Cryptocurrency exchanges have become a central target for financially motivated hackers.
Less than a month ago, there was a successful attack on BTER in which over 51 million NXT coins were stolen. Even before BTER, many cryptocurrency exchanges had faced similar security breaches – the most famous being Mt. Gox, for which the breach ultimately became the cause of its demise.
The latest to join the list of these exchanges is BitPay, which was recently targeted by a group of amateur hackers. No coins were reported stolen, however, as the hackers relied on the well-known method called “phishing”, but the attempt still prompted the exchange to come out in the open and instruct its customers not to fall for such scams.
As this was the second such attempt, BitPay wants to warn its users about phishing websites. As almost every internet user knows, phishing is one of the most common methods of stealing information, ranging from user passwords to credit card details.
This sort of attack takes place when a webpage wrongfully imitates another webpage in order to steal information (or money) from unwary users. Basically, the success of such attempts hinges solely on whether users are alert.
“There has been an email phishing attempt spoofing BitPay’s late payment notification email,” said a BitPay representative. “As always, BitPay’s security is the main priority. There has not been a breach to our system. It’s very unfortunate that these malicious attacks have been made on the bitcoin community.”
Here is a copy of the phishing page:
As you can see in the image, an email address is mentioned: [email protected]. BitPay’s representative has clearly instructed customers not to click the link, as this is not a legitimate BitPay email address. The real address from which system mails are sent to customers is [email protected], which lacks the underscore. He later added:
“To stay vigilant and avoid any breaches, always look for the green BitPay, Inc. SSL certificate indicator in the browser window. Always be extra cautious about checking the domain name and EV SSL certificate when entering a password.
If you use a personal computer with good password protection, let your browser store and populate user IDs and passwords for you – the browser will not mistakenly enter your password on a phishing site. BitPay also strongly advises all of its merchants to enable Two-Factor Authentication on their accounts.”
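The protective effect the representative describes comes from a password manager filling credentials only on the origin they were saved for. As an added illustration (not BitPay's code or advice), here is a simplified version of that origin check, run against constructed placeholder URLs of the kinds a phishing page typically uses; it deliberately requires an exact scheme and host match, which is stricter than the matching rules real browsers apply.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder: a credential saved for a legitimate login page.
SAVED_CREDENTIAL = {"origin": "https://pay.example.com", "user": "merchant"}


def normalized_origin(url: str) -> Optional[str]:
    """Return 'scheme://host[:port]' for url, or None if it cannot be trusted.

    The host is IDNA-encoded so a homoglyph domain (e.g. a Cyrillic letter
    standing in for a Latin one) never compares equal to the ASCII domain it
    imitates. URLs carrying userinfo ('real.host@evil.host') are rejected,
    since the text before '@' is not the host the browser connects to.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def should_autofill(saved_origin: str, page_url: str) -> bool:
    """Fill only when the page's origin is exactly the saved one."""
    page = normalized_origin(page_url)
    return page is not None and page == normalized_origin(saved_origin)


if __name__ == "__main__":
    # Constructed sample URLs: the first is the genuine login page, the rest
    # are lookalikes that a user could easily mistake for it.
    for url in [
        "https://pay.example.com/login",
        "https://pay.example.com.attacker.test/login",  # real name as a subdomain
        "https://pay-example.com/login",                 # typo-squat
        "https://pay.example.com@attacker.test/login",   # userinfo trick
        "http://pay.example.com/login",                  # no TLS, no certificate to check
        "https://pay.ex\u0430mple.com/login",            # Cyrillic 'а' homoglyph
    ]:
        verdict = "FILL" if should_autofill(SAVED_CREDENTIAL["origin"], url) else "withhold"
        print(f"{verdict:8} {url}")
```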
JP Morgan Chase Customers Were Targeted Last Week
Last week a significant phishing attack was launched against customers of JP Morgan Chase, as detected by cybersecurity firm Proofpoint and reported by Reuters. As is typical of such attacks, an email impersonating the bank asked recipients of the phishing email to click a link that directed them to a phony bank website operated by the crooks perpetrating the scheme.
The attack included some new technical elements – if a user clicked the link, the attackers not only tried to grab credentials to JP Morgan Chase’s systems via the phony login page, but also attempted to install malware that could lead to breaches at other institutions. That said, the basic delivery technique remained the same as it has been for many years: criminals sent a message that looked like it came from a legitimate business and tricked users into clicking a link.
Why is phishing – an attack method that has been around for over a decade – still successful? Why are people still falling prey to such a simple scam? Why are you at risk?
The answer is simple, but, perhaps, a bit painful:
We’ve been focusing on technology rather than on people. And when we do focus on people, we do it wrong.
Phishing, and other spam-related attacks, do not exploit technical vulnerabilities; they leverage a technological medium to exploit human weaknesses. The difference is significant – and game changing. While technical weaknesses can often be addressed with technical solutions, curbing phishing and related scams requires addressing the underlying human problem at their core – an issue that has nothing to do with the digital age; deceptive actors impersonating legitimate parties have been conning people since the dawn of civilization.
In fact, a primary reason why phishing continues to be an effective method of attack – even after a decade of anti-phishing efforts – is precisely because anti-phishing technologies are often designed to combat phishing by implementing technical “solutions” rather than addressing the human source of the problem.
Technical countermeasures can be circumvented, and if a human target is not otherwise shielded, problems occur. Software that attempts to block or erase phishing emails before a user reads them, for example, does nothing if a user is directed to a rogue website via a text message, and may, at times, even aggravate the problem by lowering a person’s guard when a cleverly constructed email does reach the user; the recipient thinks that illegitimate emails are blocked, and, therefore, grants unwarranted trust to messages that he or she does receive.
Oft-repeated advice to counter phishing is to educate customers about the dangers associated with clicking on links in unsolicited e-mails or opening unsolicited attachments. While such a recommendation might, in theory, help, the fact that phishing is still a problem after many years of people preaching the value of education makes clear beyond a doubt that education is, at best, a partial solution.
Fundamentally, the problem is that while technology improves rapidly, the human mind takes many years to adapt and evolve. That’s why over time we find criminals increasingly focusing on tricking users rather than on exploiting strictly technical vulnerabilities.
As I have said previously: The best way to protect people against phishing is to enable humans to distinguish legitimate entities from fraudulent ones, regardless of how the phishing solicitation reaches them.
This can be achieved by leveraging real, psychologically-sound site authentication and the human response mechanism behind it, but not by implementing complicated technologies that can, at best, only deliver partial success, and, which, at worst, may condition users to fall prey to even more scams than they would have without the technology in place.
Ultimately, cybersecurity is not about technology. It is about keeping people safe in an increasingly electronic world. When we need to protect humans against making mistakes, we need to apply knowledge of humans, not an understanding of electronics. The importance of such an approach is not limited to combating phishing; it is needed throughout the field of information security.
Shira Rubinoff was a psychologist before entering the information security space a decade ago. While she may have been a pioneer in making such a transition, and has been recognized in the industry for her relevant contributions to the information security field, there remains a severe lack of information security practitioners with similar human-related skills. If we are going to successfully curb attacks that exploit human weaknesses, we will need the wisdom and contributions of many more experts on human behavior.
After all, which do you think will work better and at a greater scale – educating employees and customers for the umpteenth time about the dangers associated with clicking links, deploying the umpteenth generation of email filtering software, or actually helping people more easily understand when a certain action is dangerous?