gradually fading away, as it becomes unprofitable due to the increasing complexity of cryptocurrency networks. Nevertheless, scammers still make money from this.
Cryptojacking can be implemented both as an imperceptible integration of the miner into the user’s operating system, and as a code embedded in the site that the user visits.
How To Protect Funds From Fraudsters?
We have presented the most common methods of stealing funds. As you can see, most of them are aimed at inexperienced and inattentive users.
We recommend learning from other people’s mistakes, so be extremely careful and take your time!
Follow a few simple rules:
– Make decisions when all possible materials and resources have been studied and there is complete confidence in your actions. This applies not only to wallets and exchanges, but also to participation in various bonus programs, airdrops, ICOs.
– Store assets in “cold” crypto wallets! Don’t keep them on exchanges. Leave in “hot” wallets only what you actively operate with or are not afraid to lose.
– Do not log in on unfamiliar devices. This applies not only to crypto wallets, but also to any other services and even social networks.
– Be a part of the crypto community. Read industry news, track software updates, and follow the announcements of companies, wallets and exchanges you use.
– Do not use the same password to access different services.
– Do not forget that there should be order in finances, reasonable care and cold-blooded calculation.