Cyrptocurrency scams are on the rise impacting businesses and workers. Be aware of the latest tactics and learn ways to protect yourself and your company.
Cryptocurrency is one of the newest technology fads with an entire ecosystem of startups, financial institutions, and influencers hoping to get more people into the gold rush that Bitcoin and its associated coins has become. A decade ago, Bitcoin was essentially worthless. Now, it’s currently valued around $55,000 per Bitcoin. It’s not hard to see why everyone is excited about it.
However, with every new technology comes new risks… or more accurately, how old risks adapt to use new technology to increase the size and scope of criminal campaigns and cryptocurrency is no different. Many previous forms of cybercrime have adopted cryptocurrency. And many new campaigns are looking at ways to steal cryptocurrency from victims.
Ransomware, quite literally, may never have become a thing if it were not for ransomware attacks. In 2013, Cryptolocker became the world’s first successful modern ransomware campaign. The attackers managed to get the encryption and key management aspects of ransomware to work effectively as previous efforts had failed. It also introduced several forms of “new currency” as accepted ransom payments: cryptocurrency and prepaid cards. Eventually the prepaid cards fell to the wayside as a not scalable way to collect payments.
During the Cryptolocker campaign, the price of Bitcoin rose from $300 to $1000. The campaign attracted attention (albeit due to ransom payouts) exposing new ways to leverage crypto-related attacks. Since then, the increase of crypto activities has set the monetary value on a trajectory to breakthrough heights.
If there’s a need to move money across national boundaries in a way that is resistant to government interference, cryptocurrency is really the only game in town. There’s a reason terrorist groups and nations heavily subjected to sanction regimes (such as North Korea) have turned to cryptocurrency as well.
A particular risk in cryptocurrency is if an organization is in the unenviable position of having to pay a ransom. Regulatory agencies are paying closer attention and there is political pressure to prevent victims from paying ransoms. This leads organizations to work directly with cyber insurance companies and incident response firms to insure all payments are made to minimize business risk and brand damage.
Other criminal campaigns leverage ransomware techniques. One of the most prolific is crypto mining or cryptojacking, where attackers use victim machines to mine cryptocurrency. Often attackers have more machines in their botnets that they can use at any given time. A recent arrest of a botnet operator had over 100,000 infected machines launching DDOS attacks, brute-force attacks on user account passwords and network scans for vulnerabilities to exploit them.
As the price of stolen credit cards have decreased in dark net marketplaces, criminals are turning to new ways to monetize and passively mine cryptocurrency (often Monero). While this isn’t highly lucrative (on consumer or commodity hardware), there’s opportunity for higher payouts later. If a machine mined $1 of cryptocurrency a month, the botnet would be netting $100,000 a month (refer to example above). This is mostly an annoyance, yet it involves a compromised machine that can be repurposed later at the attacker’s discretion.
With the hype around cryptocurrency, even conventional scammers are trying to cash in. There are fake cryptocurrency trading sites looking for ways to steal your money. The trail of fake cryptocurrency or ICO (initial coin offering) scams are gaining steam with no signs of slowing.
Even romance scams are looking to capitalize by leveraging cryptocurrency. “Love comes with a hefty price” rings true in so many heart-breaking ways. Unfortunately, there’s no one to tell you “it’s a bad idea” or “to be aware” when it comes to using cryptocurrency and related scams.
While romance scams and conventional scams might not, at first glance, seem like a concern for businesses, high-value employees who fall victim may also face blackmail risk and be coerced into becoming insider threats. The instance of scams turning into extortion is more frequent than commonly known, such as a recent extortion attempt against the head of the Illinois State Board of Elections.
So to avoid the crypto-based scams, organizations and users need to be hyper aware of activities that look suspicious and take major precautions. Here are several best practices to consider:
- Anyone involved in cryptocurrency should stick to the mainstream exchanges.
- Be wary of new forms of cryptocurrency or get-rich-quick schemes.
- Be leery of representatives that they’ve not physically met requesting cryptocurrency.
- Anyone trading cryptocurrency during the day or on company devices may also be subjecting the organization to security risk. Daily malicious attempts and phishing sites look to victimize those individuals capitalizing on the cryptocurrency gold rush.
- Investigate digital cryptocurrency companies and startups to confirm they have a solid business track record and that they’re block-chain powered which tracks detailed transaction data.
- Make sure the cryptocurrency application is authentic and trusted. Many fake mobile applications trick users thinking the payment site is legitimate.
- When buying and trading with cryptocurrency, watch out for Ponzi scheme trading. The lure of profits through fictitious investments in trading or mining cryptocurrency are fronts for fraud activities.
Cybersecurity Awareness Month, #BeCyberSmart