Community User Submission - Author: WhoTookMyCrypto.com
2017 was a memorable year for the cryptocurrency industry: its rapid growth in value drove mainstream media coverage of cryptocurrencies. Unsurprisingly, this sparked a lot of interest from both the public at large and cybercriminals. The relative anonymity offered by cryptocurrencies makes them a favorite tool for criminals, who use them to circumvent the traditional banking system and avoid financial oversight by regulators.
Users now spend more time on smartphones than on desktop computers, and cybercriminals are turning their attention to this. The following content will highlight and discuss how scammers are targeting cryptocurrency users via their mobile devices and what users should do to further protect themselves.
Perhaps the most well-known example of a fake cryptocurrency exchange app is the one impersonating Poloniex. Prior to the launch of Poloniex’s official mobile trading app in July 2018, several fake Poloniex exchange apps had appeared on Google Play that were specifically designed to carry out scams. Many users who downloaded these fake apps had their Poloniex login credentials compromised and their cryptocurrency stolen. Some of these apps even asked users to provide their Gmail account login credentials. It’s important to stress that only accounts that don’t have two-factor authentication (2FA) set up are affected.
Here are some steps you can take to help prevent this type of scam.
Check the official website of the exchange to confirm if they indeed offer a mobile trading app. If true, please use the secure link provided on their website.
Read the app's reviews and ratings. Fake apps often have a lot of bad reviews in which people report scams, so be sure to check before downloading. However, you should also be skeptical of apps that have perfect user ratings and reviews, because any normal app will have some negative reviews.
Check application developer information. Check to see if it provides a legitimate company, email address, and website. You should also conduct an online search on the information provided to see if they relate to official exchanges.
Check the number of downloads. This also needs to be considered, because it is impossible for a mainstream cryptocurrency exchange to have only a small number of downloads.
Activate 2FA settings on your account. While it's not 100% secure, setting up 2FA provides more protection if your login credentials are stolen, making a huge difference compared to accounts without 2FA.
There are many different types of fake wallet apps. One form aims to obtain users’ personal information, such as their wallet passwords and private keys.
In some cases, the fake application will provide the user with a previously generated public key address. So users deposit funds to these addresses. However, users do not have access to the private key and therefore cannot access the funds they deposited to the public address.
Such fake wallets are usually created for mainstream cryptocurrencies such as Ethereum and Neo, and unfortunately, many users have lost their assets due to this. The following measures can help you avoid becoming a victim:
The same considerations mentioned above for exchange applications also apply. However, there are some additional precautions you can take when dealing with wallet applications: make sure that a brand new address is generated when you first open the application and that you have access to the private key (or mnemonic seed). Legitimate wallet applications will allow you to export your private keys, and it is important to ensure that the newly generated key pair is not compromised. Therefore, you should use reputable software (preferably open source).
Even if an application is able to provide you with private keys (or seeds), you should verify that the public key addresses can be derived from and accessed with them. For example, some Bitcoin wallets allow users to import their private key or seed and view the corresponding address and assets. To minimize the risk of the key or seed leaking, you can do this on a computer that is not connected to the Internet.
Because the barrier to entry is low and the costs required are low, cryptojacking attacks have always been a favorite among cybercriminals. In addition, cryptojacking provides them with potential recurring income. Despite having lower processing power compared to PCs, mobile devices remain a prime target for cryptojacking attacks.
In addition to cryptojacking attacks on browsers, cybercriminals have also developed apps that resemble legitimate games, utilities or educational applications. However, the purpose of many of these apps is to illegally run crypto mining scripts in the background of users’ devices.
There are also cryptojacking apps that claim to be legitimate third-party miners, but the mining rewards are delivered to the app developers instead of the users.
To make matters worse, cybercriminals’ techniques are becoming increasingly sophisticated and they continue to deploy ever more lightweight mining algorithms to avoid detection.
Cryptojacking apps are very harmful to your mobile device because they reduce performance and accelerate device wear. What's more, they can act as Trojan horses for other malware.
You can take precautions in the following ways.
Only download apps from official stores, such as Google Play. Pirated apps have not been manually screened and are more likely to contain cryptojacking scripts.
Monitor whether the phone has excessive battery drain or overheating. If detected, it is recommended to terminate the application causing the problem.
Update your devices and apps to fix security vulnerabilities.
Use a web browser that guards against cryptojacking, or install reputable browser plug-ins (such as MinerBlock, NoCoin and Adblock).
If possible, install mobile antivirus software and keep it updated.
Such apps pretend to be cryptocurrency mining software but are actually just there to display ads. They trick users by showing mining rewards that increase the longer the app stays open, which incentivizes users to keep the application open. Some apps even encourage users to leave a 5-star rating to earn rewards. Of course, none of these applications perform actual mining, nor do users of such software receive any rewards.
To protect against this type of software, it is important to understand that for most cryptocurrencies, highly specialized hardware (ASICs) is required for mining, which means mining on a mobile device is not feasible. Even if you can obtain funds through mining this way, the amount is insignificant. So please stay away from such apps.
These apps change the cryptocurrency address you copied and replace it with the attacker’s address. Although the victim copies the correct payment address, by the time they paste it, the correct transaction address has been swapped for the attacker's.
To avoid falling victim to such applications, here are some precautions you can take when processing related transactions.
Double and triple check the address you want to paste into the To field. Blockchain transactions are irreversible, so you should be careful.
It's best to verify the accuracy of the entire address, not just a portion of it. Some apps are smart enough to paste an address similar to your intended one.
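The difference between checking part of an address and checking all of it, shown as an added example that is not part of the original article. The function names and both addresses are constructed for illustration; the look-alike keeps the first and last six characters of the intended address.

```python
# Added example. The addresses are constructed sample strings, not real wallets.

def partial_check(intended: str, pasted: str, n: int = 4) -> bool:
    """The weak habit: compare only the first and last n characters."""
    a, b = intended.strip(), pasted.strip()
    return a[:n] == b[:n] and a[-n:] == b[-n:]

def compare_addresses(intended: str, pasted: str) -> dict:
    """Compare the whole address, character for character, and describe any mismatch."""
    a, b = intended.strip(), pasted.strip()
    if a == b:
        return {"verdict": "match", "prefix": len(a), "suffix": len(a), "first_diff": None}
    # Number of leading characters the two strings share
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    # Number of trailing characters they share, not overlapping the shared prefix
    suffix = 0
    limit = min(len(a), len(b)) - prefix
    while suffix < limit and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    # A look-alike survives a glance at the ends but is still a different address
    verdict = "lookalike" if prefix >= 4 or suffix >= 4 else "different"
    return {"verdict": verdict, "prefix": prefix, "suffix": suffix, "first_diff": prefix}

# Constructed sample values
INTENDED = "0xA1b2C3d4E5f60718293a4B5c6D7e8F9012345678"
LOOKALIKE = INTENDED[:6] + "f" * 30 + INTENDED[-6:]

if __name__ == "__main__":
    print("ends-only check passes:", partial_check(INTENDED, LOOKALIKE))
    print("full comparison:", compare_addresses(INTENDED, LOOKALIKE))
```

The ends-only check accepts the look-alike, while the full comparison reports the first differing position so the mismatch can be seen before the transaction is sent.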
Cybercriminals commit SIM card swap fraud by gaining access to the user's phone number. They do this through social engineering, tricking mobile phone operators into issuing new SIM cards. The most famous SIM swap scam involves cryptocurrency entrepreneur Michael Terpin. He claims he lost more than $20 million worth of cryptocurrency due to AT&T's negligence in handling his phone credentials.
If cybercriminals gain access to your phone number, they can bypass all 2FA authentication that relies on it and gain access to your cryptocurrency wallets and exchanges.
Another method cybercriminals will use is to monitor your text message communications. Flaws in communications networks can be exploited by criminals to intercept your text messages, which may include second-factor authentication messages sent to you.
This type of attack is particularly concerning because it requires no action from the user, such as downloading fake software or clicking on a malicious link.
To prevent falling victim to this type of scam, here are some defenses to consider.
Do not use your mobile phone number for SMS 2FA authentication. Instead, use Google Authenticator or an app like Authy to keep your account secure. Even if your phone number is stolen, cybercriminals cannot access these apps. Alternatively, you can use hardware 2FA for protection, such as YubiKey or Google's Titan Security Key.
Don’t give out personally identifiable information, such as your mobile phone number, on social media. Cybercriminals can obtain this information and use it elsewhere to impersonate you.
Please do not announce on social media that you own cryptocurrency, as this can make you a target. Alternatively, if this has already been exposed to others, avoid disclosing personal information such as the exchange or wallet you use.
Work with your mobile phone carrier to protect your account. This may mean setting a PIN or password on the account and making it clear that only someone who knows it can make changes to the account. Alternatively, arrange that only you can authorize such changes and that they cannot be made over the phone.
Cybercriminals also continue to seek entry points into mobile devices, especially those of cryptocurrency users. One entry point is WiFi access. Public WiFi is not secure and users should take precautions before connecting. Without precautions, cybercriminals can gain access to data on a user’s mobile device. These precautions have been covered in the article about public WiFi.
Mobile phones have become an indispensable part of our lives. In fact, they are so tied to your digital identity that they can be your biggest vulnerability. Cybercriminals are aware of this and will continue to look for ways to exploit this vulnerability. Securing mobile devices is no longer optional. It has become a must. Therefore, please take precautions.