What you Need to Know About Phishing Malware

Written by nikolaybocharov | Published 2021/12/17

For phishing malware to work, it has to be installed, or merely downloaded, on a smartphone or computer. This software typically looks relatively harmless: it might come as a video or audio file or a meme received from a friend. Let's take a look at typical malware use cases and countermeasures.

Using SMS as 2FA 

Most of us still use SMS for two-factor authentication, which is convenient because smartphones are always within reach. However, recent cybersecurity research has shown how easy it is to intercept an SMS message containing the confirmation code anywhere in the world, since it is transmitted via the SS7 protocol. In fact, one can gain access to any system via a confirmation code sent by SMS, even when 2FA is enabled.
How to Protect Yourself
Avoid SMS-based 2FA, where the verification code arrives in a text message; use a 2FA code generator app instead.

Fake Apps

Android users who do not use 2FA are usually the main target of such attacks. The good thing about two-factor authentication is that, apart from the username and password, it also requires additional information known only to the users themselves.
How to Protect Yourself
  1. Do not install unfamiliar mobile applications.
  2. Enable 2-factor authentication for all financial applications on your smartphone.
  3. Make sure to get the app download link from the official website.

Public Wi-Fi Networks

A very basic key reinstallation attack leads the router to connect to the hacker's network. All data uploaded or transferred when connected to the network, including private keys, goes straight to hackers. This attack is especially relevant for airports, hotels, and other crowded public places.
How to Protect Yourself
  1. Never initiate cryptocurrency transactions using public Wi-Fi networks even if you are using a VPN.
  2. Regularly update the firmware of your router as manufacturers are constantly releasing updates to enhance protection against key spoofing.

Using Messenger Bots, Including Those That Help Buy and Sell Crypto

Usually, malicious bots notify users of a problem with their crypto assets, forcing them to follow a link and enter the private key. The attack results in a permanent loss of funds.
How to Protect Yourself
  1. Ignore bots' activities; think carefully about every response.
  2. Protect your messenger channels with antivirus software.
  3. Report any suspicious activity to administrators.

Various Browser Plugins and Extensions

Modern browsers offer all kinds of solutions to work with crypto exchanges and wallets more conveniently. One of the problems is that extensions can read everything you type while surfing the Internet. The second issue is that most of them are written in JavaScript, which is especially vulnerable to hacker attacks.
How to Protect Yourself
  1. Do not download any third-party extensions for cryptocurrency
  2. Use a separate computer or smartphone for crypto trading if possible
  3. Use only licensed official browsers
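One way to check how much an installed extension can see, as an added example that is not from the original article: a Python audit of a Chrome-style `manifest.json` that flags access to every site, content scripts injected into every page, and a few sensitive API permissions. Both manifests are constructed samples, and the short list of sensitive permissions is a selection made for this example.

```python
import json

# Match patterns that give an extension access to every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Selection made for this example: APIs worth a second look on a trading machine.
SENSITIVE_APIS = {"clipboardRead", "webRequest", "cookies", "tabs"}


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one extension manifest."""
    findings = []
    declared = list(manifest.get("permissions", [])) \
        + list(manifest.get("host_permissions", []))
    for perm in declared:
        if perm in BROAD_HOSTS:
            findings.append(f"host access to every site: {perm}")
        elif perm in SENSITIVE_APIS:
            findings.append(f"sensitive API permission: {perm}")
    for script in manifest.get("content_scripts", []):
        if any(m in BROAD_HOSTS for m in script.get("matches", [])):
            files = ", ".join(script.get("js", []))
            findings.append(f"script injected into every page: {files}")
    return findings


# Constructed sample: an extension that can observe input on all pages.
RISKY = json.loads("""{
  "name": "Constructed Price Ticker", "manifest_version": 3,
  "permissions": ["storage", "clipboardRead"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}""")

# Constructed sample: an extension scoped to a single placeholder site.
NARROW = json.loads("""{
  "name": "Constructed Single-Site Helper", "manifest_version": 3,
  "permissions": ["storage"],
  "host_permissions": ["https://exchange.example/*"],
  "content_scripts": [{"matches": ["https://exchange.example/*"],
                       "js": ["helper.js"]}]
}""")

if __name__ == "__main__":
    for m in (RISKY, NARROW):
        print(m["name"], "->", audit_manifest(m) or "no broad access")
```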

Attacks Targeting Crypto Wallets

Crypto-wallet-related fraud deserves special mention. There are many ways of compromising private keys, and we will address them case by case.
Hackers seem to favor attacking a wallet and transferring coins to a different address for several reasons.
  • Not all types of wallets allow restoring private keys. If you lose the key, you can lose access to the funds in your wallet for good.
  • It is extremely difficult to prove the theft of funds from a crypto-wallet since most wallet users do not undergo any identification. 
  • All blockchain-powered payments are final and non-refundable. Payments made by mistake or without authorization cannot be refunded.
Filing a police report will not increase the chances of getting your funds back for the following reasons.
  • In many countries, the legal status of cryptocurrency has not yet been defined.
  • It can be challenging to prove that the hacked wallet belongs to you; in some cases, it is impossible.
  • In the case of fiat transfers, you can request a bank or other credit organization to provide information on the recipient since all transfers using electronic means of payment are regulated. Finding the recipient of a transferred cryptocurrency is complicated due to the lack of regulation.
  • It is almost impossible to prove the very fact of coercion or unauthorized transfer of your funds.

Bottom Line

Financial literacy is a collective responsibility. While payment providers and other platforms related to personal finance should provide their customers with updated information on safety measures, users should stay sensible and do their research. Recognition of fraudulent transactions helps to reduce the risk of phishing attacks significantly.

Written by nikolaybocharov | Head of Anti-Fraud Department at the global payment network Mercuryo
Published by HackerNoon on 2021/12/17