Continuation from part 1: Cryptocurrencies are a Target for Cybercriminals – The New Risks of Innovation
Cyber criminals are always looking for victims and ways to exploit them. Stealing what is valuable is the goal. Cryptocurrencies hold tremendous wealth, but are largely anonymous. This limits the attack surface to mostly avenues requiring complex technical approaches. Always preferring the path of least resistance to their objective, many fraudsters and online thieves prefer to target the people. As the cryptocurrency world changes and grows into new incarnations, opportunities can open up for cyber criminals.
A New Cryptocurrency Opportunity for Cybercriminals
The chaotic world of cryptocurrencies is ripe with innovation. There are block chains and related currencies associated with all manner of business transactions, records keeping, legal contracts, charities, and even healthcare research. In many cases the application of blockchain technology solves a variety of problems and opens new value-added opportunities. An emerging sector is the convergence with social media platforms. One of the more popular examples is Steemit. It is a newcomer to the cryptocurrency world and may represent an evolutionary trend, differentiating itself from traditional digital currencies by bridging blockchain and social media. It began in early 2016 and skyrocked in value and prominence to break into the top 5 ranks of cryptocurrency with a market cap of about $160 million dollars. Like Ethereum, it too is more than just a monetary device. Steem, the cryptocurrency, is intertwined with the decentralized social media networking site www.Steemit.com. This social portal allows people to create posts, interact with others, and curate content by up-voting their favorites. This is very similar to most other social media sites. However, the difference is that the platforms cryptocurrency is granted as a reward to authors and curators. The process of up-voting popular content contributes to the value of the posts which is paid-out to participants. In short, a blogger can earn cryptocurrency by authoring content which is voted by other members of the community. This currency can then be sold on the digital markets and transferred into U.S. dollars or other forms of money. Users have a social profile which is tied to the open blockchain, as is all the content. So everything is public and transparent, embedded in the chain, including account balances and activities of the users.
Although an innovative platform, which pays users participate, the front-end social media web-portal opens up new avenues for cybercriminals that are not available as part of most other cryptocurrencies. Being able to conduct research on who has considerable wealth and what topics they are interested in, write about, upvote, or comment on, is a big advantage for social engineering criminals.
Steemit and others like it, use a public blockchain, digital wallets, and miners. So the normal technical-based crypto attacks will occur as we have seen with other cryptocurrencies. Mining attacks seek to gain more than one’s fair share. Attempts to counterfeit transactions or create fraudulent ones in the system will be attempted. Researchers will scour the open-source code for vulnerabilities they can exploit. Malware will be written in hopes of getting users systems infected so the software can steal Private Keys, logins, or conduct Man-In-The-Middle (MITM) attacks. These are all normal and expected technical attempts to circumvent security controls and victimize users. In fact, the site has already experienced a hack, but contained the impact to less than $85,000 affecting only 260 users, and losses were reimbursed.
The difference with these cryptocurrency based social platforms is they expose community interaction elements to social engineers who will take advantage of the abundance of Open Source Information (OSI) available to them, to leverage against users. Attackers are given the means to directly communicate and monitor their intended victims. Most other cryptocurrencies shield their users and owners with anonymity.
Anyone can join, so it is easy to stalk or befriend a target. Attackers can track what their prey like or dislike, as well as establish patterns when they are active, figure out who they know and trust, and watch transactions of their accounts. These are all very valuable tools supporting social engineering based attacks.
Behavioral attacks work against the single weakest element of a computer network, the users. Successful attacks can give complete control of systems, access to accounts, lock out legitimate users, destroy reputations, and steal intellectual property, and financial assets.
Fraud is a common practice in cyberspace as it provides a quick and direct financial benefit to the attackers. For Steemit, because it is a full-fledged social platform, I predict an abnormally high level of fraud, scams, phishing, and other manner of social engineering attempts, as compared to other cryptocurrency ventures without deep social interactions. Right now, attackers can communicate through posting and commenting. Secondary avenues like chat and a person-to-person messages, which are currently being satisfied with 3rd party tools, will likely be instituted before the official release. This will grant an aggressor many avenues to attack potential victims.
There will be scams. Posts which lure people to purchase, donate, or up-click so the attacker benefits. Ponzi swindles, lottery rip-offs, and get-rich-quick schemes will flourish if attackers aren’t proactively addressed. I have already seen a few attempts.
Phishing will occur and is likely to include bad links within posts, directing users to sites with malware or to legitimate sites where the ads have been compromised to push malware to visitors. Either way, if an attacker is able to successfully install their malicious software, it is game over for the victim.
Common techniques used in the world of phishing include soliciting passwords or Private keys from users. It could be an email, instant pop-up message, text, or redirection to an authentic looking webpage which is designed to obtain user’s credentials, keys, or passwords. There are already reports of users receiving emails which look like legitimate requests from administrators. Others report emails which direct the user to a webpage which is close to the name of the site but just one character off in the web address.
The platform is in beta open testing, with the official version 1.0 coming. Releasing software to the public before it is completed and tested is a common practice for new cryptocurrencies. There are many risks with this approach. This can expose users to new vulnerabilities and exploits are expected. The developer team must split its time between bug fixes and new functionality.
Until it is released with a complete set of integrated features, there exists an opportunity for crafty criminals to create helpful tools which require users to input their private keys. Unbeknownst to them, they may be voluntarily handing over their most precious authentication assets. A tool author in good standing can wait for many people to use the tool before turning on them and liquidating the assets of the overly trusting victims.
Are cryptocurrency based social media sites a bigger target? Yes.
As a cryptocurrency (STEEM) will be faced with all the typical problems that other digital currencies must deal with. In addition, it must also cope with the pressure of being a work-in-progress social media site and the likely behavioral attacks which will leverage communication aspects of this platform. Synereo is another platform which will emerge soon and also be subject to the same attention from fraudsters. The success of this model will fuel more to follow.
Positive Characteristics Might Make a Difference
Although I believe cybercriminals will target Steemit’s social platform with relentlessness and passion, there are several positive security aspects to the platform.
I have been a participant in for about a month and have been taking some notes with an eye for security. There are multiple aspects that set it apart from other cryptocurrency operations. The developers have an excellent depth of knowledge and experience in cryptocurrency. Some of what I have seen should be considered best practices which I recommend other platforms evaluate for adoption.
- Three passwords instead of one. Separation of controls exist with the passwords. Instead of just one password, the architecture has three: an Owner Key, Active Key, and Posting Key. Each can be used in different ways and potentially leveraged to limit exposure of one all-powerful Private Key.
- Dev’s are on the ball. The platform benefits from a very active developer community to identify issues, engineer fixes and resolve problems quickly. The recent account breach was contained in a day.
- The governance architecture. The code employs a Delegated Proof-of-Stake (DPOS) consensus algorithm. In a DPOS system, the community votes for individuals, called witnesses, to be responsible for verifying transactions. Unlike typical Decentralized Autonomous Organization’s (DAO), only a small number of representatives control the blockchain, which makes decisions much faster. Witnesses are voted into paying roles as custodians of the system. If necessary witnesses can control forks in the blockchain, which are changes to the core structure to correct serious issues. A small number of accountable people are the active caretakers of the platform and respond in a timely manner.
- The currency has 3 layers of abstraction. There is Steem, a classic cryptocurrency, Steem Dollars (SD), which is a long term investment option in the platform, and Steem Power (SP) which dictates the value of the user’s upvotes. This may seem confusing, but it creates some complexities for would be criminals. Each has its own properties, uses, and limitations. Steem is completely liquid and can be sold for Bitcoin then converted to dollars, while Steem Power takes 2 years to gradually power down into a liquid form that can be converted to dollars. The confusion aside, the separation creates compartmentalization which attackers must contend with and in some cases institutes’ time delays before money is completely transferred. Each barrier is another opportunity to detect an attack and intervene.
- 2FA for account recovery. The platform can use two-factor authentication to recover accounts. Using passwords and a verification via email address, the system can restore hijacked accounts quickly and with a good degree of confidence
- Escrow times for major account changes. The developers are working on a dispute system for Owner-key changes. They have proposed establishing a structure where users would identify trusted-individuals to take part in multi-signature oversight and recovery systems. Essentially, if your account is taken over, your trusted-individuals challenge the takeover to restore the rightful owner.
- Thought leadership. This team of developers takes a proactive approach to anticipate challenges. They have experience with other cyrptocurrencies and are very active in avoiding the pitfalls experienced by other system. I have been impressed with their willingness to openly discuss future challenges, propose a number of options, and listen to the feedback of the community.
- Self-Regulating users. They are diverse, vocal, opinionated, and do not put up with people abusing the system. Users readily call-out scams and do a fairly good job at self-regulating themselves. This frees up developers time and resources to focus on architectural challenges, feature enhancements, and bug fixes.
User Recommendations for Cryptocurrency Based Social Media Platform
Given all the information and concerns above, here are my recommendations to these communities to be safe and protect your assets
- Be aware you may be targeted via the social media platform. Social engineering can take many forms. Trust nobody with your passcodes or keys.
- Expect email, text, and perhaps even phone phishing, seeking you to install something, provide your passcodes or keys, or even to simply pay a ‘fine’. Believe nothing you receive in email or text. And do NOT EVER click on a link you receive in an email or text. If you are instructed to login to your account, open a browser and navigate manually. Don’t click that link!
- Ignore “transfer requests”, Ponzi scams (a sure bet - give me one hamburger today and I will surely give you two in return next week), lottery posts, “you won a prize” scams, and anyone who wants to give you a fortune, but first you must send them a processing fee. These are all just ways for an attacker to benefit. You know better!
- Ransomware is a big and growing problem. The social aspects of can be used to get people infected. Get acquainted with the risks of Ransomware and what to do before and after. 7 Methods to Fight Back Against Ransomware and Ransomware Help is Here
- Malicious links in posts. I don’t believe the site checks for malicious links embedded in posts created by other users. This may be a big problem. Malicious sites can push malware and legitimate sites can be hijacked so ads appearing on them do the same. Be wary. If you are unsure, use Google to see if the site is safe.
- Fake endorsements, friends, and trust scams. Professional social engineers will learn about you and find emotional attachments to gain your trust. They can be a long lost college friend, a young attractive girl, an abused little boy, a starving farmer in a far-away land, a stranded traveler in a hostile country, the coolest DJ you ever met, an almost famous movie star. How about your neighbor. A coworker. Social sites are not a place to assign trust. So don’t. They moment they have it, they will ask for something and relentlessly manipulate you until they get it.
- Be careful what software you install and use. There are great supplemental tools, created by innovative users, but be wary and never use one which requires your password, login, account keys or if it asks you to disable your anti-malware software. You are just begging to be a victim.
- Keep your Operating System and application patched and updated. This closes known vulnerabilities, which are what most attackers target. Zero-days are not as big of a problem for consumers as the media would have you think.
- Install client based anti-malware software from a reputable company that continually updates it. This is a basic protection.
- Watch your accounts and report suspicious activities immediately.
- Maintain a strong password. By default, cryptocurrency systems can create good ones. Don’t change it to something simple, they are easy to brute-force attack, always keep it strong. Change it immediately if you suspect a problem. Store it in a secure location, preferably encrypted, like in a password vault. Better safe than sorry.
- Don’t login via insecure networks (coffee shops, free-wifi hotspots, airports, hotels, etc.). Such networks are notoriously insecure and targets themselves for hackers. This enables them to conduct Man-in-the-Middle attacks to steal credentials or falsify transactions.
Cryptocurrencies with significant market value are a target for cybercriminals. As innovation and new uses are developed and include user interaction, platforms like Ethereum, Steemit, and Synereo will become attractive targets for fraudsters, phishing, and social engineering attacks. To remain safe and trustworthy, the platforms must be designed with great features to enhance security and the users themselves must be wary and vigil in following good protective practices.