Once upon a time, a phishing email would nearly always impersonate a financial organization, would be poorly written and easily recognizable.
Today, there are many ways that phishers can target organizations, employees and consumers – and multiple avenues that they take to do so. As society becomes increasingly dependent on online processes, phishers become more innovative in capitalizing on those practices.
Case in point? Cryptophishing, a new form of online phishing that has surfaced with the advent of cryptocurrency in online financial practices. We’ll delve into this, but first, let’s review some background on cryptocurrency.
What Is cryptocurrency?
- Cryptocurrency/Coin/Token: In simple terms, cryptocurrencies can be called a tokens, where each token is simply 1 unit of value of that cryptocurrency. The ownership of cryptocurrency tokens is recorded on a digital ledger (generally a blockchain).
- Blockchain: A database protocol. In cryptocurrency, a blockchain is a distributed digital public ledger where transactions and balances of a given cryptocurrency are recorded. It is secured using cryptographic hashes. Not every cryptocurrency is blockchain-based. One should note that blockchains can do more than act as ledgers of transactions, they can store any sort of data in sequential blocks (their potential and the potential of other hash-based systems is endless as far as the potential of databases goes).
- Cryptocurrency Wallet: Software that allows you to create cryptocurrency transactions and see balances associated with cryptocurrency addresses. Or more specifically, in wallets where you control your private keys, software that lets you access balances associated with your private and public keys and create a transaction using your private keys (see “keys” below for an explanation). NOTE: With some wallet types, like custodial wallets on exchanges, you don’t manage your private keys direction but show an address where a balance is stored. These too can be described as a wallet.
- Keys (Cryptographic Keys): Cryptocurrency is largely based on public-key cryptography. The concept is that one key can be known publicly (the public key) and the other can’t (the private key). A public address is the public account number people can send coins to; it a has a public key, which is a hash of a private key. The private key is a unique personal password from which coins can be sent by creating a signature (i.e. an encrypted version of the private key). Users should never share the private key as it is the root of all information needed to access a cryptocurrency wallet.
How cryptophishing works
Cryptographic keys are the primary reason that cryptophishing is becoming more prevalent. The anonymity of cryptocurrency wallets makes stealing them easier than traditional phishing, which targets bank accounts and must elude security measures to transfer money and then launder it.
Cryptophishing attacks are highly targeted, and costlier for offenders to organize, because of their higher return on investment. Emails are often customized to the recipient and look legitimate. Because these emails are so highly targeted, they can be harder to detect and may not be flagged as suspicious.
Further complicating matters, cryptophishing tends to leverage various forms of distribution other than email. Cryptophishers have been known to use social media to distribute phish. Fake social media profiles, for example, might look like a well-known and legitimate cryptocurrency social group and target members of that group. Cryptophishers have also been known to purchase ad words and put links to phishing sites in paid search engine listings.
Cryptophishing emails can impersonate any entity of a cryptocurrency process including web wallets, cryptocurrency exchanges, blockchain, etc. The vulnerability comes primarily from when a user accesses their crypto wallet online or through mobile devices (rather than on a computer or external device with a hardcoded and protected private key).
In the phishing example above, a phishing site attempts to access a user’s cryptocurrency wallet by requesting private keys, mnemonic phrases or specific file information.
As cryptocurrencies become more prevalent there will be an increase in phishing attacks targeting all parts of the cryptocurrency process. As with any new financial endeavor, vulnerabilities will stem from the human element falling prey to social engineering.
Securing logins and private keys for cryptocurrency wallets is paramount. The anonymity of the process prevents exchanges, currencies, or wallet software from taking on responsibility for any losses due to phishing. Unlike traditional banks, there isn’t insurance to cover losses due to fraud.
Further reading on cryptocurrency basics: