Dublin Information Sec: Protect your firm from 'Gold Rush' cryptocurrency scammers


James Chappell

Target: Credentials for online exchanges and trading platforms are stolen and sold on criminal forums

At the height of the California Gold Rush in the 1840s and 50s, fraudsters devised various methods to deceive individuals hoping to strike it rich, including selling synthetic gold deposits or fake mines of no real value.

These days cybercriminals are defrauding those working with cryptocurrencies through account takeovers, mining fraud and scams against initial coin offerings (ICOs).

When individuals want to purchase and trade cryptocurrency, they create online accounts and wallets on exchanges and trading platforms.

Cybercriminals steal credentials for these sites through phishing emails and scam pages, before selling access to these accounts on criminal forums and paste sites. Credential stuffing tools, which automatically inject large lists of username and password combinations into login pages until a match is found, are also widely used to break into trading platforms and exchanges directly.
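As an added illustration of the credential-stuffing pattern described above (this is example code written for this page, not a Digital Shadows tool or anything from the original article), the script below scans login records for the tell-tale signal of a stuffing tool: one source address cycling through many distinct usernames with a high failure rate inside a short window, as opposed to a legitimate user retrying their own password. The log format and all addresses and usernames are constructed for the example.

```python
"""Flag credential-stuffing patterns in login logs.

Added example, not from the original article. The log format is an
assumption: constructed lines of the form
'<ISO timestamp> <source-ip> <username> <LOGIN_OK|LOGIN_FAIL>'.
A stuffing tool replays leaked username/password pairs, so the signal is
one source IP touching many *distinct* usernames with mostly failures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 192.0.2.10 is one user mistyping a password,
# 203.0.113.7 behaves like a stuffing tool, 198.51.100.9 logs in normally.
SAMPLE_LOG = """\
2018-10-01T09:00:01 192.0.2.10 alice LOGIN_FAIL
2018-10-01T09:00:05 192.0.2.10 alice LOGIN_FAIL
2018-10-01T09:00:09 192.0.2.10 alice LOGIN_OK
2018-10-01T09:00:10 203.0.113.7 bob LOGIN_FAIL
2018-10-01T09:00:10 203.0.113.7 carol LOGIN_FAIL
2018-10-01T09:00:11 203.0.113.7 dave LOGIN_FAIL
2018-10-01T09:00:11 203.0.113.7 erin LOGIN_FAIL
2018-10-01T09:00:12 203.0.113.7 frank LOGIN_OK
2018-10-01T09:00:12 203.0.113.7 grace LOGIN_FAIL
2018-10-01T09:00:13 203.0.113.7 heidi LOGIN_FAIL
2018-10-01T09:05:00 198.51.100.9 ivan LOGIN_OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for source IPs that, within any `window`,
    attempted >= min_users distinct usernames with a success rate
    <= max_success_rate. Accounts that *did* log in from a flagged IP
    are listed as 'compromised' so they can be forced to re-authenticate."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        hit = None
        start = 0
        # Sliding window over this IP's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            rate = successes / len(chunk)
            if rate > max_success_rate:
                continue
            if hit is None:
                hit = {"distinct_users": 0, "attempts": 0,
                       "success_rate": rate, "compromised": set()}
            # Keep the widest qualifying window's figures, and every
            # account that logged in successfully from this source.
            if len(chunk) >= hit["attempts"]:
                hit["attempts"] = len(chunk)
                hit["distinct_users"] = len(users)
                hit["success_rate"] = round(rate, 2)
            hit["compromised"].update(u for _, u, ok in chunk if ok)
        if hit is not None:
            hit["compromised"] = sorted(hit["compromised"])
            flagged[ip] = hit
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Per-source-IP counting is the simplest form of this check and is exactly what stuffing tools evade by rotating through proxy pools; in practice the same logic is run per ASN, per user agent or TLS fingerprint, and per target account (many IPs, one username) as well. A successful login from a flagged source is not proof of compromise, but it is reason enough to invalidate the session and require a second factor before any withdrawal.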

The recent controversy over John McAfee's claims that his BitFi cryptocurrency wallet is completely secure is a good example of researchers trying to discourage users from being overconfident. 'Unhackable' is a claim made by many storage platforms, and several have found out to their cost that nothing is ever perfectly secure.

For organisations in particular, the risk is not only to accounts: your infrastructure can be commandeered by cybercriminals looking to 'mine' coins themselves.

Mining is the process by which users validate cryptocurrency transactions, and miners receive digital coins as a reward for performing this activity.

This is the Proof of Work model. The reward is the incentive for attackers to infect your computers and co-opt them into a mining botnet.

Alternatively, they can hijack your browser and its processing power to mine (known as cryptojacking). Cloud services such as Amazon Web Services (AWS) are particularly attractive because of the compute on offer, and attackers will take advantage of instances exposed without authentication or protected only by weak or leaked credentials.

Looking to the future, many cryptocurrencies such as Ethereum are moving towards a Proof of Stake or Proof of Value model, in which the right to validate transactions depends on the amount of coins held and the age of the stake rather than on computing power.

As these models are far less resource intensive, this will make the theft of computing resources for mining far less attractive, which will likely orient criminals back to targeting individual accounts, wallets and platforms directly.

Those looking to launch or invest in new cryptocurrencies should also be wary of ICO scams.

ICOs are a means of crowdfunding cryptocurrencies, but there have been countless examples where criminals have diverted investments by swapping the address into which payments are made for one controlled by the attacker.

Fraudsters will even create entirely fictitious cryptocurrencies and perform exit scams. Some use social media groups - known as 'pump and dump' channels - on platforms such as Telegram and Discord to spread news and inflate the price of lesser-known coins and make a profit.

There are several drivers behind the rise in cryptocurrency fraud. These include:

■ Accessibility - Advances in technology and the wide availability of tools facilitate this type of fraud, often lowering the barrier of entry for less sophisticated cybercriminals.

■ Anonymity - Cryptocurrencies and blockchain technology offer a level of anonymity that also emboldens fraudsters. Currencies like Monero have better privacy features relative to their older cryptocurrency counterparts, which has in part made it increasingly popular on criminal markets and in money laundering operations.

■ Popularity and hype - Criminals will always follow the money, looking to take advantage of whatever is most popular and most lucrative.

■ Reputation - The popularity of cryptocurrencies among high-net-worth individuals, the roll-out of cryptocurrency-backed prepaid cards and plans for private banks to provide cryptocurrency services gives them greater legitimacy and makes them more attractive to investors. If their reputation increases, they will become more prevalent, increasing the number of targets for fraudsters.

■ Opportunity - The sheer number of new altcoins, exchanges and coin offerings means that fraudsters have a wealth of potential targets. The new gold rush has created many millionaires - these new, less-experienced, internet savvy entrepreneurs are a target themselves, with criminals looking to defraud, steal from or extort these individuals.

■ Regulation - In a regulated market such fraud would be more clearly prosecutable, and the threat of law enforcement action would probably deter many, although not all, criminals. Moreover, exchanges and ICO projects would be under more pressure to improve their security practices, as they would face serious consequences for facilitating a breach. Nevertheless, criminals will continue to take risks regardless of the potential legal ramifications, regulatory implementation will likely be uneven, and regulation may also deter would-be investors and drive down the value of cryptocurrencies.

■ Security - Weak password practices enable account takeovers, misconfiguring cloud services facilitates cryptojacking, and failure to patch and update effectively means attackers can continue to exploit known vulnerabilities to deliver cryptomining malware.

What is clear is that one of the major contributing factors to cryptocurrency fraud is the opportunity provided through poor security practices. There are several measures that organisations can take, including:

■ Requiring authentication on cloud services such as AWS, so that no instance, console or API is reachable without credentials, to prevent cryptojacking. Replacing factory-default credentials with unique, strong passwords to prevent Internet of Things devices from being incorporated into botnets.

■ Enforcing strong password security rules and multi-factor authentication across your organisations.

■ Patching known vulnerabilities being used to deliver crypto miners. Vulnerabilities in Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) servers have been used to download Monero miners. These miners have also been delivered by exploiting vulnerabilities in the popular Apache CouchDB open source database (CVE-2017-12635 and CVE-2017-12636) for which patches were already available.

■ Having a reputable adblocker in place, which also blocks the scripts used for browser-based cryptojacking.

■ Checking phishing databases and more specialist cryptocurrency fraud sites such as the Ethereum Scam Database before using any sites that you are unfamiliar with.

Whatever happens with the volatility of cryptocurrencies, the looming regulation measures and the projected adoption of cryptocurrency in both online and physical transactions, cryptocurrency fraud is here to stay.

However, with better security practices both on an individual and organisational level, you can mitigate the risk of cryptocurrency fraud while remaining an active user.

James Chappell is co-founder and chief innovation officer at Digital Shadows. He is a speaker at Dublin Information Sec 2018 - Ireland's cybersecurity conference - on October 15 at Dublin's RDS. For tickets and more information see independent.ie/infosec18