Initial coin offerings (ICOs) have been just as much a boon for crooks as they have been for investors.
Like clockwork, after a high-profile ICO is announced, cyber-criminals hatch a scheme to trick excited retail investors to send their ether or bitcoin to a phoney address. The industry largely reacts to phishing attacks by taking to social media to voice their frustration over how much of a particular cryptocurrency they lost.
And because the industry is so new and opaque, and individuals’ delusions of savviness make people collectively gullible, the instances of successful scams are unlikely to diminish.
In addition, as more and more token sales limit the number of people that can invest in the public sales, supporters are eager to find backdoors into ICOs, which can put them at risk of not thinking an offer through.
“If you expect to have a high-profile campaign, you should expect to be a target,” said Paul Walsh, CEO of Metacert, which offers a free Chrome extension that ICO investors can use to protect themselves.
In fact, NuCypher, a proxy re-encryption project that recently launched an ICO too, which piqued the interest of many investors, has dealt with repeated phishing attempts. And each time the company detects a phishing campaign, it warns its community what to look for via its email list.
The most recent attack came over Slack, in messages delivered via slackbots, indicating an ethereum address to send ether funds to, (supposedly) in return for NuCypher tokens. In its response, NuCypher reminded investors that it would never use Slack to request investment.
Yet, some people got burned, and with that, the larger crypto community suffers every time a phishing scam succeeds.
Walsh told CoinDesk:
“Once investors get their fingers burnt, they are more likely to tell people: don’t do this. Then fewer people are going to invest in cryptocurrency.”
In an effort to eliminate that issue, NuCypher has taken an approach which focuses on communication and education that many other ICO issuers and the investors interested in these rounds could learn from.
But this isn’t the only way to stay safe in such a wild market. There’s a lot investors can do to protect themselves, but really, no one can do as much as the team running the ICO.
Perhaps the most important strategy for issuers is emphasizing only one communication channel where sale news will take place.
When messaging app provider Kik launched Kin, for instance, the company made it clear that all information about buying its tokens would be on, and only on, its token sale site. Even if Kik sent an update in an email or through a social channel, the update always directed readers back to the site for how to take action.
This is a particularly beneficial approach since if critical information such as wallet addresses are broadcasted via the website, it’s much harder for a fraudster to change the website than it is to send a convincing email.
Not only that, but entrepreneurs and companies that plan on, or are rumored to be running, token sales should state publicly their intentions as quickly as possible.
The problems with not being open are displayed with the Telegram ICO. Because the mobile messaging company has barely communicated with the public about the ICO, scammers can take advantage of that knowledge gap and set up fake sites pretending to offer the tokens.
Case in point, investors have taken to Twitter to complain about getting swindled by fake Telegram token sites; one disgruntled individual tweeted that he had put four ether into a site hoping to buy Telegram tokens.
Telegram’s CEO has responded to a few questions about specific URLs and the company has created a Telegram channel for reporting scam sites, but it would be far better just to be upfront about what’s going on.
Another area where issuers can lessen the chances of fraud is in their marketing, by toning down the urgency of calls to buy tokens, although this might seem counter-intuitive to many.
When a marketing team announces that there will be brief periods of special discounts, it puts a group of potential investors on a hair trigger. They know these things sell out quickly, so they need to act fast if they want to get in. In this way, investors might be tricked into following phoney links, as they act before thinking things through.
On the topic, Walsh said:
“It’s good to get enthusiasm around whatever it is you’re going to launch, but these teams need to be more mindful.”
Above all else, though, companies running ICOs need to be unequivocal about how they will communicate, so followers will know anything that doesn’t follow that format is bogus.
Much hacking these days is conducted through social engineering, not cloak-and-dagger coding.
Tricking employees into revealing critical information, or figuring out how to imitate the actual staff, are two ways attackers have had success with their scams.
In this way, issuers need to keep in mind that protecting the internal team from phishing is of utmost importance – especially as it relates to social media channels, where fraudsters can tweet out malicious links that, with access to authentic accounts, will look the real deal to investors.
PhishMe co-founder Aaron Higbee told CoinDesk that companies should “look at who inside the organization can tweet from these accounts,” or otherwise post from these accounts, and make sure they’re trained at spotting possible phishing attempts.
PhishMe provides automated, ongoing training for companies that help them to increase awareness of techniques attackers use to trick company staff. The training, which is offered free to small- and medium-sized businesses, actually works inside staff inboxes, by sending them emails that should raise red flags.
And Metacert offers a product that monitors a team’s internal channels on an ongoing basis and deletes malicious messages before anyone has a chance to see them.
Beyond that, Walsh contends executives and other high-profile individuals at a firm should not have root access to any data or systems since most attackers can not only find information on that person to social engineer them, but also these execs are seen as very high value to an attacker.
Community management staff should also be trained on how to spot phishing attempts and what kind of questions indicate that supporters might be getting phished on another channel. For example, Kik found that attackers would represent themselves as moderators in Slack channels. As such, the genuine moderators should watch for this and other suspicious behavior.
And, last but not least, an ICO issuer needs to make sure their web host keeps security top of mind. That’s primarily because ICO issuers choose their web host before the sale’s site goes live, giving attackers the same amount of time to try and infiltrate the system in order to put a fake front page with their own wallet address on the site when it goes live.
Even if such digital graffiti only stays up for 20 minutes, a lot of money could be lost with the rush to purchase that many ICOs inspire.
With all this, ICO issuers need to start thinking about internal security from day one, because while the projects’ founders are focused on the product, scammers know millions of dollars will eventually flow to that product and will move early and wait for their chance to strike.
With this in mind, documents should be shredded so that scammers can’t use those to make their attacks look more authentic.
Plus, all employees should use two-factor authentication (2FA) everywhere and try very hard not use SMS-based 2FA, since it is less secure than using apps like Authy, 1Password or Google Authenticator. On top of that, with any mobile device used for 2FA, extra precautions should be put in place so that any changes are subject to higher security checks.
For instance, Walsh said he knows of some projects that keep a burner phone locked in a drawer and used solely for 2FA.
Not only mobile devices, but also email lists should be correctly protected.
If an attacker manages to get a hold of the list of people who have expressed interest in an ICO, the scam is 90 percent of the way to succeeding because that group is the most likely to fall for a phishing attempt as it’s already interested and the source seems genuine.
If a company is using an email or newsletter third party, like MailChimp or ConstantContact, to maintain such lists, it should opt into the highest level of security for accessing those accounts.
Walsh even added that the most thoughtful of companies might go a step further and eschew HTML emails for pure text emails. While text emails may lose some marketing prowess, they are more secure for recipients as recipients can actually see the link the email asks them to click, whereas HTML formats can hide malicious links.
Another option for ICO projects is to hire “white hat” hackers to try and beat the security systems token issuers put in place, so vulnerabilities can be found and fixed before a real attacker strikes.
Furthermore, issuers could stand to be more open with the public and potential investors about the security procedures they are using so investors can make educated judgements about which projects they want to support.
In that regard, MacLane Wilkinson of NuCypher told CoinDesk:
“Ultimately, there’s no way to prevent phishing attacks, so the most important thing you can do is education. You need to start early by explaining to your community what phishing attacks are and preparing them in advance.”