ICO protection: Key threats, attack tools and safeguards

Group-IB has analyzed the basic information security risks for the cryptoindustry and compiled a rating of key threats to an ICO (initial coin offering).

On average, over 100 attacks are conducted on one ICO. Criminals are increasingly using modified Trojans that were previously used for thefts from banks, as well as targeted attacks aimed at compromising secret keys and gaining control over accounts.

Ranking threats

Summing up a year of protecting cryptocurrency projects, Group-IB experts compiled a rating of the most dangerous threats to the industry.

1. Phishing. This type of fraud is still the most dangerous threat, and it accounts for over 50% of all money stolen. Criminals build complex multistep schemes involving all possible channels of influence on the community. This market is now interesting to criminals who only yesterday monetized their illegal activities with banking Trojans and are now updating their tools to focus on cryptocurrencies. They threaten not only ICO projects, but also traders, crypto enthusiasts and cryptocurrency owners.

2. Defacements or targeted attacks. Errors in the configuration of web application servers, compromise of hosting passwords or the use of vulnerable software are the most common reasons hacking occurs. Attackers replace the addresses of wallets used for fundraising. In contrast to phishing, such attacks take place on the project's real website address, which is made to display fake wallet addresses. For instance, investment portfolio management platform CoinDash lost about $7,500,000 in the first 3 minutes of its ICO start after its website was hacked.

3. ‘Social-vector’ attacks. This category includes attacks on project members and stealing coins from community members via social networks, thematic forums and media resources. In the final months of 2017 and early 2018, experts recorded an outbreak of fraud on social media, where criminals use well-known social engineering techniques (messages from “security teams of cryptocurrency services,” notifications of prizes in coins, invitations to take part in important community activities, etc.). Researchers note increased criminal interest in ICOs that have not been announced yet, but have ‘hype potential’ (the most obvious example is the expected ICO of Telegram).
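For the wallet-replacement defacement in item 2, one safeguard is to audit the page the site actually serves against a wallet address pinned out-of-band. The sketch below is an added example, not Group-IB's tooling; it assumes Ethereum-style addresses, and the addresses, page snippets and `audit_page` helper are constructed for illustration.

```python
import re

# Assumption: funds are collected at Ethereum-style addresses (0x + 40 hex digits).
# The lookarounds skip longer hex strings such as 64-digit transaction hashes.
ADDRESS_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")

def audit_page(html, pinned):
    """Compare every address found in the served HTML with the pinned allowlist.

    `pinned` holds the genuine fundraising addresses, stored away from the web
    server (for example in the monitoring job's own configuration).
    """
    allow = {a.lower() for a in pinned}
    # Scan the raw markup, not only visible text, so attributes are covered too.
    found = {m.group(0).lower() for m in ADDRESS_RE.finditer(html)}
    unexpected = sorted(found - allow)   # addresses nobody approved
    missing = sorted(allow - found)      # genuine address no longer shown
    return {"ok": not unexpected and not missing,
            "unexpected": unexpected, "missing": missing}

# Constructed sample data (hypothetical addresses and page snippets).
PINNED = "0x" + "A1b2" * 10
ROGUE = "0x" + "dead" * 10
CLEAN_PAGE = f"<p>Send ETH to <code>{PINNED}</code></p>"
# Visible text is untouched, but the copy button carries a different address.
TAMPERED_PAGE = (f"<p>Send ETH to <code>{PINNED}</code> "
                 f'<button data-copy="{ROGUE}">Copy address</button></p>')
# The displayed address itself has been swapped.
REPLACED_PAGE = f"<p>Send ETH to <code>{ROGUE}</code></p>"

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE),
                       ("replaced", REPLACED_PAGE)]:
        print(name, audit_page(page, [PINNED]))
```

Run from a host outside the web infrastructure at short intervals during the sale, so a compromised server cannot silence the check.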

Attack tools

“Throughout last year, we saw examples of adaptation of hacker tools to the crypto industry,” commented Ilya Obushenko, security analyst at Group-IB. “The banking Trojan TrickBot obtained additional modules for stealing money from accounts in Coinbase as early as August 2017. Features for attacks on cryptowallets have also been added to another banking Trojan – Tinba. CryptoShuffler replaces wallet addresses in the i/o buffer, Quant Trojan provides attackers with information about access to cryptowallets found in user devices, and an Android bot called Red Alert replaces authorization pages of exchange websites and cloud wallets in victims’ browsers.”

What should startups prepare for in 2018

The number and frequency of attacks on cryptocurrency projects (exchanges, wallets, funds) will grow. Based on data from internal projects and a study of international practices, Group-IB staff forecast the following threats to the sector:

  • Phishing schemes that use cryptocurrency brands will become more complex. The quality of preparation and the sophistication of phishing attacks will also grow, and the automation of phishing and the use of ready-made phishing kits for attacks on ICOs will become more and more widespread.
  • Social vectors for attacks will develop. Hackers will set their sights on the founders, members of project teams and communities.
  • The number of coin thefts will increase. Market participants announcing cryptocurrency trading are already being shortlisted by criminals. Various forms of fraud on social media, focused on cryptocurrency owners and allegedly implemented on behalf of platform developers, are gaining momentum.
  • Android Trojans will attack cryptocurrency owners. The techniques used to identify and gain access to cryptowallet owners will be identical to those used for cyberattacks on bank accounts. Hackers will increasingly adapt banking Android Trojans.