Community Submission - Author: WhoTookMyCrypto.com
2017 was a great year for the cryptocurrency space as the rapid increase in valuations propelled it into the media and this garnered huge attention from both the general public as well as cyber criminals. As digital currencies have become a favorite among criminals, they often use them to bypass traditional banking systems and avoid financial oversight from regulators.
Given that people spend more time on their smartphones than on their desktop computers, it's no surprise that cybercriminals are turning their attention to them as well. The following discussion explains how scammers target cryptocurrency users through their mobile devices along with some steps users can take to protect themselves.
Fake digital currency applications
Fake digital currency trading platform applications
The most famous example of fake cryptocurrency trading apps is probably that of Poloniex. Before the launch of the official mobile trading app in July 2018, Google Play was already listing several apps for the fake Poloniex platform that were intentionally designed. Many users who downloaded these fraudulent apps had their Poloniex login credentials compromised and their cryptocurrencies stolen. Some apps have even gone a step further to request login credentials for users' Gmail accounts. It is important to highlight that only accounts without two-factor authentication (2FA) are hacked.
The following steps can help protect you from these scams.
Check the platform's official website to check whether they already provide a mobile app or not. If the platform offers this, use the link provided on their website.
Read reviews and ratings. Scam apps often have a lot of bad reviews with people complaining about being scammed, so make sure to check them before downloading. However, you should also be skeptical of apps that offer perfect ratings and reviews as any legitimate app has its fair share of negative reviews.
Check the app developer information. Find out if a legitimate company, email address, and website are provided. You should also do an online search on the information provided to see if it is actually linked to the official platform or not.
Check the number of downloads. You should also take into consideration the number of downloads the app has, as it is unlikely that a popular cryptocurrency trading platform app will have a small number of downloads.
Enable 2FA on your accounts. Although it is not 100% secure, 2FA is difficult to bypass and can make a big difference in protecting your funds. Even if your login data is stolen.
Fake cryptocurrency wallet applications
There are many different types of fake apps. One form seeks personal information from users such as wallet passwords and private keys.
In some cases, fake apps provide pre-generated public addresses for users. So they assume that money is deposited at these addresses. But they do not have access to the private keys and therefore cannot access any funds that are sent to them.
Such fake wallets have been created for popular cryptocurrencies like Ethereum and Neo and unfortunately a lot of users have lost their money this way. Here are some preventive steps that can be taken to avoid becoming a victim:
The precautions described in the platform application section above apply equally. However, an additional precaution you can take when dealing with wallet apps is to ensure that brand new addresses are created when you first open the app and that you are in possession of the private keys (mnemonic seeds). A legitimate wallet application allows you to export private keys but it is also important to ensure that the generation of new key pairs is not compromised. Therefore, you should use reputable software (preferably open source).
Even if the application provides you with a private key (or primary key) you should check whether public addresses can be obtained and accessed. For example, some Bitcoin wallets allow users to import their private keys or seeds to visualize addresses and access funds. To reduce the risk of keys and seeds being compromised. You can do this on a computer disconnected from the Internet).
Cryptojacking applications
Cryptojacking has been a favorite among cybercriminals due to its low barriers and ease. Moreover, these applications provide them with the possibility of obtaining long-term recurring income. Despite their lower processing power when compared to computers, mobile devices are increasingly becoming a target for Cryptojacking.
Regardless of Cryptojacking in the web browser. Cybercriminals also develop software that appears to be legitimate games, utilities, or educational applications. However, most of these applications are designed to run cryptojacking codes through the victim's browser. There are also Cryptojacking apps that are advertised as legitimate miners but the rewards are delivered to the app developer instead of the users. Things are getting worse as cybercriminals have become more sophisticated and deployed lightweight mining algorithms to avoid detection.
Cryptojacking is incredibly harmful to mobile devices because it reduces performance, slows down the device, and worse, it can act as a malicious Trojan Horse.
The following steps can be taken to protect against them.
Only download apps from official stores, such as Google Play. Pirated apps are not pre-screened and are likely to contain Cryptojacking software.
Monitor your phone for excessive battery drain or overheating. Once detected, terminate the applications causing it immediately.
Keep your device and apps updated until security vulnerabilities are patched and closed.
Use a browser that protects against Cryptojacking or install popular browser plugins, such as MinerBlock, NoCoin, and Adblock.
Install mobile antivirus software and keep it updated if possible.
Free Giveaways and Fake Cryptocurrency Mining Apps
These are apps that pretend to mine cryptocurrencies for their users but don't actually do anything except display ads. They incentivize users to keep apps open by increasing user rewards over time. Some applications encourage users to leave 5-star ratings to receive rewards. Of course, digital currencies are not mined through any of these applications and their users do not receive any rewards.
To protect against this fraud, I understand that for the majority of cryptocurrencies mining requires highly specialized hardware (ASICs) which means it is not possible to mine on a mobile device. Even the amounts you will be able to mine will be very trivial, so it is best to stay away from any of these apps.
Clipper apps
These applications change the addresses of the digital currencies they copy and replace them with the addresses of the attacker. So while the victim may copy the correct recipient address, the address that the attacker replaces is the one they paste to process the transaction and thus get the money.
To avoid falling victim to these apps, here are some precautions you can take when making transactions:
Always double and triple check the address you paste into the recipient field. Transactions on the blockchain are irreversible so you should always be careful.
It is better to check the entire address rather than parts of it. Some apps are smart enough to paste addresses that are similar to your intended address.
SIM swapping
In a SIM swap scam, cybercriminals gain access to and control a user's phone number. They do this by using social engineering techniques to trick mobile operators into issuing them a new SIM card. The most famous SIM swap scam involved entrepreneur and cryptocurrency pioneer Michael Terpin. He claimed that AT&T was negligent in its handling of his mobile phone credentials, resulting in him losing tokens worth more than $20 million.
Once cybercriminals have access to your phone number, they can use it to bypass any 2FA based on it. After that, they can access your digital currency trading wallets and accounts.
Another method that cybercriminals can use is to monitor your SMS communications. Flaws in communications networks can allow criminals to intercept your messages which can include two-factor (2FA) code sent to you.
What is particularly concerning about this attack is that users are not required to take any action such as downloading fake software or clicking on a malicious link.
To prevent falling victim to such scams, here are some steps to keep in mind:
Do not use your mobile number for 2FA SMS. Instead, use apps like Google Authenticator or Authy to secure your accounts. It becomes difficult for cybercriminals to access these applications even if they have your phone number. Alternatively, you can use 2FA hardware like YubiKey or Google Security Titan Key.
Do not disclose personally identifiable information on social media, such as your mobile phone number. Cybercriminals can capture this information and use it to impersonate you elsewhere.
You should never advertise on social media that you own cryptocurrencies as this will make you a target. If you are in a situation where everyone knows that you own it, you should avoid disclosing personal information, including the platforms or wallets you use.
Make arrangements with your mobile phone service providers to protect your account. This could mean attaching a PIN or password to your account and dictating that only users with knowledge of the PIN can make changes to the account. You can also request such changes in person and not allow them over the phone.
The WiFi
Cybercriminals are constantly looking for entry points in mobile devices, especially those of cryptocurrency users. This entry point is to access the WiFi network Public WiFi is not secure and users should take precautions before connecting to it. They risk cyber criminals to access the data on their mobile devices. These precautions are covered in an article about public WiFi.
Concluding thoughts
Mobile phones have become an essential part of our lives. In fact, it's so intertwined with your digital identity that it can become your greatest vulnerability. Cybercriminals are aware of this and will always continue to look for ways to exploit it. Mobile device security is optional. It has become a necessity. Be safe