One target of cybercriminals is cryptocurrencies, which hold tremendous wealth but are largely anonymous. This limits the attack surface mostly to avenues requiring complex technical approaches. Always preferring the path of least resistance, many fraudsters and online thieves prefer to target people rather than systems. This is the second of two posts on threats to cryptocurrencies. In the first, we looked at some risks of innovation. In this post, we examine threats via social platforms.
Cryptocurrency opportunity for cybercriminals
The chaotic world of cryptocurrencies is ripe with innovation. There are blockchains and related currencies associated with all manner of business transactions, recordkeeping, legal contracts, charities, and even healthcare research. In many cases the application of blockchain technology solves a variety of problems and opens new value-added opportunities. An emerging sector is the convergence with social media platforms. One popular example is Steemit, a newcomer to the cryptocurrency world that may represent an evolutionary trend, differentiating itself from traditional digital currencies by bridging blockchain and social media. Steemit appeared early this year and skyrocketed in value and prominence to break into the top five cryptocurrencies with a market cap of about $160 million.
Like Ethereum, a blockchain app platform, Steemit is more than just a monetary device. Steem, the cryptocurrency, is intertwined with the decentralized social media networking site Steemit.com. This social portal allows people to create posts, interact with others, and curate content by voting for their favorites. These elements are very similar to other social media sites. The difference, however, is that the platform grants cryptocurrency as a reward to authors and curators. The process of voting for popular content contributes to the value of the posts, which is paid to participants. In short, a blogger can earn cryptocurrency by authoring content that is voted up by other members of the community. This currency can then be sold on digital markets and transferred into US dollars or other forms of money. Users have a social profile that is tied to the open blockchain, as is all the content. So everything is public and transparent, embedded in the chain, including account balances and activities of the users.
Although this innovative platform pays users to participate, the front-end social media web portal opens new avenues for cybercriminals that are not present in most other cryptocurrencies. Being able to conduct research on who has considerable wealth and what topics they are interested in, write about, vote for, or comment on is a big advantage for social engineering criminals.
Steemit and others like it use a public blockchain, digital wallets, and miners. So the normal technical-based cryptoattacks will occur as we have seen with other cryptocurrencies. Mining attacks seek more than one’s fair share. Attempts to counterfeit transactions or create fraudulent ones in the system are popular. Researchers will scour the open-source code for vulnerabilities they can exploit. Malware will attempt to infect systems so the software can steal private keys and logins, or conduct man-in-the-middle attacks. These are typical attempts to circumvent security controls and victimize users. In fact, the site has already experienced a hack, but contained the impact to less than $85,000, affecting only 260 users. The losses were reimbursed.
The difference with these cryptocurrency-based social platforms is they expose community interaction elements to social engineers, who can take advantage of the abundance of open-source information to attack users. Most other cryptocurrencies shield their users and owners with anonymity.
Anyone can join, so it is easy to stalk or befriend a target. Attackers can track what their prey like or dislike, as well as establish patterns when they are active, figure out whom they know and trust, and watch transactions on their accounts. These are all very valuable tools supporting social engineering attacks.
Behavioral attacks work against the weakest element of a computer network, the users. Successful attacks can give complete control of systems, access to accounts, lock out legitimate users, destroy reputations, and steal intellectual property and financial assets.
Fraud is a common practice in cyberspace; it provides a quick financial benefit to attackers. For Steemit, because it is a full-fledged social platform, I predict an abnormally high level of fraud, scams, phishing, and other manner of social engineering attempts, compared with other cryptocurrencies without deep social interactions. Now attackers can communicate through posting and commenting. Secondary avenues such as chat and person-to-person messages, which are currently delivered with third-party tools, will likely be instituted before the official release. This step will grant an aggressor many avenues to attack potential victims.
There will be scams, posts that lure people to purchase, donate, or click so an attacker benefits. Ponzi swindles, lottery rip-offs, and get-rich-quick schemes will flourish if these threats are not proactively addressed. I have already seen a few attempts.
Phishing is likely to include bad links within posts, directing users to sites with malware or to legitimate sites on which ads have been compromised to push malware to visitors. Either way, if attackers can successfully install their malicious software, the victims lose.
Common phishing techniques include soliciting passwords or private keys from users. An email, instant pop-up message, text, or redirection to an authentic looking webpage could be designed to obtain a user’s credentials, keys, or passwords. There are already reports of users receiving emails that look like legitimate requests from administrators. Others report emails that direct the user to a webpage with a name similar to the site’s but just one character off in the address.
The platform is in open beta testing, with the Version 1.0 coming. Releasing software to the public before it is completed and tested is a common practice for new cryptocurrencies, but there are many risks with this approach. This move can expose users to new vulnerabilities; exploits are expected. The development team must split its time between bug fixes and new functions.
Until Steemit is released with a complete set of integrated features, there exists an opportunity for crafty criminals to create tools that require users to input their private keys. A tool author in good standing could wait for many people to use a tool before turning on them and liquidating the assets of overly trusting victims.
Cryptocurrency-based social media sites a big target
Steem will face all the typical problems that other digital currencies must deal with. It must also cope with the pressure of being a work-in-progress social media site and the likely behavioral attacks that will leverage the communication aspects of this platform. Synereo is another platform that will soon emerge and will receive the same attention from fraudsters. The success of this model will fuel more to follow.
Positive characteristics might make a difference
Although I believe cybercriminals will relentlessly target Steemit’s social platform, the platform has several positive security aspects.
I have been a beta participant for about a month. Multiple aspects set Steemit apart from other cryptocurrency operations. The developers have an excellent depth of knowledge in cryptocurrency. Some of what I have seen should be considered best practices for other platforms to adopt.
- Three passwords instead of one. Passwords offer separation of controls. Instead of just one password, the architecture has three: an owner key, active key, and posting key. Each can be used in different ways and potentially be leveraged to limit exposure of one all-powerful private key.
- Developers are on the ball. The platform benefits from a very active developer community to identify issues, engineer fixes, and quickly resolve problems. The recent account breach was contained in a day.
- The governance architecture. The code employs a delegated proof-of-stake (DPOS) consensus algorithm. In a DPOS system, the community votes for individuals, called witnesses, to be responsible for verifying transactions. Unlike with typical decentralized autonomous organizations, with DPOS only a small number of representatives control the blockchain, which makes decisions much faster. Witnesses are voted into paying roles as custodians of the system. If necessary, witnesses can control blockchain forks, changes to the core structure to correct serious issues. A small number of accountable people are the active caretakers of the platform and respond in a timely manner.
- The currency has three layers of abstraction. Steem is a classic cryptocurrency; Steem Dollars is a long-term investment option; and Steem Power dictates the value of the user’s votes. This may seem confusing, but it creates some complexities for criminals. Each layer has its own properties, uses, and limitations. Steem is completely liquid and can be sold for Bitcoin and then converted to dollars, while Steem Power takes two years to reach a liquid form that can be converted to dollars. The confusion aside, the separation creates compartmentalization that attackers must contend with and in some cases institutes time delays before money is completely transferred. Each barrier is another opportunity to detect an attack and intervene.
- Two factors for account recovery. The platform can use two-factor authentication to recover accounts. Using passwords and a verification via email address, the system can restore hijacked accounts quickly and with a good degree of confidence.
- Escrow times for major account changes. The developers are working on a dispute system for owner-key changes. They have proposed a structure in which users would identify trusted individuals to take part in multisignature oversight and recovery systems. Essentially, if your account is taken over, your trusted individuals challenge the takeover to restore the rightful owner.
- Thought leadership. This team of developers takes a proactive approach to anticipate challenges. They have experience with other cryptocurrencies and are very active in avoiding the pitfalls experienced by other systems. I have been impressed with their willingness to openly discuss future challenges, propose a number of options, and listen to the feedback of the community.
- Self-regulating users. They are diverse, opinionated, and do not put up with people abusing the system. Users readily call out scams and do a fairly good job at self-regulating. This frees developers to focus on architectural challenges, feature enhancements, and bug fixes.
Here are my recommendations to be safe and protect your assets.
- Be aware you may be targeted via the social media platform. Social engineering can take many forms. Trust no one with your passcodes or keys.
- Expect email, text, and even phone phishing asking you to install something, provide your passcodes or keys, or even to simply pay a “fine.” Believe nothing you receive in email or text. And never click on a link you receive in an email or text. If you are instructed to log in to your account, open a browser and navigate manually. Don’t click that link!
- Ignore “transfer requests,” Ponzi scams, lottery posts, “you’ve won a prize” scams, and anyone who wants to give you a fortune but first you must send them a processing fee. These are all ways for an attacker to benefit.
- Ransomware is a big and growing problem that can use social aspects to infect. Get acquainted with the risks of ransomware and what to do before and after an infection. Read “7 Methods to Fight Back Against Ransomware” and “Ransomware Help is Here.”
- Watch for malicious links in posts. I don’t believe the site checks for malicious links embedded in posts created by other users. This could be a big problem. Malicious sites can push malware and legitimate sites can be hijacked as can ads appearing on them. If you are unsure, use Google to see if the site is safe.
- Beware of fake endorsements, friends, and trust scams. Professional social engineers will learn about you and find emotional attachments to gain your trust. They can be a long-lost college friend, an attractive young girl, an abused little boy, a starving farmer in a far away land, a stranded traveler in a hostile country, the coolest DJ you ever met, an almost famous movie star. Social sites are not a place to assign trust. So don’t. The moment attackers gain your trust, they will ask for something and relentlessly manipulate you until they get it.
- Be careful which software you install and use. There are great supplemental tools, created by innovative users, but be wary and never use one that requires your password, login, or account keys or that asks you to disable your antimalware software.
- Keep your operating system and applications patched and updated. This closes known vulnerabilities, which are what most attackers target. Zero days are not as big of a problem for consumers as the media would have you think.
- Install client based antimalware software from a reputable company that continually updates it. This is a basic protection.
- Watch your accounts and immediately report suspicious activities.
- Maintain a strong password. By default, cryptocurrency systems can create good ones. Don’t change it to something simple. They are easy to attack via brute force. Always keep it strong. Change it immediately if you suspect a problem. Store it in a secure location, preferably encrypted, such as in a password vault.
- Don’t log in via insecure networks (coffee shops, free Wi-Fi hotspots, airports, hotels, etc.). Such networks are targets themselves for hackers. This enables them to conduct man-in-the-middle attacks to steal credentials or falsify transactions.
Cryptocurrencies with significant market value are a target for cybercriminals. As new uses are developed that include user interaction, platforms such as Ethereum, Steemit, and Synereo will become attractive targets for fraudsters, phishing, and social engineering attacks. To remain safe and trustworthy, the platforms must be designed with great features to enhance security. Users must be wary and follow good protective practices.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.