Cryptocurrencies are gaining popularity, as well as clout and credibility, as stores of value and as a means of transferring value. This is especially evident in the increasing attempts by bad actors to steal cryptocurrency. One of the most common ways to steal both small and large sums of cryptocurrency has been through cryptocurrency phishing attempts.
In this post, I will explain:
- What is phishing?
- Why does phishing work?
- Different examples of phishing
What Is Phishing?
Phishing is the process whereby a malicious person attempts to provoke you into volunteering sensitive information. The attacker masquerades as an official or reputable company, organization or person via convincing but fake communications. They usually deceive the recipient with an email address, website or social media account that is different from, yet highly similar to, that of the entity they are impersonating. They make a request or appeal, directing you to a malicious link or asking you to reply to the email, where they ask for login, personal or account information that compromises you. Once they have your information they use it to steal your money or cryptocurrency and/or take over your email and social media accounts.
It is called “phishing” because, rather than actively hacking and trying to bypass computer and program defences, which often requires time and a specific technical skill set, a malicious actor can instead spend less time, put out “bait”, send it out en masse and hope for a few bites. A rough analogy: instead of scuba diving to try to harpoon elusive fish, some of which have defence mechanisms, you go out on a boat, set up 50 fishing rods with bait, wait for some fish to bite, then reel in the catch!
Why Does Phishing Work?
Phishing works because human brains are, in a simplified way, algorithms that developed to react in ways that serve our basic human needs. There are excellent psychology books out there that explain all of this, but I won’t get into that now. It boils down to the fact that our minds are quite fallible and predictable, given the right stimulus or cue.
Basically, there are two components to successful phishing. The first is a passive mind trick that circumvents our cognitive defences and tricks us into believing the scammer/phisher is who they say they are. The second is an appeal to human emotions. Typically scammers target greed, fear or pity/empathy, as these tend to be our strongest emotions (and conversely our greatest vulnerabilities).
First, the passive mind tricks that lull us into believing the identity/source of our attacker. Our brain works to make our lives easier. It is able to read different people’s handwriting, or vastly different typefaces, because it recognizes the basic structure and pattern of letters, words and sentences. Moreover, our brain puts the words and sentences it reads into context. Our brains prefer “cognitive ease” (system 1) over cognitive effort and will take the path of least resistance every time unless you are being diligent and engaging system 2 (if you are familiar with Daniel Kahneman’s book “Thinking Fast and Slow”), which basically means being aware of what you are thinking and reading and actively focussing and concentrating.
Briefly, check out the “mind tricks” below:
“Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteers be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.”
Despite the scrambled letters in the words, we can still read the paragraph above.
Depending on the context, the middle characters in figure 1 (above) can be interpreted as the letter “B” or the number “13”.
Did you catch the error in the above triangle? If not, go back and take another look. Then read the figure below quickly!
A little aggressive and inappropriate, but do you see how your mind quickly reads what it thinks or wants to see?
Moving forward, an attacker disguises themselves by masquerading as a trusted entity. It will be tough to spot the hacker. It is usually not at this point in the phishing attempt that you notice something is fishy (pun intended). They may steal the logo of a company (e.g. PayPal) and use a very, very similar email address. However, if you look closely at the email address you will notice a single letter, number or character difference that, while seemingly inconsequential, makes all the difference as to where the email is coming from. Check out the image below to see what I mean.
As you can see from the image, the email is convincing. It appears to be from a well known, reputable source, PayPal. It displays the PayPal logo and is written professionally. If you look carefully at the sender address, though, you can see a very small error, “email@example.com”: there is an “i” in there that misspells the word. Moreover, a more careful observer would raise a red flag at the “@outlook.com”. Large corporations send from their own domain, “@paypal.com” or “@CORPORATIONX.com”, not from a free webmail provider.
You can see that if you do not look carefully it can be exceedingly easy to be fooled. With the subtle change of a letter or word, or a minor alteration to a logo, our brains are easily fooled.
Phishing: Preying On Our Emotions/Reactionary Thinking
That brings us to the second component/trick of phishing attempts: the appeal to human emotions. As humans, we like to pride ourselves on our ability to think rationally and critically. However, the reality is that our brains can easily be tricked, as we discovered above. I mentioned a book earlier, “Thinking Fast and Slow” (Daniel Kahneman), in which Kahneman discusses the concept that our brain has two “systems” of thinking. System 1 is the fast, reactionary system that we rely on quite heavily. It is the one that produces stereotyped and prejudiced thoughts and actions (which are essential to everyday function and the overall survival of the human species). System 2 is the slow, critical-thinking system that requires effort, energy and concentration, making it virtually impossible to use for every single daily task (yet also essential for the advancement of each individual and of human civilization as a whole).
Phishing takes advantage of system 1, again.
You will typically get an email or message that inspires some emotion, typically greed, stress or fear. Humans seem to have the strongest reactions to greed, stress and fear, which is probably why this is such an effective phishing technique. There is also an implied sense of urgency, with some simple action for you to take. These two things activate system 1 in our brain: react quickly to avoid a bad outcome, or to chase a too-good-to-be-true outcome, and do it now.
A common method is to notify you of some suspicious activity on your account with a reputable company/organization, or to notify you of some overdue bill/charge. If they are notifying you of suspicious activity on your account, it appears as though they are protecting you, not scamming you, which makes your mind subconsciously treat this as a warning for your benefit: if you do not act now, your account, and thus your money or private data, may be compromised or stolen. That is a strong motivator to fix the issue immediately. Therefore people act without double and triple checking the sender of the email, or even stopping to think whether the sender’s claim makes sense. You would be surprised: some phishers send an email en masse saying that your account with CitiGroup Bank has “suspicious activity” when you do not even have an account with CitiGroup. Nevertheless, a percentage of recipients will click the link sent to them.
In the example above, someone is using LinkedIn as a medium to send messages from a fake Wells Fargo account. It is harder to tell that it comes from a fake sender here. But the message inspires anxiety: who would want their Wells Fargo account to be compromised? They cleverly leave the solution to your predicament in a link right in the message.
The link above leads to the page (image) below. Here you fill in your credentials, thinking that you are protecting your account. Meanwhile you are handing over your account information and credentials, and in fact your very identity in this case (Social Insurance Number? That is gold to criminals!), for the hackers to do whatever they please with.
If you fill in the information asked for above then you will have fallen prey to a phishing attempt.
Emails about account compromise are just one example of phishing scams. Criminals can become very, very creative. You must have multiple layers of protection on your sensitive information.
Different Types Of Phishing
There are so many different types of phishing that it would be difficult for me to list them all. But the gist is the same, as I described above. Some common types of phishing are:
- Email phishing:
- Tech support from your company
- Account protection/suspicious activity notices
- CEO fraud (impersonating the CEO or other executives of a large organization/corporation, or attempting to steal their login credentials, to get staff to send money or data).
- Tax fraud – typically a fake organization masquerading as the IRS (USA) or CRA (Canada), or whatever tax agency exists in your country, claiming that you have unpaid taxes and will be subject to arrest if payment is not received immediately or within an exceedingly short time frame (this was done with Bitcoin in Ontario, Canada in 2018).
- Social Media phishing
- Fake Facebook, Instagram, LinkedIn, Twitter, YouTube, etc accounts of someone popular/influential or important who ask you to do something or send them some information or money/cryptocurrency.
- Domain Phishing
- Domain names are human-readable words/phrases that DNS maps to the numeric IP address of a website/hosting service. The “web address”/domain, when typed correctly, leads you to the official website of that domain. However, clever scammers can and do misdirect and funnel you towards their malicious websites, with a convincing UI (user interface) that resembles the site you intended to visit.
- Or they register very mild modifications of a domain name that are mistyped or misread for the real/original website, landing you on a phishing page.
- Ad Phishing
- A scammer spends a little money to place ads that are disguised as legitimate entities, but link you to a deceiving URL/website that asks for your credentials and/or money.
- Phone call phishing. An older, now less common, type of phishing, but people still receive calls or voicemail messages that incite an urgent need to take some action (such as paying unpaid taxes or automotive fines, or correcting allegations of insurance fraud), typically asking for your credit card number or Social Security Number/Social Insurance Number, etc.
Given that Markshire Crypto is dedicated to the topic of Cryptocurrency/cryptoassets I want to delve into Cryptocurrency specific phishing attempts/scams.
Cryptocurrency Phishing Attempts
As mentioned at the beginning of this article, cryptocurrencies have real-life monetary value, and one of the earliest signs supporting this notion is that criminals want to steal them. And they get creative at stealing indeed. In the grand scheme of things, billions of dollars worth of cryptocurrency have been stolen over the last decade. It would be impossible/unrealistic for me to go through all of those scams (and who would want to read all of that either?). Below are some of the more common cryptocurrency phishing attempts:
- My Ether Wallet
- Fake Twitter Accounts
- Vitalik Non-Giver-Of-Eth Buterin
- Forum attacks
- Fake Ads
- Phishy wallets
My Ether Wallet – Some of the most popular cryptocurrency phishing scams were associated with the cryptocurrency Ethereum. The well-known website My Ether Wallet, which is also an online hot wallet for Ether and other ERC-20 tokens, was a hot target for phishing scammers. The scammers had multiple attack methods. One was an email scam: phishing attackers would gain access to the My Ether Wallet email database and send out a phishing email.
If you pay close attention you will notice that the URL in the email is myehterwallet.com, not myetherwallet.com. Another misspelling that was commonly used was myetherwaliet.com. This would lead you to a different website that looked almost identical to the legitimate myetherwallet.com website.
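The tells described in the PayPal example above (a brand name on a free webmail address) and in the My Ether Wallet emails (a link whose real target is one typo away from the real domain) can be checked mechanically before you click. The script below is an added example, not code from the original post or from My Ether Wallet; the trusted-domain and webmail lists and the sample message are constructed for illustration, and the "last two labels" domain shortcut is an assumption that holds for .com but not for every TLD.

```python
"""Heuristic checks for the phishing tells this post describes: a brand name on a
free webmail sender address, link text that does not match the link target, and
look-alike domains one typo away from the real one (myehterwallet.com,
myetherwaliet.com). Added example, not code from the original post; the domain
lists and the sample message are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "myetherwallet.com"}          # assumption: reader's allow-list
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com"}   # corporations do not send from these


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance with an adjacent transposition counted as one edit, so the
    swapped letters in 'myehterwallet' are distance 1 from 'myetherwallet'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('www.paypal.com' -> 'paypal.com').
    Assumption: good enough for .com; real tooling uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """'trusted', 'lookalike:<real domain>' (within 2 edits of it), or 'unknown'."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    name = dom.split(".")[0]
    for real in TRUSTED_DOMAINS:
        if damerau_levenshtein(name, real.split(".")[0]) <= 2:
            return "lookalike:" + real
    return "unknown"


def analyze_email(raw: str) -> list[str]:
    """Return human-readable warnings for one RFC 822 message with an HTML body."""
    msg = message_from_string(raw)
    warnings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    # Tell 1: the display name claims a brand, but the address is a webmail account.
    claims_brand = any(t.split(".")[0] in display_name.lower() for t in TRUSTED_DOMAINS)
    if claims_brand and sender_domain in FREEMAIL_DOMAINS:
        warnings.append(f"sender {addr} claims '{display_name}' but uses webmail domain {sender_domain}")
    elif classify_domain(sender_domain).startswith("lookalike"):
        warnings.append(f"sender domain {sender_domain} is a look-alike of a trusted domain")
    # Tells 2 and 3: visible link text vs. real target, and look-alike targets.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(target):
            warnings.append(f"link text shows {shown} but points to {target}")
        verdict = classify_domain(target)
        if verdict.startswith("lookalike"):
            warnings.append(f"link target {target} mimics {verdict.split(':', 1)[1]}")
    return warnings


# Constructed sample message modelled on the tells described in the post.
SAMPLE_EMAIL = """\
From: MyEtherWallet Support <myetherwallet.support@outlook.com>
To: victim@example.net
Subject: Action required: unusual login to your wallet
Content-Type: text/html

<html><body>
<p>We blocked a login from an unknown device. Verify your wallet now:</p>
<p><a href="http://www.myehterwallet.com/verify">https://www.myetherwallet.com/</a></p>
<p><a href="https://myetherwaliet.com/unlock">Unlock wallet</a></p>
</body></html>
"""

if __name__ == "__main__":
    for w in analyze_email(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run against the sample it reports four warnings: the webmail sender, the link whose visible text says myetherwallet.com but whose target is myehterwallet.com, and both look-alike targets. The edit-distance threshold of 2 is deliberately low; raising it catches more typosquats but starts flagging unrelated short domains, so a real mail filter pairs it with an allow-list as done here.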
Fake Twitter Accounts – in this online information age, influential people can interact with their audience second by second thanks to live social media. This is highly useful and potentially dangerous for the crowds, who may not know whom to trust. In the cryptocurrency space, there are many fake social media accounts that impersonate an influential, reputable and trusted person/organization.
Vitalik Buterin, one of the main co-founders of Ethereum, had to change his Twitter display name to “Vitalik Non-giver of Ether” (handle @VitalikButerin) because so many scammers were impersonating his Twitter account and asking the masses for small ETH donations.
Another Twitter scam was a bad actor impersonating the organization Changelly, a highly reputable direct crypto exchange. They have and maintain a great reputation, and because of this they were obviously targeted.
Forum attacks – there are various forums and communities that have cryptocurrency subgroups or chats. Especially in the early days, when not a lot of resources were available, these forums were where early enthusiasts and investors discussed topics and learned about crypto. They were an easy early target for scammers as well. A scammer would simply make a forum post providing some information or making an announcement about a token, ICO or update that required some quick action on the part of the reader (you). Then the unsuspecting victim would click on a phishing link.
Fake Ads – Very similar to fake forum posts. A scammer invests a small to medium sum of money to create an ad on the Google search results page that mimics a reputable source. It contains a phishing link, taking you to a similar but different crypto site that steals your credentials/account info, or steals crypto directly by asking you to send it to a specific address.
Phishy wallets – With the masses becoming more aware of cryptocurrency exchange hacks and wanting to hold their own private keys, people are looking for safe, secure and legitimate wallets in which to store their crypto. Scammers take advantage of this by developing fake wallets. The average Joe signs up for the wallet, deposits their cryptocurrency into it, and the next day the wallet is empty. The scammers hold the keys to everyone’s wallet and simply send the funds to their own addresses.
Always search around for reviews of safe and secure wallets. If you cannot find multiple consistent reviews, ideally from reputable sources, then do NOT trust that wallet. Cryptocurrency is a bearer asset: whoever holds the private keys holds the funds, so if you lose (or hand over) your private keys you lose your investment.
The Conclusion of Cryptocurrency Phishing Attempts
Cryptocurrency is valuable. We know that from the fact that people try to steal it. Cryptocurrency, while popular and becoming more well known and accepted, still has a minuscule market capitalization. The whole crypto market is less than $150 billion USD (end of December 2018), roughly the net worth of Jeff Bezos (one person). It is my opinion that cryptocurrency/cryptoasset capitalization will be one of the largest markets in existence within the next 5-20 years. The scammers are just getting warmed up. YOU have to protect yourself. Don’t be ignorant or complacent. This is YOUR money, your assets and thus your freedom. Take control of it.