A Tentative Study in Social Engineering Attacks in Blockchain Ecosystem
Social Engineering Attacks are on the Rise. Here's a deep dive into the methods used and the platforms on which these attacks take place, and what you can do to prevent them.
Introduction
Recently, a number of users in the blockchain ecosystem have discovered that their Telegram accounts have been stolen. In some of these incidents, the victims were informed by their contacts, while others were discovered by the victims themselves.
The modus operandi in all these cases was to take over an individual's Telegram account, harvest information from it, and then either send false messages to the victim while impersonating one of their contacts, or use the victim's account to attack the victim's contacts.
Attacks launched through social media platforms or applications are reported from time to time. In the past, however, hackers tended to use Twitter or Discord rather than Telegram.
This shows that the trend of using social accounts to carry out attacks is growing rapidly and that the scope of these attacks is expanding.
The Fairyproof research team believes that this trend and problem deserve the attention and vigilance of the entire ecosystem. In view of this, the Fairyproof research team has summarized and analyzed these attacks based on the various characteristics of hackers' use of social accounts, and would like to share our findings with our peers and users in the ecosystem.
Full Article
When it comes to security incidents in the blockchain ecosystem, many users assume that most hacker attacks target smart contracts, especially DeFi-type contracts. Because these projects often have a large amount of crypto assets locked up in their smart contracts, by attacking these contracts hackers can prey directly on the crypto assets within them.
However, this approach requires a high level of skill and a significant technical threshold, as the hacker needs to be proficient in smart contracts and find vulnerabilities in them in order to find the point of attack and launch the attack. It is therefore only suitable for a small group of hackers known as "scientists".
However, hackers will not easily "give up" in the face of the huge market value of crypto assets and the lucrative returns of illegal operations. As a result, in addition to this high-threshold attack, an increasing number of unskilled criminals are seeking to use the social networking software commonly used by the crypto community to steal account information for fraudulent purposes and to steal the assets of crypto asset holders.
We refer to this type of attack as a broad social account attack (or "phishing attack", "social engineering attack", etc.) [1].
I. What is a social account attack
A social account attack is one in which a hacker either:
- Uses social networking software (e.g. email, instant messengers, social media platforms, etc.) to defraud a target user, by inducing the target user to disclose sensitive information that allows the hacker to steal their assets, or by tricking the target user into actively transferring the assets they hold.
- Or implants a Trojan horse into the target user's device, hacks into his or her social accounts, steals his or her social information, and uses the account to defraud the target user's social contacts in order to obtain their assets.
According to Fairyproof's 2022 Blockchain Ecosecurity Annual Report, which counted 378 typical security incidents, there were 123 cases of attacks using social media, accounting for 32.54% of the total, which is comparable to the number of hacker attacks on smart contracts (143 cases) [2].
This shows that the use of social platforms/tools to carry out attacks has become an issue that every user in the blockchain ecosystem must pay close attention to.
This paper attempts to explore and summarize the common methods hackers use to attack through social media in the blockchain ecosystem, and the corresponding defensive measures, across five dimensions: common social platforms/tools, users of social platforms/tools, key points where social platforms/tools are used for attacks, dangerous operations that lead to the loss of users' assets, and preventive measures against attacks.
II. Social platforms/tools commonly used in the blockchain ecosystem
In the blockchain ecosystem, people usually choose different social platforms/tools with different characteristics depending on their needs.
A common social platform used for extensive business outreach and first-hand information is Twitter [3].
Discord [4] is a popular social networking tool used to bring communities together, motivate community members and facilitate interaction between project owners and the community.
For private communication and negotiation, Telegram [5] is the main instant messaging software used.
The above three are the most commonly used social platforms/tools in the blockchain ecosystem. Apart from these, other social tools such as WeChat [6], WhatsApp [7], Facebook [8] and Instagram [9] are also used by some projects, but not nearly as frequently as the above three tools. Therefore, the exploration in this paper mainly focuses on the above three social platforms/tools.
III. Users who use social platforms/tools
In the blockchain ecosystem, we have broadly divided users of social platforms/tools into three categories according to the purpose of their use of social platforms/tools.
- Project side: These are users who are project operators or crypto asset issuers in the ecosystem. They usually issue various types of tokens themselves or have them locked in the project contracts they operate. These are usually ERC-20 tokens [10], ERC-721 tokens [11] or ERC-1155 tokens [12], etc.
These users use social platforms/tools mainly for the purpose of posting updates on their operational projects or updates on their issued tokens.
- Crypto asset investors or project users: These are users who may conduct on-chain transactions or interact with (the project's) smart contracts. They usually buy the various types of tokens issued by the project, trade those tokens, or interact with the contracts of the project run by the project side.
These users use social platforms/tools mainly to get the latest news on the issuance of various types of tokens, the latest news on contract deployment interactions, the latest news on token trading and to share information about themselves.
- Blockchain Industry Practitioners: This category covers users who work in the blockchain industry and are involved in the day-to-day aspects of the business, such as operations and maintenance, commerce and development.
It covers a wide range of users who do not necessarily invest in or hold crypto assets, but whose work is directly related to the operation of crypto assets or blockchain projects and who have extensive connections with their peers.
These users use social platforms/tools mainly to access various types of information and to facilitate their internal and external communication, work, etc. They have a wide range of contacts in the ecosystem, through which they spread and exchange information.
IV. Key points of social platforms/tools being used for attacks
In the blockchain ecosystem, the various categories of users use social platforms/tools for different purposes and in different ways, which gives hackers the opportunity to exploit these characteristics to select targets and carry out attacks. The main scenarios are as follows.
- Exploiting the trust that crypto asset investors or project users place in the project owner: the social platforms/tools used by the project owner are hijacked and used to push false messages to crypto asset investors or project users.
In this scenario, the main purpose of the social platform/tool used by the project owner is to distribute information, while the investor or project user is the direct consumer of that information. Under this interaction model, investors or project users generally hold a default assumption that the information posted by the project owner on the social platform/tool is authentic and authoritative, and will follow the addresses, links, etc. given in that information directly.
This default trust in the authenticity and authority of the information gives hackers an opportunity to take advantage of it. If a hacker steals the project owner's social accounts and posts links to malware, fake transfer addresses or fake token issuance links, investors or project users are likely to click on the links, transfer assets or buy fake tokens without thinking, based on this trust.
Cases of hackers using Twitter and Discord to launch attacks are particularly common in this type of attack, as these two platforms/tools are mostly used by project owners to post information.
Here it is the project owner's social accounts that are exploited, but it is the crypto asset investor or project user who may lose crypto assets.
- Exploiting the strong desire of investors or project users to invest in or interact with a project and sending false project information directly to the target user
This type of attack occurs particularly often on the Twitter platform. This is because many opinion leaders or investment gurus in the blockchain ecosystem particularly like to visibly show their desire and quest for new projects and targets in their Twitter feeds.
Hackers take advantage of this desire by tweeting publicly or privately about so-called "new projects" and leaving links to these projects. These links can be links to malware, fake transfer addresses or fraudulent token offers.
If Twitter users see these messages and links and click on them or follow the instructions without thinking, they are likely to fall prey to the hackers and lose their assets.
The hackers are using Twitter as a tool and the investors or project users are the ones who may lose their crypto assets.
These two types of attacks are the most common "phishing attacks" that we encounter in the blockchain ecosystem.
- Using the blockchain practitioner's extensive network of contacts: hijacking their social platforms/tools and using them to send false information to the practitioner's contacts
The main use of social networking platforms/tools by blockchain practitioners is to interact and exchange information internally and externally. The most common tool used for this purpose is Telegram, which is therefore also used by hackers to attack such users.
In this type of attack, the hacker first steals the account of a user by means of a trick (e.g. obtaining a login verification code, stealing a login key, etc.), then logs into the account and copies the correspondence with that user's social contacts, and then sends fraudulent messages to the targeted contact while posing as the account owner (e.g. asking the targeted user to send crypto assets to an address provided by the hacker, to authorize a transaction that lets the hacker take the targeted user's crypto assets, or to click on a link to malware sent by the hacker, etc.).
Using this method, the hacker can impersonate all of the social connections on a Telegram user's contact list and attack the target user or even all of them.
This type of attack is much more lethal and stealthy, and less likely to be detected, as these connections have already established a stronger trust relationship with the Telegram user.
These types of attacks began to appear frequently in late January this year. It is worthwhile for all Telegram users to be on high alert.
V. Dangerous actions that lead to loss of assets for the user
In any of the typical attacks listed above, regardless of the method used to launch the attack, the ultimate goal of the hacker is to exploit the user's trust and trick the user into following the links or instructions he is given. These actions eventually lead to the loss of the user's crypto assets.
The danger is therefore quite high. These dangerous actions usually include the following.
- The targeted user clicks on a link or scans a QR code from an unknown source, etc. This could lead to the user installing a Trojan horse in the environment of their crypto wallet, which could lead to the theft of their wallet key, or to the user being tricked into interacting with an impostor project website (e.g. buying an impostor token), which could lead to the loss of crypto assets.
- The targeted user enters their wallet password or key in a dialog box or interface of unknown origin. This directly hands the hacker control of the user's crypto wallet and thus lets the hacker transfer all crypto assets out of the wallet.
- The target user clicks to authorize a transaction from an unknown source. This would give the hacker the right to transfer the crypto assets from the user's wallet at will.
VI. Preventive measures against the attack
In view of the characteristics of the typical attacks listed above and the dangerous actions that lead to the loss of crypto assets, Fairyproof recommends the following precautions for all three types of users to avoid having their social accounts exploited by hackers on the one hand and losing their crypto assets on the other.
- Security recommendations for day-to-day operations
For project information, verify its authenticity through multiple channels and platforms.
Pay close attention to security information in the ecosystem and familiarize yourself with the features of new attacks and cases and the precautions against them.
Be cautious of websites with odd URLs, stay alert to unfamiliar links, and click on them only with caution.
- Security advice for Twitter use
Keep your account information secure and do not share it publicly; set up multiple verification processes and verification information for your account; set up privacy and security options; handle private information with care; do not click on any suspicious links on Twitter and do not scan any suspicious QR codes.
- Security advice for using Discord
Same security tips as for Twitter; also set up permissions for message senders, block suspicious users, activate two-factor authentication, etc.
- Security advice for using Telegram
As social networking on Telegram is more private and relies more on trust, users should, in addition to the recommendations for Twitter and Discord, be careful not to share authentication codes and, in particular, should lock down their own private information (e.g. don't disclose phone numbers, don't make private information visible, etc.). Also be vigilant about the behavior of your social contacts and use voice or another non-text channel to confirm any odd behavior immediately.
- Security advice for using crypto wallets
When using a crypto wallet, do not under any circumstances enter your password or mnemonic on a suspicious screen.
For each transaction, read the signature message carefully before signing, check the authenticity of the website and other information in the signature message and compare it to the website you intended to access.
Refuse to sign transactions with ambiguous or oddly sourced addresses.
The advice on the secure use of wallets is not the focus of this article and is provided here only as a side note to the advice on the secure use of social platforms/tools and will not be elaborated upon.
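As an added example (not from the original article or from Fairyproof's own tooling), the following Python helper decodes the calldata of the two approval requests behind the "authorize a transaction from an unknown source" danger in Section V, ERC-20 approve and ERC-721/ERC-1155 setApprovalForAll, and produces the warnings a wallet could show before the user signs. The function name, the Verdict structure and the trusted-spender list are assumptions; the selectors are the standard 4-byte function ids.

```python
from dataclasses import dataclass, field

# Well-known 4-byte selectors (first 4 bytes of keccak-256 of the signature).
APPROVE = "095ea7b3"               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # ERC-721/ERC-1155 setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

@dataclass
class Verdict:                 # assumed structure, not a wallet standard
    kind: str                  # which approval function the calldata invokes
    spender: str               # address being granted spending rights
    unlimited: bool            # True if it can move every token of that kind
    warnings: list = field(default_factory=list)

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]

def check_approval(calldata_hex: str, trusted_spenders) -> Verdict:
    """Inspect approval calldata before the user signs it.

    trusted_spenders: contract addresses that belong to the site the user
    actually intended to use (a list the caller constructs, not a registry).
    """
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4 + 2 * 32:
        raise ValueError("calldata too short for a two-argument call")
    selector = data[:4].hex()
    spender_word = _word(data, 0)
    if selector == APPROVE:
        kind = "ERC-20 approve"
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount == UINT256_MAX
        risk = "unlimited allowance: spender can drain the whole token balance"
    elif selector == SET_APPROVAL_FOR_ALL:
        kind = "setApprovalForAll"
        unlimited = int.from_bytes(_word(data, 1), "big") == 1
        risk = "operator approval: spender can move every NFT in this collection"
    else:
        return Verdict("other", "", False, ["not an approval call; review separately"])
    verdict = Verdict(kind, "0x" + spender_word[12:].hex(), unlimited)
    if any(spender_word[:12]):  # ABI pads an address with 12 leading zero bytes
        verdict.warnings.append("malformed address word; do not sign")
    if unlimited:
        verdict.warnings.append(risk)
    if verdict.spender not in {s.lower() for s in trusted_spenders}:
        verdict.warnings.append(f"spender {verdict.spender} is not a contract of the intended site")
    return verdict
```

A wallet or browser extension would run this on the calldata shown in the signing prompt and refuse to proceed while the warnings list is non-empty.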
The role of social platforms/tools in the blockchain ecosystem is to build trust between people, but the underlying technology and operational processes on which such trust relationships rest are open to various vulnerabilities and exploitation. Therefore, once people have built up trust on these social platforms/tools, hackers who have "stolen" that trust relationship by exploiting loopholes in technology or operation can use it to commit fraud and attack with impunity.
All precautions against these frauds and attacks can be summarized in the following guidelines.
- Reduce psychological dependence on this relationship of trust.
- Use multiple technical means and more rigorous operational processes to challenge this trust relationship, thereby increasing the cost and raising the threshold for hacking, and ultimately protecting the project and protecting the asset.
References:
[1] Salahdine F, Kaabouch N. Social engineering attacks: A survey[J]. Future Internet, 2019, 11(4): 89.
[2] Fairyproof's Review Of 2022 Blockchain Security, https://fairyproof.com/doc/Fairyproof's_Review_Of_2022_Blockchain_Security.pdf, January 2023
[3] Twitter, https://twitter.com/home
[4] Discord, https://discord.com/
[5] Telegram, https://telegram.org/
[6] WeChat (微信), https://weixin.qq.com/
[7] WhatsApp, https://www.whatsapp.com/
[8] Facebook, https://www.facebook.com/
[9] Instagram, https://www.instagram.com/
[10] ERC-20 Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
[11] ERC-721 Non-fungible Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-721/
[12] ERC-1155 Multi Token Standard, https://eips.ethereum.org/EIPS/eip-1155