Crypto Phishing Explained — 4 Ways You Could Lose Your Cryptocurrencies to Phishing

Toffee
Nov 23, 2017

With the recent surge in phishing within the crypto community, we at CoinMall have decided to raise awareness of how phishing works and what simple steps you can take to avoid becoming a victim of it.

1. Email Phishing

Phishing through email is probably one of the oldest phishing methods on the internet. The phisher obtains your email address either by extracting it from a Slack channel or by obtaining the databases of crypto-related sites. Our first piece of advice is therefore to use a separate email address and password for non-essential services such as chat services, forums and news portals.

A Coinbase phishing email. There are two things to look at in this image.

1) Sender email. Most phishers are unable to spoof the actual domain name of the service they are impersonating. In this case, you can see that the senders have cleverly registered coinbase.help (it should be coinbase.com) to make their phishing email seem more legitimate. Always look at the sender address when you receive a suspicious email, and double-check that both the domain and its extension are the legitimate ones.

2) The call-to-action (CTA). Phishers want to create fear and uncertainty with their email. In this case they do so by warning you of what seems to be an unauthorized transfer and then asking you to follow the link behind the CTA ‘Cancel the transaction’. Once you click on the CTA you’ll be redirected to the phishing site, where you’ll be asked to enter your sensitive details. Once you do so, the phishers will use them to steal your cryptocurrencies. Never click the CTA; instead, go directly to the legitimate website URL and log in there to check your account status and transaction history.

2. (Google) Ads Phishing

A more recent form of phishing abuses search engine ad networks such as Google Ads to display phishing sites and fool users into clicking through to them.

A search query for ‘blockchain’ shows that the top results are ads.

The first ad links to blockchalin.info (notice the extra L), which can easily be confused with the legitimate URL. Again, once you click on it and fill in your info, the page will steal your sensitive credentials and send them to the phishers, who’ll steal your cryptocurrencies. Our advice is as follows: install an ad-blocker to hide such ads on your search engine (we recommend uBlock Origin) and always double-check that you’re on the correct site by checking its URL and SSL certificate.
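The domain checks described for the sender address in section 1 and for the ad URL above can be automated. The following is an added example, not code from the original post: the allowlist is an assumption built from the legitimate domains the post names, the sample sender address in the usage is constructed, and taking the last two labels as the registrable domain is a simplification that ignores multi-part suffixes such as co.uk.

```python
# Added example: classify a sender or link host against an allowlist of known-good domains.
KNOWN_GOOD = {"coinbase.com", "blockchain.info", "myetherwallet.com"}  # assumed allowlist

def registrable(host):
    """Naive registrable domain: the last two labels (assumption: no multi-part TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Extract the domain from a From: value such as 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip("<> ")

def classify(host, known=KNOWN_GOOD, max_edits=2):
    """Return (verdict, matched_domain) for a sender or link host."""
    dom = registrable(host)
    if dom in known:
        return ("legitimate", dom)
    name = dom.split(".")[0]
    for good in sorted(known):
        if name == good.split(".")[0]:
            return ("wrong-tld", good)      # right brand name, wrong extension
        if 0 < edit_distance(dom, good) <= max_edits:
            return ("typosquat", good)      # a character or two away from a real domain
    return ("unknown", None)
```

Because only the registrable domain is compared, a host that merely starts with a trusted name, such as coinbase.com.evil.example, is not treated as legitimate.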

3. Chat phishing

Even more recent is the well-known wave of phishing on Slack channels and other chat platforms such as WhatsApp, Skype and Telegram. On Slack, this is usually done either through the standard slackbot or through fake accounts (bots) that mass-DM users within a Slack group.

Similar to email phishing, Slack phishing is often done by sending a message which causes fear and uncertainty, prompting you to click on the CTA.

In the above image you see that the standard slackbot sends you a phishing message with a seemingly legitimate URL (myetherwallet.com) which in fact points to a phishing URL (suncontract.su). Our advice is therefore similar to what we have given before: always double-check the URL and don’t click on links sent to you by people you do not know.
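The mismatch between the URL a message displays and the URL it actually opens can be detected mechanically. This is an added example, not part of the original post: it assumes the message is available in Slack's `<target|label>` link markup, the sample message text and paths are constructed around the two domains named above, and the two-label domain comparison ignores multi-part suffixes.

```python
import re
from urllib.parse import urlsplit

# Slack message markup writes a labelled link as <target|label>.
LINK = re.compile(r"<(https?://[^|>\s]+)\|([^>]+)>")
# Something in the label that looks like a hostname, e.g. www.myetherwallet.com
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def base_domain(host):
    """Last two labels of a host (assumption: no multi-part TLDs)."""
    return ".".join(host.lower().split(".")[-2:])

def mismatched_links(message):
    """Return (shown_domain, real_domain) for links whose label names a different site."""
    findings = []
    for target, label in LINK.findall(message):
        real = base_domain(urlsplit(target).hostname or "")
        shown = HOSTLIKE.search(label)
        # Only labels that display a hostname can mislead about the destination.
        if shown and base_domain(shown.group(0)) != real:
            findings.append((base_domain(shown.group(0)), real))
    return findings

# Constructed sample message; only the two domains come from the post.
SAMPLE = ("Security alert: your wallet needs verification. "
          "<http://suncontract.su/verify|https://www.myetherwallet.com/verify>")

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE):
        print(f"link displays {shown} but opens {real}")
```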

4. Unconventional Methods: SMS & targeted Social Engineering attacks.

The above three methods have one thing in common: they indiscriminately target a massive number of users. None of them carries any actual identifying information (such as your name, address or the like); they are a one-size-fits-all way of phishing and therefore not effective against the majority of users. There is, however, a targeted and more effective way of phishing that you should be aware of.

This is a spoofed SMS sent to a personal phone number. Seemingly legitimate, the SMS is actually from a phisher looking to steal cryptocurrencies.

If we look at the above image, it may look as if it’s a real message sent by Coinbase. The name of the sender is Coinbase, and you’re greeted with your real name. Who else aside from Coinbase would know your real name, number and the fact that you have a Coinbase account?

This is a good example of a targeted Social Engineering attack. If your details have been breached or are publicly available, and it is known that you hold a large sum of money on exchanges and online wallets, then you should be cautious of such attacks. Targeted Social Engineering attacks often consist of: spoofed SMS messages with your real name, legitimate-looking emails (again with your real name and account details), legitimate-looking websites with an SSL certificate and even phone calls from a seemingly legitimate employee.

Our advice for when you receive such emails, SMS messages, phone calls and the like: do not proceed under any circumstance. Instead, contact the company you’re dealing with directly, either by calling their publicly available phone number, through social media such as Twitter, Reddit or Facebook, or by opening a ticket through their helpdesk.

This post is far from comprehensive and does not cover every type of attack in existence, such as SIM swapping (https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac), viruses which change addresses in your clipboard, or falling victim to a RAT/keylogger.

We therefore highly advise you to read up on OPSEC and what you can do to prevent your devices from being compromised. For starters, an anti-malware program such as Malwarebytes is highly recommended.

- The CoinMall Team


Toffee is a P2P marketplace where you can buy and sell any virtual product imaginable