paint-brush
10 smart tricks hackers use to steal your cryptos (and how to protect from them)by@ourielohayon
37,734 reads
37,734 reads

10 smart tricks hackers use to steal your cryptos (and how to protect from them)

by Ouriel OhayonNovember 6th, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

For consumers and crypto buyers, the crypto-jungle is a real mess as far as security is concerned.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coin Mentioned

Mention Thumbnail
featured image - 10 smart tricks hackers use to steal your cryptos (and how to protect from them)
Ouriel Ohayon HackerNoon profile picture

For consumers and crypto buyers, the crypto-jungle is a real mess as far as security is concerned.

If you have ever threaded the waters of any crypto service you will have to go through a tedious security on-boarding which includes complex and long phrases and codes to remember or store securely somewhere (whatever this means). Yes, you are in control of your own assets but the price to pay is that you are in charge of your own security. And since most people are not security experts, they are very much often exposed — without knowing. I am always amazed to see around me how many people, even tech savvy ones, don’t take basic security measures.

You are at risk, even with a super secure Hardware Wallet, which is supposed to the the gold standard for security today. Indeed most issues happen in the “points of connection” with your wallet, not with the wallet itself. What is at risk is not necessarily your set up but your attention.

Here are a few tricks that hackers like to use to steal your private keys (the information required to steal your cryptos) or even trick you in wiring coins/tokens to the wrong destination.

it’s dangerous out there. Attacks from all over.

1.Copy Paste: you see an address you want to send some bitcoins to. You copy/paste this address into your wallet. Except there are things like CryptoShuffler, a small program, that will replace the address you just copied with another that has nothing to do with the original. It would work to with any type of passwords including copying you master pass for your password manager (eg last pass)

Tip: Painful but verify the address after you pasted it. Use the QR code if you know how to.

Tip #2: Don’t install funky soft, or apps you’re not sure of. Run regularly an anti Malware on your computer (Bitdefender, MalwareByte) to clean your computer

Pro-tip 2: use an official ENS (more on this below) instead of a prone-to-error impossible-to-verify address. Some are cheap to buy, Some are not. But this is peace of mind.

2. Hacked mobile Apps: Hackers can publish real fake trading apps to buy assets on a crypto-exchange (eg Poloniex) but you re trading nowhere…you just sending money to a dummy hacker account.

More generally Android is really prone to hack (more than iOS). you need to be careful on what you install and make sure to regularly clean your device of any junk.

Tips: Don’t get too fancy here. it’s obvious (but not for all), you need to protect your device with a PIN, Touch ID and/or FaceID, add add 2 factor authentication to any app you have that offer that, and avoid downloading junk.

3.Slack Hacking bots: Bots on slack are a plague. They will reach out warning about a security alert on your wallet (which of course does not exist) and they will link you to a URL where they will ask you your private key. Don’t touch

Tip: ignore bots on Slack. Report them when they contact you. Also use Metacert to protect your slack channels

4. Browser extensions Some extensions are claiming they will improve your user experience on trading sites. Except they may read at the same time all your typing there. Stick with the ugly user experience, you’ll be safer.

Tip: do NOT download any crypto extensions. Browser in “Private mode” where usually extensions are disabled. Or use a fresh browser only for this. You can take a look at Brave which is a Blockchain native browser with built-in wallet

5.Clone Websites: you start to type the URL of a website, then your URL bar has been hacked by another close URL pointing to a very similar website with the same exact look and feel and logo. Careful.

Cryptonite Chrome extension

Tip> look for the https certificate + use Cryptonite Chrome / Firefox extension that can highlight fake URLS

6.Fake Google Ads/SEO: It’s a known technic. You’re searching for your favorite (or not) crypto sites on Google but hackers will squat the top paid results (or organic) with similar URLs (including a small change) and will trick you in going to their site instead.

fake URL in Google ads

Tip> read carefully the URL after the click

7.Fake Social accounts: Careful there, only follow verified accounts or simply click on the social links from the official websites of the service you want to follow. Don’t trust any other source even Twitter/Facebook recommendation algorithms which could push new fake accounts.

8.Mobile SMS 2FA

This is a widely known issue. Services will ask your mobile phone number to register or activate 2FA (two factor security), but, especially in the USA, some hackers are very talented at fooling mobile operators support team and getting your credentials and from there getting access to any account linked to your mobile phone.

tip: ask your operator how your phone is protected

tip#2: never EVER use any service that requires your phone number and never set 2FA with SMS (use a software solution instead)

9.Email Phishing

You get an email from a service you know, except this is not from them. They will use the exact same format, template, design. Many times the service does not even have your email, but it does not matter, you will not remember. Remember, don’t click blindly

fake

tip: pay attention to the link you click on, watch them in the browser link section. If it looks weird, get out.

10.Wifi hacking

You may have seen the news but WPA, the security protocol for most wifi routers used has been compromised. With that “krack attack” anyone can see all the data that goes through your wifi network. Similar issues happen in public Wifi (eg airport wifi).

tip: fix your router, check for updates and never trade in public wifi areas (at least not without a secure VPN)

Bonus 1 : Fake ENS

ENS is the equivalent of emails/DNS for a wallet address (a long post on the topic will come soon). Many good ICOs have used it instead of a prone-to-error address. It is something like whatever.eth . But some hackers will post fake ENS on forums will make it look like they own the original ENS with a close name ( thisICO.eth instead of thatICO.eth).

Tip: make sure to reference only to the ENS provided by the company and double check it before

Pro tip: if you set an ICO, get your ENS for yourself (including typos), even if you don’t plan to use it

Bonus 2: Free Airdrops

Airdrops is the random distribution of free tokens to reward existing token holders or to engage more users in a bootstrapped crypto-service. this sounds great. You open your wallet. Surprise! Free tokens. Some will claim there is an airdrop when there is not. Some will provide actual tokens to get you to register to their scammy site and get your private information. Be very careful

Only one tip to summarize all this: BE extra careful

ps: did i miss anything? please comment/complete/correct if you know of any other trick?