Trezor Talks How Phishing Can Steal Your Crypto Fortune and How to Protect Yourself
Phishing attacks have become increasingly sophisticated. Today, a growing number of crypto users are falling victim to phishing attacks.
The team at crypto wallet Trezor recently decided to investigate the issue. Trezor published the results of its study in a blog post. The results provide an interesting look into how today’s most advanced phishing attacks are being used to steal crypto fortunes around the world.
Phishing Attacks Rely on Human Judgement
First, it’s important to note that phishing attacks rely on human judgement and perception.
You might get an email from a crypto exchange you use claiming that your account has been compromised. You click the link to reset your password, then enter your username into the following form. Within seconds, your password has been extracted and you’re the victim of a phishing attack.
Making matters worse is that you may not even realize your mistake until it’s too late: you might assume there’s no problem until you check your crypto wallets months later.
Using these strategies, phishing attacks can steal your credit card numbers, Social Security Number, passwords, usernames, and other sensitive information you input online.
Phishing Attacks Can Target Virtually Any Device
Phishing attacks aren’t limited to computers or smartphones. Phishing attacks can occur against your internet browser or software wallet. Today, most crypto-focused phishing attacks target software wallets and internet browsers.
Trezor recommends (obviously) using its hardware wallet to limit the power of phishing attacks.
“Your Trezor device, however, stays offline and is isolated from these attempts to misdirect you.”
That’s why Trezor recommends trusting your device – not your software or internet-connected device.
Top 5 Techniques Used by Today’s Phishing Attacks
The Trezor blog post goes on to highlight the most common techniques used by today’s phishing attacks, including all of the following:
Impersonation
Trezor describes this attack as “one of the fastest to carry out and technologically simplest to implement.” With the impersonation technique, the attacker impersonates someone else – like a sales rep, a customer service agent, a friend, or a boss. Under that assumed personality, the attacker tries to lure the victim into giving out sensitive information.
Sometimes, the impersonation technique involves a spoofed website, spoofed phone communication, or fake emails that appear to be from a legitimate organization.
Trezor says some phishing attacks pose as Trezor itself. An attacker will impersonate a Trezor sales rep or customer service agent, for example, and demand information from the victim.
DNS Poisoning
A DNS poisoning phishing attack takes advantage of the Domain Name System (DNS), sending the visitor off in the wrong direction. It makes a site appear offline when in reality the website is perfectly fine. The attacker may redirect users to a server that the attacker controls.
The best way to avoid falling for DNS poisoning is to look for an invalid SSL certificate and treat any certificate warning from your browser as a red flag. All legitimate websites (particularly crypto exchanges) have a valid SSL certificate.
BGP Hijacking
BGP hijacking works in a similar way to DNS poisoning. With BGP hijacking, an attacker takes control of a group of IP prefixes assigned to a potential victim.
Just like with DNS poisoning, BGP hijacking can be spotted by looking for invalid SSL certificates.
Unicode Domain Phishing
The Unicode domain phishing attack, or IDN homograph attack, relies on the fact that popular browsers show Unicode characters in domain names as ordinary characters.
Someone can therefore register a domain that uses a look-alike Unicode character so that it appears to be a normal website. They could create Facebook.com where the second “o” is a Unicode character, for example. You don’t notice it until you’ve already typed in your Facebook username and password.
Cybersquatting
Cybersquatting is the practice of phishing attackers registering a domain name that they anticipate will be used in the future. Someone might register a domain name for NikeShoes.com, for example, even though they have no association with Nike.
In the crypto world, someone could register a domain that appears to be the legitimate domain for an exchange – say, BinanceExchange.com. You might confuse this with Binance.com.
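The two look-alike domain tricks described above (a Unicode homograph and a brand-name lookalike) can be checked mechanically. The following is an added example, not code from Trezor or from the original article: the OFFICIAL allowlist, the small CONFUSABLES map and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed allowlist: the sites this user really uses (assumption).
OFFICIAL = {"facebook.com", "binance.com", "trezor.io"}

# Tiny constructed look-alike map (Cyrillic/Greek -> ASCII). Production tools
# use the full Unicode confusables data, which is far larger.
CONFUSABLES = {"\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c",
               "\u0440": "p", "\u0456": "i", "\u03bf": "o"}


def to_unicode(host):
    """Lower-case a hostname and decode punycode (xn--) labels for inspection."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # undecodable label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Scripts used by a label's letters, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(name):
    """Fold look-alike characters to ASCII so homographs compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name))


def classify(host):
    """Return (verdict, findings) for a hostname checked against OFFICIAL."""
    name = to_unicode(host)
    if name in OFFICIAL or name.endswith(tuple("." + d for d in OFFICIAL)):
        return "official", []
    findings = []
    if any(len(scripts(label)) > 1 for label in name.split(".")):
        findings.append("mixed-script label")
    skel = skeleton(name)
    if skel in OFFICIAL:
        findings.append("homograph of " + skel)
    else:
        findings += ["uses brand of " + d for d in sorted(OFFICIAL)
                     if d.split(".")[0] in skel]
    return ("suspicious" if findings else "unknown"), findings
```

A verdict of "unknown" only means the name resembles nothing on the allowlist; it says nothing about whether the site is safe.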
The Best Tips for Avoiding Phishing Attacks in the Crypto World
Trezor followed up their blog post with an explanation of how to avoid phishing attacks inside and outside the crypto world. Here are some of Trezor’s recommendations:
- Trust your device – not your software. Look for on-screen confirmation on the device, especially when making transactions or using your recovery seed.
- Make sure the URL for your cryptocurrency exchange or wallet provider exactly matches the official website. Consider bookmarking your most-used crypto websites to avoid any confusion.
- Never give your recovery seed to anyone, even someone who claims to be a tech support agent from the exchange or wallet provider.
- Use updated security software and install the latest security patches.
- Pay close attention to shortened links, particularly on social media. Shortened links can easily hide a malicious domain.
By following the tips above, you can avoid the vast majority of phishing attacks. Hold onto your cryptocurrency fortunes and avoid crypto phishing attacks today.