Six Tools Used by Hackers to Steal Cryptocurrency: How to Protect Wallets

In early July, it was reported that Bleeping Computer had detected suspicious activity aimed at defrauding the owners of 2.3 million Bitcoin wallets, which it found to be at risk of being hacked. The attackers used malware — known as “clipboard hijackers” — which operates in the clipboard and can silently replace a copied wallet address with one belonging to the attackers.

The threat of attacks of this type was predicted by Kaspersky Lab as early as November of last year, and it did not take long to become reality. For the time being, this is one of the most widespread types of attack aimed at stealing users’ information or money, with attacks on individual accounts and wallets estimated at about 20 percent of the total number of malware attacks. And there’s more. On July 12, Cointelegraph published Kaspersky Lab’s report, which stated that criminals were able to steal more than $9 million in Ethereum (ETH) through social engineering schemes over the past year.

Image source: Carbon Black

Briefly about the problem

The aforementioned Bleeping Computer portal, which works on improving computer literacy, writes about the importance of following at least some basic rules in order to ensure a sufficient level of protection:

“Most technical support problems lie not with the computer, but with the fact that the user does not know the ‘basic concepts’ that underlie all issues of computing. These concepts include hardware, files and folders, operating systems, internet and applications.”

The same point of view is shared by many cryptocurrency experts. One of them, Ouriel Ohayon — an investor and entrepreneur — places the emphasis on the personal responsibility of users in a dedicated Hackernoon blog post:

"Yes, you are in control of your own assets, but the price to pay is that you are in charge of your own security. And since most people are not security experts, they are very much often exposed — without knowing. I am always amazed to see around me how many people, even tech savvy ones, don’t take basic security measures."

According to Lex Sokolin — the fintech strategy director at Autonomous Research — every year, thousands of people become victims of cloned sites and ordinary phishing, voluntarily sending fraudsters $200 million in cryptocurrency, which is never returned.

What does that tell us? Hackers attacking crypto wallets exploit the main vulnerability in the system — human inattention and overconfidence. Let's see how they do it, and how one can protect their funds.

250 million potential victims

A study conducted by the American company Foley & Lardner showed that 71 percent of large cryptocurrency traders and investors rate theft of cryptocurrency as the strongest risk negatively affecting the market. 31 percent of respondents rate the threat that hackers’ activity poses to the global cryptocurrency industry as very high.

Image source: Foley & Lardner

Experts from Hackernoon analyzed the data about hacking attacks for 2017, which can be roughly divided into three large segments:

- Attacks on the blockchains, cryptocurrency exchanges and ICOs;

- Distribution of software for hidden mining;

- Attacks directed at users’ wallets.

Surprisingly, the article "Smart hacking tricks" published by Hackernoon did not seem to gain wide popularity, and warnings that seem obvious to an ordinary cryptocurrency user must be repeated again and again, as the number of cryptocurrency holders is expected to reach 200 million by 2024, according to RT.

According to research conducted by ING Bank NV and Ipsos — which did not consider East Asia in the study — about nine percent of Europeans and eight percent of U.S. residents own cryptocurrencies, with 25 percent of the population planning to buy digital assets in the near future. Thus, almost a quarter of a billion potential victims could soon fall into the field of hacking activity.

Apps on Google Play and the App Store

- Don’t get carried away with installing mobile applications without much need;
- Enable two-factor authentication (2FA) for all applications on the smartphone;
- Be sure to check the links to applications on the official site of the project.

Victims of hacking are most often owners of smartphones running the Android operating system who do not use Two Factor Authentication (2FA) — this requires not only a password and username, but also something that the user has on them, i.e., a piece of information only they could know or have on hand immediately, such as a physical token. The thing is that Google Android’s open operating system makes it more exposed to viruses, and therefore less safe than the iPhone, according to Forbes. Hackers add applications to the Google Play Store on behalf of certain cryptocurrency resources. When the application is launched, the user enters sensitive data to access their accounts and thereby hands it to the hackers.

One of the best-known targets of this type of attack were traders on the American cryptocurrency exchange Poloniex, who downloaded mobile applications posted by hackers on Google Play that pretended to be a mobile gateway for the popular crypto exchange. The Poloniex team had not developed applications for Android, and its site does not link to any mobile apps. According to Lukas Stefanko, a malware analyst at ESET, 5,500 traders had been affected by the malware before the software was removed from Google Play.

Users of iOS devices, in turn, more often download App Store applications with hidden miners. Apple was even forced to tighten the rules for admitting applications to its store in order to somehow curb the distribution of such software. But this is a completely different story, the damage from which is incomparable with the hacking of wallets, since a miner only slows down the computer.

Bots in Slack

- Report Slack bots to get them blocked;
- Ignore bots’ activity;
- Protect the Slack channel, for example, with Metacert or Webroot security bots, Avira antivirus software or even built-in Google Safe Browsing.

Since mid-2017, Slack bots aimed at stealing cryptocurrencies have become the scourge of the fastest-growing corporate messenger. Most often, hackers create a bot that notifies users about problems with their cryptos. The goal is to get a person to click the link and enter a private key. Such bots are blocked by users as quickly as they appear. Even though the community usually reacts quickly and the hacker has to retire, the latter manages to make some money.

Image source: Steemit @sassal

The largest successful attack by hackers through Slack is considered to be the Enigma group hack. The attackers used Enigma's name — which was hosting its presale round — to launch a Slack bot, and ended up defrauding a total of $500,000 in Ethereum from credulous users.

Add-ons for crypto trading

- Use a separate browser for operations with cryptocurrencies;
- Select an incognito mode;
- Do not download any crypto add-ons;
- Get a separate PC or smartphone just for crypto trading;
- Download an antivirus and install network protection.

Internet browsers offer extensions to customize the user interface for more comfortable work with exchanges and wallets. The issue is not even that add-ons read everything you type while using the internet, but that extensions are developed in JavaScript, which makes them extremely vulnerable to hacking attacks. The reason is that, in recent times — with the popularity of Web 2.0, Ajax and rich internet applications — JavaScript and its attendant vulnerabilities have become highly prevalent in organizations, especially Indian ones. In addition, many extensions could be used for hidden mining at the expense of the user's computing resources.

Authentication by SMS

- Turn off call forwarding to make an attacker’s access to your data impossible;
- Give up 2FA via SMS when the password is sent in the text, and use a two-factor identification software solution.

Many users choose mobile authentication because they are used to it, and the smartphone is always on hand. Positive Technologies, a company that specializes in cybersecurity, has demonstrated how easy it is to intercept an SMS with a password confirmation, transmitted practically worldwide over the Signaling System 7 (SS7) protocol. Specialists were able to hijack the text messages using their own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. The demonstration was carried out using Coinbase accounts as an example, which shocked the users of the exchange. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself, Positive Technologies stated. This proved that any system can be accessed directly via SMS, even if 2FA is used.

Public Wi-Fi

- Never perform crypto transactions through public Wi-Fi, even if you are using a VPN;
- Regularly update the firmware of your own router, as hardware manufacturers are constantly releasing updates aimed at protecting against key substitution.

Back in October last year, an unrecoverable vulnerability was found in the Wi-Fi Protected Access (WPA) protocol used by routers. After an elementary KRACK attack (a key reinstallation attack) is carried out, the user's device reconnects to a Wi-Fi network of the same name controlled by the hackers. All the information downloaded or sent through the network by the user is then available to the attackers, including the private keys of crypto wallets. This problem is especially urgent for public Wi-Fi networks at railway stations, airports, hotels and other places visited by large groups of people.

Site clones and phishing

- Never interact with cryptocurrency-related sites that do not use the HTTPS protocol;
- When using Chrome, customize the extension — for example, Cryptonite — which shows the addresses of submenus;
- When receiving messages from any cryptocurrency-related resources, copy the link into the browser address field and compare it with the address of the original site;
- If something seems suspicious, close the window and delete the letter from your inbox.

These good old hacking methods have been known since the "dotcom revolution," but it seems that they are still working. In the first case, attackers create full copies of the original sites on domains that are off by just one letter. The goal of such a trick — including the substitution of the address in the browser address field — is to lure a user to the clone site and get them to enter the account's password or a secret key. In the second case, they send an email that — by design — identically copies the letters of the official project, but — in fact — aims to get you to click the link and enter your personal data. According to Chainalysis, scammers using this method have already stolen $225 million in cryptocurrency.
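The two manual checks recommended above (insist on HTTPS, and compare the link's host with the original site's address) can be automated for links pulled out of e-mails. The following Python checker is an added example, not code from the original article: it flags non-HTTPS links, links whose host is not on a known-good list, and hosts that are one or two letters away from a legitimate site. The hosts in the list are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate hosts (placeholder names, not real services).
KNOWN_GOOD_HOSTS = {"www.example-exchange.com", "wallet.example-wallet.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-letter edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, known_hosts=KNOWN_GOOD_HOSTS) -> list:
    """Return a list of warnings for a link found in a message; an empty list means it passes."""
    parts = urlsplit(url.strip())
    # .hostname is what the browser actually connects to; it ignores any
    # "user@" prefix that a forged link may use to display a familiar name.
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS (scheme=%s)" % (parts.scheme or "none"))
    if not host:
        warnings.append("no host in link")
        return warnings
    if host in known_hosts:
        return warnings
    # A host one or two edits away from a legitimate one is the classic clone-site trick.
    for good in sorted(known_hosts):
        d = edit_distance(host, good)
        if d <= 2:
            warnings.append("host %r is %d edit(s) from legitimate %r: likely clone" % (host, d, good))
            break
    else:
        warnings.append("host %r is not a known legitimate site" % host)
    return warnings


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing e-mail.
    for link in ("https://www.example-exchange.com/login",
                 "https://www.examp1e-exchange.com/login",
                 "https://www.example-exchange.com@evil.net/"):
        print(link, "->", check_link(link) or "ok")
```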

Cryptojacking, hidden mining and common sense

The good news is that hackers are gradually losing interest in brutal attacks on wallets because of the growing opposition of cryptocurrency services and the increasing level of literacy of users themselves. The focus of hackers is now on hidden mining.

According to McAfee Labs, in the first quarter of 2018, 2.9 million samples of malware for hidden mining were registered worldwide. This is 625 percent more than in the last quarter of 2017. The method is called "cryptojacking," and it has fascinated hackers with its simplicity to such an extent that they have taken it up en masse, abandoning traditional ransomware.

The bad news is that hacking activity has not decreased in the least. Experts at the cybersecurity company Carbon Black revealed that, as of July 2018, there are approximately 12,000 trading platforms on the dark web selling about 34,000 offers for hackers. The average price of malicious attack software sold on such a platform is about $224.

Picture source: Carbon Black

But how does it get onto our computers? Let's return to the news with which we started. On June 27, users began leaving comments on the Malwarebytes forum about a program called All-Radio 4.27 Portable that was being installed on their devices without their knowledge. The situation was complicated by the impossibility of removing it. Though, in its original form, this software seems to be an innocuous and popular content viewer, this version had been modified by hackers into a whole "suitcase" of unpleasant surprises.

Of course, the package contains a hidden miner, but that only slows down the computer. The clipboard-monitoring program, however, replaces the address when the user copies and pastes it, and it has been found to contain 2,343,286 Bitcoin wallet addresses of potential victims. This is the first time hackers have demonstrated such a huge database of cryptocurrency owners — so far, such programs have contained a very limited set of addresses for substitution.

After the substitution, the user voluntarily transfers funds to the attacker's wallet address. The only way to protect funds against this is to double-check the entered address against the one shown on the website, which is not very pleasant, but reliable, and could become a useful habit.

After questioning victims of All-Radio 4.27 Portable, it was discovered that the malicious software got onto their computers as a result of their own imprudent actions. As the experts from Malwarebytes and Bleeping Computer found out, people had used cracks of licensed programs and games, as well as Windows activators such as KMSpico. Thus, the hackers chose as victims those who consciously violated copyright and security rules.

Well-known Mac malware expert Patrick Wardle often writes in his blog that many viruses aimed at ordinary users are infinitely stupid. It is equally silly to fall victim to such attacks. Therefore, in conclusion, we'd like to remind you of the advice from Bryan Wallace, Google Small Business Advisor:

“Encryption, anti-virus software, and multi-factor identification will only keep your assets safe to a point; the key is preventive measures and simple common sense.”