Think like a scammer to protect your crypto assets

HT-Moh
6 min read · Jan 17, 2022

Blockchain technology is revolutionizing the way we transact with each other: assets can be transferred faster, the identities of the sender and the receiver are kept hidden, and transactions are impossible to counterfeit or hack. Really?

Scammers and hackers are not short of ideas: fake blockchains, fake cryptocurrencies, exploiting smart contract vulnerabilities, or even flooding the blockchain network with spam transactions and carrying out 51% attacks, and more. All for the same reason retail and institutional investors are jumping on the blockchain wagon: money.

In this blog, we’ll look at one of the many ways cyber-criminals seek to profit from the cryptocurrency space: carrying out a phishing attack.

Phishing is a form of fraud in which an attacker poses as a trustworthy organization or person in email or other forms of communication. Attackers commonly use phishing emails to distribute malicious links or attachments that can perform a variety of functions.

Think like a scammer!

Let’s put on the scammer hat for a few minutes, with almost no technical jargon. Let’s say we want to pull off a phishing attack to steal ADA funds; how can we do it in its simplest form? Why not just make the victims send us the funds themselves? Is that not easy? It turns out it is relatively easy.

Steps:

  1. Purchase a domain similar to the official website https://daedaluswallet.io/
  2. Clone the Daedalus website using tools such as https://github.com/imthaghost/goclone
  3. Download the official Daedalus wallet from https://daedaluswallet.io/
  4. Inject the official Daedalus wallet with malicious code, using tools such as Debinject in the case of Debian packages.
  5. Put the copied website and the injected wallet on a web server such as apache2 in the cloud.
  6. Craft a convincing email with your malicious link (e.g. “Daedalus revolutionary new version!”).
  7. Send the email to your victims.
  8. Wait for the victim to download the wallet through your fake website and use it.
  9. Eureka, you have the victim’s funds.

The malicious code can be, for example, a keylogger, or a script that sends funds to the scammer’s ADA address.

Real world phishing attack

Crypto scams rose by more than 80% last year. Last December, in a real-world phishing attack, scammers used Google Ads to direct victims to a fake https://phantom.app/ wallet, and hundreds of thousands of dollars were stolen.

“Simplicity is the ultimate sophistication.” — Leonardo da Vinci.

Scammers purchased the domain https://phanton.app, almost the same as the official https://phantom.app/, and used Google Ads to direct as many victims as possible to their fake wallet website. Compared to our example above, they replaced step 7 (email) with Google Ads.

The main principle of a phishing attack, and of social engineering in general, is to trick you into walking into a trap.

Psychological manipulation

Scammers are masters of psychological manipulation; they use every trick in the book to move their targets out of logical thinking and into an emotional state where logic suddenly goes out the window.

Psychological tricks

  • Phantom riches: enticing investors with the prospect of future wealth and promises of guaranteed income.
  • Social consensus: leading investors to believe that other savvy investors have already bought into the opportunity.
  • Reciprocity: offering to cut the commission in half in exchange for investing.
  • Scarcity: creating a false sense of urgency by claiming there is a limited supply.

In November 2021, scammers used the popularity of the Netflix series Squid Game and created a digital token which they marketed as a “play-to-earn cryptocurrency”.

“Play-to-earn” cryptocurrency is where people buy tokens to use in online games and can earn more tokens, which can later be exchanged for other cryptocurrencies or national currencies.

This kind of scam is commonly called a “rug pull”: the scammers draw in buyers and investors, then run off with the money raised from sales.

DYO — Do Your Own Research

One of the main skills a scammer has is research. The time spent researching and preparing determines the likelihood of pulling off a successful attack. Likewise, for users, doing DYO before investing decreases your chance of being scammed, or of simply investing in the wrong project.

I cannot emphasize this point enough; it is often overlooked or outsourced to third parties. Many people prefer to just watch one or two videos about the project, scroll through the project’s promotional website, and already have an opinion.

For my part, I prefer DYO, and how far I go depends on whether my level of interest decreases or increases while researching the project.

Sometimes DYO is not enough, and this is why my golden rule is: don’t invest what you can’t afford to lose.

Don’t trust — verify!

Security is all about knowing who and what to trust, and that is the essence of phishing attacks and social engineering attacks in general: they usually work by faking something like a website, mobile application or phone number, and tricking victims into falling into the trap.

Here are a few rules I follow:

  1. General principle: unless you 100% trust the site you are on, do not willingly give out your card information, your crypto spending password, your crypto mnemonic or other sensitive data.
  2. Double-check the URL or the application name: take a few minutes and check the web address you are navigating to, or the name of the application you are about to download from the store.
  3. HTTPS, not HTTP: make sure the URL you are navigating to starts with HTTPS.
  4. Bookmark your favorite websites: this is a simple thing I always do, which saves me time and reduces the risk of ending up on fake websites.
  5. Two-factor authentication: improve the security of your online accounts, such as exchanges or email, by using two-factor authentication (2FA). You know that annoying code that is sent to you by SMS or generated by an authenticator app such as Google Authenticator, which you then need to type in as an extra step to log in? That is 2FA.
    > Note: Using an authenticator app to generate your two-factor login codes is more secure than text messages.
  6. File downloads: I recommend downloading files only from the source, when you can authenticate the sender.
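Rules 2 and 3 above can be turned into a small, automatic pre-click check, and the same check catches the kind of lookalike domain from the Phantom case (phanton.app versus phantom.app). The Python below is an added example written for this page, not code from the original post or from any of the tools it mentions. It assumes a constructed bookmark list (rule 4) and a simple edit-distance comparison; the names BOOKMARKED, check_url and the verdict labels are my own. One practitioner's caveat it encodes: the scheme check alone proves nothing about legitimacy (the fake domain above is written with an https:// prefix too), so "https" is only combined with the bookmark comparison, never treated as proof on its own.

```python
"""Added example (not from the original post): a pre-click URL checker that
applies the "double-check the URL" and "HTTPS not HTTP" rules against a
list of bookmarked, trusted domains and flags lookalike hostnames.

Assumptions (not from the post): BOOKMARKED is a constructed allowlist; the
verdict labels "ok" / "warn" / "reject" are my own convention.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the domains a user has bookmarked (rule 4).
BOOKMARKED = {"daedaluswallet.io", "phantom.app"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character inserts/deletes/substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (www.phantom.app -> phantom.app).
    Good enough for .io/.app style TLDs used here; a real tool would use the
    Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str, bookmarked=BOOKMARKED) -> dict:
    """Return {"host", "verdict", "findings"} for a URL the user is about to open."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return {"host": host, "verdict": "reject",
                "findings": ["no hostname (is the scheme missing?)"]}

    findings = []
    suspicious = False                      # hard indicators -> reject

    if parts.scheme != "https":             # rule 3
        findings.append("not https")

    labels = host.split(".")
    # Internationalised names can mimic Latin letters (homograph lookalikes).
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("IDN/punycode hostname, possible homograph lookalike")
        suspicious = True

    base = registrable(host)
    if base in bookmarked:                  # exact bookmark or its subdomain
        verdict = "reject" if suspicious else ("warn" if findings else "ok")
        return {"host": host, "verdict": verdict, "findings": findings}

    # Not bookmarked: does it merely *resemble* a bookmark? (rule 2)
    for good in sorted(bookmarked):
        brand = good.split(".")[0]
        dist = levenshtein(base, good)
        if dist <= 2:                       # phanton.app vs phantom.app -> 1
            findings.append(f"lookalike of {good} (edit distance {dist})")
            suspicious = True
        elif brand in host:                 # phantom.app.example.com etc.
            findings.append(f"contains the name '{brand}' but is not {good}")
            suspicious = True

    if not findings:
        findings.append("not bookmarked")
    verdict = "reject" if suspicious else "warn"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalike from the Phantom case.
    for sample in ("https://phantom.app/", "https://phanton.app",
                   "http://daedaluswallet.io/", "https://phantom.app.example.com/"):
        print(sample, "->", check_url(sample))
```

The verdicts are deliberately conservative: an unbookmarked domain is only a "warn" (it may simply be a site you have not visited before), while a near-miss of a bookmarked name, a brand name buried inside an unrelated domain, or a punycode hostname is a "reject" because those patterns have no honest reason to appear in a wallet download link.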

Tools that really help

Browser: for privacy I use Brave.

Brave is a free and open-source web browser based on Chromium, which Chrome is also based on. Brave is a privacy-focused browser that automatically blocks online advertisements and website trackers in its default settings.

Ad-blocker and anti-phishing add-ons: install browser add-ons that alert you to phishing sites, block malicious websites, and block online advertisements. I personally use two awesome open-source add-ons:

  1. PhishFort: anti-phishing solutions for high-risk industries. This is one of the best Chrome add-ons, offering website and domain phishing protection.
  2. uBlock: an efficient blocker add-on for various browsers. Fast, potent, and lean.

I think the key takeaway from this article is to avoid the one mistake you will regret: not taking the simple steps and precautions that protect your crypto funds and your privacy in general.

Profiler: Swiss-knife investigation tool on the Cardano blockchain
Cardano Pool: Profiler
Ticker: PRO
Original article: https://www.profiler.biz/blog/think-like-a-scammer-to-protect-your-crypto-assets

Disclaimer: This post is for educational purposes only, the authors do not endorse or promote any products discussed herein.
