How to Avoid Getting Caught in a Phish-net of Scams
Over the past few years, the cryptocurrency market has been flooded with investment and plenty of ‘phishers’ in the sea.
Over the past few years, the cryptocurrency market has been flooded with investment and plenty of ‘phishers’ in the sea. Phishing is the most popular form of cybercrime on the Ethereum network, accounting for 50% of all stolen revenue. There is a growing threat of these attacks, led by criminals attempting to get their hands on the funds of innocent investors.
Phishing is a type of fraud in which an attacker masquerades as a reputable entity or person via email or other communication channels. Phishers will typically advertise or send you a message with a link to a website that looks completely legitimate but is actually a fake or ‘mirrored’ version of the real site. Then your information is stolen and from there they can access and steal your money.
Just a couple of months ago, our own MEW platform was targeted in what has been described as a sophisticated attack known as a phishing automated transfer system (ATS). Cyber threat intelligence firm RiskIQ investigated the hack, dubbed ‘MEWKit’, and commented that this attack “shows a new dedicated effort from threat actors to pursue cryptocurrency.”
Unidentified criminals carried out the hack by infiltrating the very structure of the internet itself to steal tokens from users. They hijacked Amazon DNS servers to reroute people from the official MEW website to a host running a MEW phishing page. The attacker was able to phish $150,000 worth of Ether from MEW users.
It is truly unfortunate that this amazing blockchain space is contaminated with greed, but the reality is that whenever there is an opportunity to exploit people, criminals will seize it.
Despite this recent attack, we will remain one of the countless custodians of open source platforms. Being open source means our code is 100% transparent. It allows our community to make suggestions, add new features, and audit our code to make sure that what we claim to do is true. The quality of our code is continuously enhanced as other developers can improve our platform.
We believe being open-sourced fosters innovation; developers can learn from our code and see how we did things so they can also build valuable projects from the insights they have gained. We want the blockchain and cryptocurrency ecosystem to be as supportive and collaborative as possible.
But being open sourced also comes at a cost. It means that phishers can copy our code and replicate our site so well that it looks identical, and even the most experienced users can fall victim to their deceit – as was the case with MEWKit.
From experience of managing a cryptocurrency wallet that is widely used by the crypto community, we take phishing attacks very seriously, and very personally. Following the MEWKit attack, we decided to migrate to Cloudflare’s DNS servers. However, the three ongoing and key measures we use to fight phishing include actively seeking out attackers, taking down the ‘copycats’ and working together with a dedicated anti-phishing community.
We constantly monitor multiple social networks and Slack channels for potential phishing links. Our customer support team will sift through our users’ questions to see whether their concerns or inquiries are somehow related to a scamming or phishing attempt.
There have been over 6,000 attempts to imitate our site alone. We use monitoring tools to try and detect every new website registration similar to our own domain (myetherwallet.com). If they are clear imitations we add them to the EtherAddressLookup extension and file violation reports. We also report them to Google to stop them from getting indexed.
We’re also part of an anti-phishing group on Skype that consists of amazing, community-orientated people. They constantly keep an eye out for any scamming, phishing or suspicious activity and will report them to the group so we can take necessary action.
We try our best to educate people about scams, helping them to detect and avoid the ones we know of, and teaching them what to look out for. We are very active on Twitter, consistently showcasing any suspicious or malicious activity going around.
Users also have a role to play in defending themselves and the wider community against phishing.
In the end, you and only you are responsible for your security. This may be a daunting prospect, as we have all relied so heavily on financial institutions to look after our funds, our passwords and private information.
If we make mistakes with our bank accounts, like transferring funds to the wrong account or forgetting our pin number, banks are usually able to rectify the situation with a proof of identity. But if you make an error in the crypto world, such as losing your Private Key or making a typo in a wallet address when sending funds, it’s almost impossible to reverse. This is the price of true economic freedom.
What makes decentralization and blockchain technology so exceptional is that you don’t have to rely on your bank, government or any third party. You are in total control of your finances. As we can all learn from the Spiderman comics (or Voltaire, depending on your preference for literary history), “with great power there must also come great responsibility”.
Educating yourself is the best defense AND offense against scams and malicious sites. So, here are three key things users can do to help keep their funds safe and help us defeat phishing:
1. Arm yourself
In order to defend yourself properly against phishers, make sure you are taking every precaution possible BEFORE creating a wallet and transferring funds so you are the least vulnerable as possible.
When creating a cryptocurrency wallet you should do it offline so that your Public and Private Keys are generated without an internet connection. You can write these Keys down on a piece of paper and store it safely, or save the keystore file version on an external USB. This is called a cold storage wallet. This will help keep your information safe from hackers as it is ‘out of reach’ if it is not available to steal from a web-connected computer.
When using an online wallet platform to send funds, make sure to turn on 2FA (two-factor authentication). It is recommended that users sending and receiving ETH install a wallet extension on their browsers, such as EAL, MetaMask, Cryptonite or MyEtherWallet. This will prevent users from accidentally accessing phishing links.
We are also strong believers in storing your crypto on a hardware wallet, because this offers security and support, is more durable than a piece of paper, and your Keys can be recovered if lost.
Installing an AdBlocker will also be useful as some aggressive scams can be filtered out. Try uBlock Orgin. Regardless, do not click any ads related to cryptocurrency in general, as it is extremely unlikely they are genuine promotions. If you are already using Adblock Plus, it does not hide Google Ads from you. Go into your Adblock Plus settings and uncheck the box that says “Allow some non-intrusive advertising”.
2. Assume bad faith
Adopt a mindset where everyone is trying to scam you. Always make sure you are on the correct website by checking the spelling closely and looking at the URL bar to make sure it has the green Secure, SSL or Inc verification to its left. Never click on a link to access a wallet’s website – always type it in, then bookmark it and use this bookmark only.
In general, you should do some investigating and thorough research before visiting or giving any site your personal information or access to your Public and Private Keys. Google them, check their social media presence, search for threads on Reddit.
Triple check any wallet address before sending cryptocurrencies to it. With Ethereum, you can verify the addresses on etherscan.io by typing them into the search bar (top right) and click on the comments tab above their transaction history. If there are concerned or angry people commenting about this particular address, it would be wise to stay away. For Bitcoin, you can check any address’ entire history on blockchain.info, including its balance.
Never trust any email or message sent to you at face value! Ask yourself why someone is emailing you or messaging you if it involves any kind of financial transaction. We will never email you– unless you’ve contacted us first.
To keep up the fight against phishing, we need our amazing community to support and educate each other. This is an ongoing battle that requires us all to stick together. Please spread the word about any sites you know to be scams, and make sure to report any and all malicious links.
If you see a link to a malicious URL or fake Token Sale address, comment about it in #general on our Twitter, Reddit and Slack channels. Warn people swiftly and LOUDLY.
Let Google know if you encounter any phishing sites or badware. Use this link for anything specific to Ethereum. If you stumble upon or are led to a site that is phishing an online wallet platform you use, let the genuine site creators know. For example, if you’re a user of MEW, you can add malicious non-URLs here so we can list them and warn everyone.
Teach a person to anti-phish…
We may never truly defeat phishing, but we can try our best to protect our crypto community by becoming informed and proactive members of it. Let’s fight the forces of evil together – it’s our only shot at ending all of this phish-y business.