
A Tentative Study in Social Engineering Attacks in Blockchain Ecosystem


Introduction

Recently, a number of users in the blockchain ecosystem have found that their Telegram accounts were taken over. In some incidents the victims were alerted by their contacts; in others they noticed the compromise themselves.

The modus operandi in every case was the same: the attacker first took over the account by stealing its Telegram login information, then either sent fraudulent messages to the victim while impersonating one of the victim's contacts, or used the victim's account to target the victim's contacts.

Attacks launched through social media platforms or applications are reported from time to time. In the past, however, attackers more often used Twitter or Discord than Telegram.

This shows that attacks through social accounts are growing rapidly, both in number and in the range of platforms abused.

The Fairyproof research team believes this trend deserves the attention and vigilance of the entire ecosystem. In view of this, the team has summarized and analyzed these attacks according to the characteristics of how hackers abuse social accounts, and would like to share its findings with peers and users in the ecosystem.


When it comes to security incidents in the blockchain ecosystem, many users assume that most attacks target smart contracts, especially DeFi contracts. These contracts often hold large amounts of locked crypto assets, so an attacker who exploits them can drain those assets directly.

However, this approach requires a high level of skill and a significant technical threshold: the hacker must be proficient in smart contracts and able to find a vulnerability in the target before an attack can be launched. It is therefore only feasible for a small group of hackers known as "scientists".

Hackers will not easily "give up" in the face of the huge market value of crypto assets and the lucrative returns of illegal operations. As a result, alongside these high-threshold attacks, an increasing number of less-skilled criminals are turning to the social networking software commonly used by the crypto community, stealing account information for fraud and for theft of crypto asset holders' funds.

We refer to this type of attack as a broad social account attack (or "phishing attack", "social engineering attack", etc.) [1].

I What is a social account attack

A social account attack is one in which a hacker

- uses social networking software (e.g. email, instant messaging, social media platforms) to defraud a target user, either by inducing the target to disclose sensitive information (keys, verification codes) that lets the hacker steal their assets, or by tricking the target into transferring the assets themselves; or

- plants a Trojan horse on the target user's device, takes over their social accounts, harvests their social information (contacts and message history), and uses the account to defraud the target's contacts and obtain their assets.

According to Fairyproof's 2022 Blockchain Ecosecurity Annual Report, which counted 378 typical security incidents, 123 cases (32.54% of the total) were attacks using social media, comparable to the 143 hacker attacks on smart contracts [2].

This shows that attacks carried out through social platforms/tools have become an issue that every user in the blockchain ecosystem must take seriously.

This paper attempts to explore and summarize the common methods hackers use to attack through social media in the blockchain ecosystem, and the defensive measures against them, along five dimensions: the common social platforms/tools, the users of those platforms/tools, the key points at which they are used for attacks, the dangerous actions that lead to loss of users' assets, and preventive measures.

II Social platforms/tools commonly used in the blockchain ecosystem

In the blockchain ecosystem, people usually choose different social platforms/tools with different characteristics depending on their needs.

Twitter [3] is the common platform for broad business outreach and first-hand information.

Discord [4] is the popular tool for bringing a community together, motivating community members and facilitating interaction between project owners and the community.

Telegram [5] is the main instant messaging software, chosen for privacy and for direct communication and negotiation.

The above three are the most commonly used social platforms/tools in the blockchain ecosystem. Apart from these, other social tools such as WeChat [6], WhatsApp [7], Facebook [8] and Instagram [9] are also used by some projects, but not nearly as frequently as the above three tools. Therefore, the exploration in this paper mainly focuses on the above three social platforms/tools.

III Users who use social platforms/tools

In the blockchain ecosystem, we have broadly divided users of social platforms/tools into three categories according to the purpose of their use of social platforms/tools.

- Project side: These are users who operate projects or issue crypto assets in the ecosystem. They usually issue tokens themselves or hold tokens locked in the project contracts they operate; these are typically ERC-20 [10], ERC-721 [11] or ERC-1155 [12] tokens.

These users use social platforms/tools mainly for the purpose of posting updates on their operational projects or updates on their issued tokens.

- Crypto asset investors or project users: These are users who conduct on-chain transactions or interact with a project's smart contracts. They usually buy the tokens issued by a project, trade tokens, or interact with the contracts run by the project side.

These users use social platforms/tools mainly to get the latest news on the issuance of various types of tokens, the latest news on contract deployment interactions, the latest news on token trading and to share information about themselves.

- Blockchain Industry Practitioners: This category of users are those who work in the blockchain industry and are involved in the day-to-day aspects of the business such as operations and maintenance, commerce and development.

This category covers a wide range of users who do not necessarily invest in or hold crypto assets, but whose work is directly related to the operation of crypto assets or blockchain projects and have extensive connections with their peers.

These users use social platforms/tools mainly for the purpose of accessing various types of information to facilitate their internal and external communication, work, etc. They have a wide range of contacts in the ecosystem, and they spread and exchange information.

IV Key points of social platforms/tools being used for attacks

In the blockchain ecosystem, each category of users uses social platforms/tools for a different purpose and in a different way, and hackers make full use of these characteristics to pick their targets and carry out attacks. The main scenarios are as follows.

- Exploiting the trust that crypto asset investors or project users place in the project owner: the project owner's social platforms/tools are hijacked and used to push false messages to investors or project users.

In this scenario, the project owner uses the social platform/tool mainly to distribute information, and the investor or project user is the direct consumer of that information. Under this interaction model, investors or project users have a default belief that whatever the project owner posts is authentic and authoritative, and will directly follow the addresses, links, etc. given in the information.

This default trust in the authenticity and authority of the information gives hackers an opportunity to take advantage of it. If a hacker steals the project owner's social accounts and posts links to malware, fake transfer addresses or fake token issuance links, investors or project users are likely to click on the links, transfer assets or buy fake tokens without thinking, based on this trust.

Cases of hackers using Twitter and Discord to launch attacks are particularly common in this type of attack, as these two platforms/tools are mostly used by project owners to post information.

Where it is the project owner's social accounts that are exploited, it is the crypto asset investor or project user who may lose crypto assets.

- Exploiting the strong desire of investors or project users to invest in or interact with a project and sending false project information directly to the target user

This type of attack occurs particularly often on Twitter, because many opinion leaders and investment gurus in the blockchain ecosystem openly signal their appetite for new projects and targets in their Twitter feeds.

Hackers take advantage of this appetite by tweeting publicly, or messaging privately, about so-called "new projects" and leaving links to them. These links can lead to malware, fake transfer addresses or fraudulent token offers.

If Twitter users see these messages and click the links or follow the instructions without thinking, they are likely to fall prey to the hackers and lose their assets.

The hackers are using Twitter as a tool and the investors or project users are the ones who may lose their crypto assets.

These two types of attacks are the most common "phishing attacks" that we encounter in the blockchain ecosystem.

- Using the blockchain practitioner's extensive network of contacts to hijack their social platforms/tools and use them to send false information to the practitioner's contacts

The main use of social networking platforms/tools by blockchain practitioners is to interact and exchange information internally and externally. The most common tool used for this purpose is Telegram, which is therefore also used by hackers to attack such users.

In this type of attack, the hacker first takes over the targeted user's account by some trick (e.g. phishing the login verification code or stealing the session/login key), logs in, reads the user's conversations with their contacts, and then, posing as the user, sends those contacts fraudulent messages: asking them to send crypto assets to an address the hacker controls, to sign an approval that lets the hacker transfer their assets, or to click a link to malware.

In this way the hacker can impersonate the user to every contact in the user's Telegram list and attack any one of them, or all of them.

This type of attack is far more damaging and stealthy, and less likely to be detected, because those contacts have already built up a stronger trust relationship with the Telegram user.

These types of attacks began to appear frequently in late January this year. It is worthwhile for all Telegram users to be on high alert.

V Dangerous actions that lead to loss of assets for the user

In all of the typical attacks listed above, whatever method is used to launch them, the hacker's ultimate goal is to exploit the user's trust and trick the user into following the links or instructions they are given. These actions eventually lead to the loss of the user's crypto assets.

The danger is therefore quite high. These dangerous actions usually include the following.

- The target user clicks on a link or scans a QR code from an unknown source. This can install a Trojan horse in the environment of their crypto wallet, leading to theft of the wallet's private key, or lead the user on to an impostor project website (e.g. to buy an impostor token), leading to loss of crypto assets.

- The target user enters their private key or mnemonic (seed phrase) in a dialog box or interface of unknown origin. This directly hands the hacker control of the user's wallet and, with it, every crypto asset in it.

- The target user signs an asset approval requested by an unknown source, for example an ERC-20 approve with an unlimited allowance or an ERC-721/ERC-1155 setApprovalForAll. This gives the hacker the right to transfer the crypto assets out of the user's wallet at will, with no further action by the user.
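As an added example (not code from Fairyproof or this article), the following Python check shows what "authorizing a transaction from an unknown source" looks like at the calldata level, and how a wallet or a careful user could flag it before signing. It also serves the wallet advice in section VI on reading a signing request before approving it. The function selectors are the real ones for the standard ERC-20/ERC-721/ERC-1155 approval functions; the spender addresses, the vetted-spender list and the sample transactions are constructed placeholders.

```python
# Added example (not Fairyproof's code): a pre-signing check for an EVM
# transaction. It decodes the calldata of the standard approval functions and
# flags the grants the article warns about: unlimited ERC-20 allowances and
# ERC-721/1155 setApprovalForAll to a spender the user has not vetted.
from dataclasses import dataclass
from typing import Optional

MAX_UINT256 = (1 << 256) - 1

# First four bytes of keccak-256(canonical signature); these are the real
# selectors of the standard functions.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)           ERC-20 / ERC-721
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256) ERC-20 (OpenZeppelin)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)    ERC-721 / ERC-1155
}


@dataclass
class Finding:
    function: str
    spender: str
    risk: str    # "high", "medium" or "low"
    reason: str


def _word(data: bytes, index: int) -> int:
    """Return the index-th 32-byte ABI word after the selector as an int."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return int.from_bytes(chunk, "big")


def _address(word: int) -> str:
    """ABI addresses are left-padded to 32 bytes; the padding must be zero."""
    if word >> 160:
        raise ValueError("address word has non-zero padding")
    return "0x" + word.to_bytes(20, "big").hex()


def check_approval(calldata_hex: str, vetted_spenders: set) -> Optional[Finding]:
    """Classify an approval transaction; None means the call is not an approval."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return None
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None
    spender = _address(_word(data, 0))
    arg = _word(data, 1)
    vetted = spender in {s.lower() for s in vetted_spenders}

    if name == "setApprovalForAll":
        if arg == 0:
            return Finding(name, spender, "low", "revokes operator rights")
        reason = "operator may move every token of this collection"
        return Finding(name, spender, "medium" if vetted else "high", reason)

    if arg == 0:
        return Finding(name, spender, "low", "revokes the allowance")
    if arg >= 1 << 255:   # type(uint256).max and other absurd values
        reason = "unlimited allowance: spender can drain the full balance at any time"
        return Finding(name, spender, "medium" if vetted else "high", reason)
    reason = f"bounded allowance of {arg} base units"
    return Finding(name, spender, "low" if vetted else "medium", reason)


# ---- constructed samples (placeholder addresses, not real contracts) ----
def _pad_addr(addr: str) -> str:
    return addr.removeprefix("0x").rjust(64, "0")


def _pad_uint(n: int) -> str:
    return f"{n:064x}"


VETTED_SPENDERS = {"0x" + "aa" * 20}   # e.g. the router the user actually meant to use

# approve(attacker, type(uint256).max): the request a drainer page typically makes
DRAINER_APPROVE = "0x095ea7b3" + _pad_addr("0x" + "11" * 20) + _pad_uint(MAX_UINT256)
# setApprovalForAll(attacker, true) against an NFT collection
DRAINER_OPERATOR = "0xa22cb465" + _pad_addr("0x" + "22" * 20) + _pad_uint(1)
# approve(vetted_router, 1000 USDC): bounded allowance to a known spender
BOUNDED_APPROVE = "0x095ea7b3" + _pad_addr("0x" + "aa" * 20) + _pad_uint(1000 * 10**6)
# a plain value transfer carries no calldata and is not an approval at all
PLAIN_TRANSFER = "0x"

if __name__ == "__main__":
    for label, tx in [("drainer approve", DRAINER_APPROVE), ("drainer operator", DRAINER_OPERATOR),
                      ("bounded approve", BOUNDED_APPROVE), ("plain transfer", PLAIN_TRANSFER)]:
        finding = check_approval(tx, VETTED_SPENDERS)
        print(label, "->", "not an approval" if finding is None else f"{finding.risk}: {finding.reason}")
```

The point of the check is the two questions a user should answer before clicking "confirm": who is the spender, and how much can they take. A phishing page almost always asks for the maximum allowance or a blanket operator grant, because that is what lets the attacker drain the wallet later without any further interaction.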

VI Preventive measures against the attack

In view of the characteristics of the typical attacks listed above and the dangerous actions that lead to the loss of crypto assets, Fairyproof recommends the following precautions for all three types of users to avoid having their social accounts exploited by hackers on the one hand and losing their crypto assets on the other.

- Security recommendations for day-to-day operations

Verify project information through multiple channels and platforms before acting on it.

Pay attention to security news in the ecosystem and familiarize yourself with the characteristics of new attacks and cases, and the precautions against them.

Be cautious of websites with odd URLs, stay alert to unfamiliar links, and open them only after checking them.

- Security advice for Twitter use

Keep your account information secure and do not share it publicly; set up multiple verification processes and verification information for your account; set up privacy and security options; handle private information with care; do not click on any suspicious links on Twitter and do not scan any suspicious QR codes.

- Security advice for using Discord

Same security tips as for Twitter; also set up permissions for message senders, block suspicious users, activate 2-Factor authentication, etc.

- Security advice for using Telegram

Because contact on Telegram is more private and depends more on personal trust, Telegram users should, in addition to the Twitter and Discord recommendations, never share their login verification codes and should lock down their privacy settings (hide the phone number, restrict who can see profile details, etc.). Watch for unusual behavior from contacts, and immediately confirm any odd request by voice or another non-text channel.

- Security advice for using crypto wallets

When using a crypto wallet, never enter your password or mnemonic on a suspicious screen, under any circumstances.

For each transaction, read the signing request carefully before signing: check the contract, the spender and the amount being approved, verify the authenticity of the website named in the request, and compare it with the site you intended to visit.

Refuse to sign transactions involving ambiguous addresses or addresses of unclear origin.

The advice on the secure use of wallets is not the focus of this article and is provided here only as a side note to the advice on the secure use of social platforms/tools and will not be elaborated upon.
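As an added example (not from the article), one way to turn the advice above on odd URLs and multi-channel verification into a mechanical check: a Python function that classifies a link before it is opened, against a short list of domains the user has already verified through a second channel. The trusted domains and the sample links are constructed placeholders, and the registrable-domain logic is a deliberate simplification that a real deployment would replace with a public-suffix list.

```python
# Added example (not from the article): classify a link before opening it,
# against a small list of domains the user has already verified through a
# second channel. Catches the usual tricks: lookalike names, the trusted name
# used as a subdomain of an attacker's domain, internationalised homoglyph
# hosts, and credentials smuggled into the URL.
from urllib.parse import urlsplit

# Constructed allowlist; placeholder names, not real projects.
TRUSTED_DOMAINS = {"example-dex.org", "app.example-dex.org"}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). Use a public-suffix list in production."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, trusted: set = TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "block", "no host in URL"
    if parts.scheme != "https":
        return "block", f"scheme {parts.scheme!r} is not https"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "block", "host is not a valid internationalised name"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "block", f"internationalised host {ascii_host} (possible homoglyph)"
    if parts.username or parts.password:
        return "block", "credentials embedded in URL (the real host is after the '@')"
    if ascii_host in trusted:
        return "allow", "host is on the verified list"

    reg = _registrable(ascii_host)
    name = reg.split(".")[0]
    for t_reg in {_registrable(t) for t in trusted}:
        if reg == t_reg:
            return "review", f"unlisted subdomain of trusted {t_reg}"
        if t_reg in ascii_host:
            return "block", f"trusted name {t_reg} used inside attacker-controlled {reg}"
        t_name = t_reg.split(".")[0]
        if name == t_name:
            return "block", f"{reg} is the trusted name under a different TLD"
        if _levenshtein(name, t_name) <= 1:
            return "block", f"{reg} is a one-character lookalike of {t_reg}"
    return "review", "unknown host; verify it through a second channel before opening"


# Constructed sample links, as they might arrive in a Twitter DM or Telegram chat.
SAMPLE_LINKS = [
    "https://app.example-dex.org/swap",                 # genuine
    "https://app.example-dex.org.evil.example/claim",   # trusted name as a subdomain
    "https://examp1e-dex.org/airdrop",                  # digit-for-letter lookalike
    "https://example-dex.com/airdrop",                  # same name, different TLD
    "https://ex\u0430mple-dex.org/claim",               # Cyrillic 'a' homoglyph
    "https://app.example-dex.org@evil.example/",        # userinfo trick
    "http://app.example-dex.org/swap",                  # downgrade to plain http
    "https://docs.example-dex.org/",                    # unlisted subdomain
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:6} {link}  ({reason})")
```

A "review" verdict is the normal outcome for anything not on the list; the check is meant to stop the obvious impostors automatically and to push everything else back to the human step the article recommends, confirming the link through a channel the attacker does not control.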

The role of social platforms/tools in the blockchain ecosystem is to build trust between people, but the technology and operational processes that this trust rests on have various weaknesses that can be exploited. Once people have built up trust through these platforms, a hacker who "steals" that trust relationship, by exploiting a technical or operational loophole, can use it to defraud and attack with impunity.

All precautions against these frauds and attacks can be summarized in the following guidelines.

- Reduce psychological dependence on this relationship of trust.

- Use multiple technical means and more rigorous operational processes to challenge this trust relationship, thereby raising the attacker's cost and the threshold for an attack, and ultimately protecting both the project and its assets.

References:

[1] Salahdine F, Kaabouch N. Social engineering attacks: A survey[J]. Future Internet, 2019, 11(4): 89.

[2] Fairyproof's Review Of 2022 Blockchain Security, https://fairyproof.com/doc/Fairyproof's_Review_Of_2022_Blockchain_Security.pdf, January 2023

[3] Twitter, https://twitter.com/home

[4] Discord, https://discord.com/

[5] Telegram, https://telegram.org/

[6] WeChat (微信), https://weixin.qq.com/

[7] WhatsApp, https://www.whatsapp.com/

[8] Facebook, https://www.facebook.com/

[9] Instagram, https://www.instagram.com/

[10] ERC-20 Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-20/

[11] ERC-721 Non-fungible Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-721/

[12] ERC-1155 Multi Token Standard, https://eips.ethereum.org/EIPS/eip-1155
