Binance Blog
News and updates from the world’s leading cryptocurrency exchange
5 Common Social Engineering and Cyber Attacks and How to Avoid Them
2020-6-12

In the previous #StaySAFU article, we looked at 5 common cryptocurrency scams and how to avoid them. But it's not just phishing that you should be on the lookout for.

Phishing is but one of the many methods that malicious parties employ to steal sensitive data or digital assets.

Difference between social engineering and hacking

Social engineering attacks are based on psychological manipulation of the target, aiming to lure unknowing victims into divulging confidential information or signing away digital assets.

Social engineering doesn't perform direct attacks on security systems, hardware, or the technological side of things. It targets the weakest link in the chain – us. Through deceit and manipulation, the victim is tricked into willingly handing over their sensitive data to the attacker. 

Hacking, on the other hand, targets the technology itself. It involves direct attacks on software, hardware, or infrastructure in order to find or create exploitable vulnerabilities. The motive varies, but the predominant aim today is to gain control over your device or system, or to steal credentials, for financial gain. Occasionally the sole intent is simply to harm the victim. 

Now let's take a look at five of the most common social engineering and hacking attacks, and one mistake we're all guilty of.

Ransomware

Ransomware is malicious software that locks you out of your device or encrypts your files and demands a ransom, usually in cryptocurrency, to restore access, sometimes with the added threat of deleting or leaking your data. What exactly happens depends on the type of ransomware you're dealing with. 

Scareware is the most primitive form. A malicious script or program, often a pop-up in the browser, displays an alarming warning to frighten you into downloading a file, paying for a bogus product, or contacting a fake support line. Nothing is actually encrypted, and scareware can be removed with reputable, readily available security software without any harm to your data or device.

A screen locker is a more dangerous type. Screen lockers lock you out of your device entirely and display a message impersonating a government agency or law-enforcement body, which will conveniently unlock your device if you pay a "fine" in cryptocurrency. Paying does not guarantee that your device or data is released, and the odds are that your data is gone either way.

The worst case is encryption ransomware. The attacker encrypts your data and threatens to delete or publish it unless you pay. The infamous WannaCry outbreak of 2017 gave cryptocurrencies, Bitcoin in particular, a lot of negative press because victims were told to pay the ransom in Bitcoin; the WannaCry wallets received a total of 327 payments totaling 51.62 BTC, worth in excess of $500,000 USD at the time of writing this article. It is worth noting that WannaCry did not rely on social engineering at all: it spread as a worm through a flaw in Windows SMBv1 that Microsoft had already patched (MS17-010), so machines that had installed the update were not infected. 

Once a screen locker or encryption ransomware has taken control of a device, it is in many cases impossible to remove without losing the data. The only reliable defenses are prevention, that is, keeping systems patched and not running untrusted files, and regularly tested backups kept offline or otherwise out of reach of the infected machine. 

Baiting

As the name implies, baiting is an activity where the attacker attempts to lure the potential victim with the promise of a reward. Baiting happens both physically and online. In the physical realm, the bait can be a USB stick or hardware wallet left in a visible spot; once you connect it to your device, it can run malicious software against your computer. Online baiting usually takes the form of too-good-to-be-true ads and competitions.

If you ever find a Trezor hardware wallet with a name tag reading "CZ's BTC Life Savings" on it, it's most likely not real. Don't use devices that don't belong to you, buy hardware wallets only sealed and directly from the manufacturer or an authorized reseller, and stay vigilant of ads and offers that promise great deals or profits. 

Vishing

A combination of the words voice and phishing, vishing is on the rise, with new variations appearing daily. Instead of email or text messages, the attacker uses a phone call, typically placed through an internet telephony (VoIP) service with a spoofed caller ID so that the call appears to come from a legitimate number. The caller informs you that your bank account or card is locked, that your pre-approved mortgage is ready, or that a charity is seeking your contribution, and impersonates trusted parties such as bank employees, debt collectors, customer support, or tax authorities like the IRS. 

You can easily debunk a vishing call by hanging up and calling the organization on a number you look up yourself, such as the one printed on the back of your card or listed on the organization's official website, never on a number the caller gives you, and verifying the claim there.

Binance Support will never contact you over the phone. Never share sensitive data such as passwords, 2FA codes, or seed phrases with a caller: you cannot verify who is on the other end, caller ID can be spoofed, and no phone call is completely private regardless of your provider or handset.

Pretexting

The attacker aims to obtain your private information through a series of lies. In pretexting, the perpetrator often impersonates someone you know or a trusted authority, such as police or bank officials. The pretexter uses a sense of urgency to pry out your private information or to get you to perform specific tasks. 

The most common targets of pretexting are social security numbers, card details, home addresses, phone numbers, seed phrases, or even bitcoins themselves. To avoid becoming a victim, apply the same rule as with vishing: verify that you're dealing with the person or organization they claim to be by contacting them through a channel you found independently, not through one the other party handed you. 

Bait and Switch

The hunting grounds of the bait-and-switch attacker are environments you trust: websites and search engines. Malicious domains appear as regular, sometimes sponsored, results among many legitimate results for your search. With aggressive SEO and paid advertising, the bait impersonates an official website and climbs the rankings. Once you click on the result believing it to be legitimate, you're taken to the attacker's website.

To avoid this attack, be proactive. Before entering credentials, check the domain shown in the address bar rather than the look of the page or the wording of the ad: avoid sites with unusual names or names that contain typos or swapped characters, and be suspicious when a trusted name appears only as a subdomain of some other domain. Reach sites that hold your money by typing the address yourself or using a bookmark rather than clicking a search result or ad. Do not believe ads that promise unrealistic results, use your common sense, and don't automatically click on whatever catches your attention. 
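One way to apply the address-bar check mechanically, for example in a link-checking browser extension or a mail gateway, is to compare the registrable domain of a link against an allowlist and flag the usual lookalike tricks: a trusted name buried in a subdomain, digit-for-letter swaps, one-character typos, and non-ASCII homoglyphs. The Python below is an added example and not code from Binance or this article; the allowlist, the confusable table and the sample URLs are constructed, and the two-label registrable-domain rule is a simplifying assumption.

```python
"""Lookalike-domain check for a link that claims to lead to a site you trust.

Added illustration, not Binance's code. The allowlist, the confusable table and the
sample URLs below are constructed for this example; the two-label registrable-domain
heuristic is an assumption (a real tool would consult the Public Suffix List).
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allowlist: domains the user actually intends to visit.
TRUSTED_DOMAINS = {"binance.com", "trezor.io"}

# Assumed table of character substitutions seen in typosquatted names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host (assumed heuristic; ignores multi-part TLDs like co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def to_unicode_host(hostname: str) -> str:
    """Decode punycode (xn--...) labels so the check sees the characters a browser renders."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode, or not valid IDNA; inspect it as-is


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(name: str) -> str:
    """Map digits and letter pairs that imitate other letters back to the imitated letter."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def classify_url(url: str) -> tuple[str, str]:
    """Return ("trusted" | "lookalike" | "unknown", reason) for a link target.

    "lookalike" means the name resembles a trusted domain but is not one. Edit-distance
    matching produces false positives (finance.com vs binance.com), which is acceptable
    for a warning but not for an automatic block.
    """
    host = urlsplit(url).hostname
    if not host:
        return "unknown", "no hostname in URL"
    host = to_unicode_host(host)
    if any(ord(c) > 127 for c in host):
        # Homoglyph attack: e.g. a Cyrillic letter standing in for a Latin one.
        return "lookalike", f"non-ASCII character in hostname {host!r}"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"registrable domain {domain} is on the allowlist"
    dotted = f".{host}."
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in dotted:
            # binance.com.verify-account.example: the trusted name is only a subdomain label.
            return "lookalike", f"{trusted} appears as a subdomain of {domain}"
        for candidate in (domain, normalize_confusables(domain)):
            if levenshtein(candidate, trusted) <= 1:
                return "lookalike", f"{domain} is within one edit of {trusted}"
    return "unknown", f"{domain} is not on the allowlist and resembles no trusted domain"


if __name__ == "__main__":
    for sample in (
        "https://accounts.binance.com/en/login",
        "https://www.binance.com.verify-account.example/login",
        "https://b1nance.com/",
        "https://b\u0456nance.com/login",  # U+0456, Cyrillic letter that renders like Latin i
        "https://example.org/",
    ):
        print(sample, "->", classify_url(sample))
```

The verdict is advisory: "lookalike" should raise a warning that makes the user look at the domain, while "unknown" simply means the site is not one you have told the tool about. Extending the allowlist is the only way to turn a site from "unknown" into "trusted", which is the point: appearance never is.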

BONUS: Credential Reuse

Although it isn't an attack as such, credential reuse is a weakness that attackers exploit constantly. Most of us have at some point reused the same username and password across multiple services. Once attackers steal credentials from one platform, or buy them from an earlier breach, they try the same combination against every other service they can think of, a technique known as credential stuffing, and every account that shares the password falls along with the first. 

Let's leave credential reuse behind. There is a wide selection of free, well-regarded open-source password managers that generate a strong, unique password for each site you use, and enabling two-factor authentication wherever it is offered means a leaked password alone is not enough to get in. 
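A concrete way to find out how exposed you are is to audit a password-manager export for passwords that appear on more than one site and replace each of them with a freshly generated one. The Python below is an added example rather than code from Binance or this article; the export rows are constructed, and the column layout is an assumption about the manager's CSV format.

```python
"""Audit a password-manager export for reused passwords and mint unique replacements.

Added illustration, not Binance's code. The CSV export below is constructed, and its
column layout (name,url,username,password) is an assumption about the manager's format.
"""
from __future__ import annotations

import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed export: one password covers the exchange, the mailbox and a forum.
SAMPLE_EXPORT = """name,url,username,password
Exchange,https://accounts.binance.com,alice@example.com,Summer2019!
Email,https://mail.example.com,alice@example.com,Summer2019!
Forum,https://forum.example.org,alice_b,Summer2019!
Bank,https://bank.example.net,alice,k9#Lz2!pQv7Rw@Ms
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused(export_csv: str) -> dict[str, list[str]]:
    """Map every password that appears on more than one site to the sites sharing it.

    A breach of any one of those sites exposes all of them: the attacker replays the
    same username/password pair everywhere (credential stuffing).
    """
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        sites_by_password[row["password"]].append(row["url"])
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG with at least one of each character class."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def rotation_plan(export_csv: str, length: int = 20) -> dict[str, str]:
    """A fresh, unique password for every site that currently shares one.

    The weakest copy of a shared password (the forum, say) is the one that leaks, so
    all of them are rotated, not only the high-value exchange account.
    """
    return {site: generate_password(length)
            for sites in find_reused(export_csv).values() for site in sites}


if __name__ == "__main__":
    for password, sites in find_reused(SAMPLE_EXPORT).items():
        print(f"one password shared by {len(sites)} sites: {', '.join(sites)}")
    for site, new_password in rotation_plan(SAMPLE_EXPORT).items():
        print(f"rotate {site}: new {len(new_password)}-character password generated")
```

Run the audit on the machine where the manager lives and delete the plaintext export afterwards; that export is exactly the file an attacker hopes to find.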

Conclusion

It's important to note that not all hacking is malicious. Cypherpunks, penetration testers, white hat hackers, and many more are helping both individuals and businesses to stay safe in the digital era. The cryptocurrency scene is filled with thousands of crypto and Bitcoin businesses, individuals, and security professionals creating a more secure future for all of us. 

We believe that we are only as strong as the weakest link. Every individual needs to learn how to take care of their own security and stay in charge of their private data and wealth. As with all forms of attack, your best defense is common sense and awareness. 

Let's improve our digital security together. Share our #StaySAFU campaign with your friends! 

Don't miss any of the #StaySAFU articles:

Available now - #StaySAFU with Binance's Security Campaign

Available now - 8 Surprising Statistics About Crypto Phishing

Available now - 5 Common Cryptocurrency Scams and How to Avoid Them

Available now - 5 Common Social Engineering and Cyber Attacks and How to Avoid Them

Available now - Secure Your Binance Account in 7 Simple Steps

Available now - #StaySAFU: 5 Security Tips From The Pros

Available now - How to Secure Your Cryptocurrency

Coming 18 June - Join the #StaySAFU Competition and Win a Share of $500 BNB


If you haven’t already, make sure to follow Binance and Binance Academy on Twitter to stay up to date with the campaign’s latest developments.