Hackers try to trick naive investors as soon as a high-profile ICO is announced by sending their precious BTC/ETH to a fake address.
With rising instances of phishing attacks to trick investors, there are different ways ICOs can help in preventing such scams.
The heightened enthusiasm for ICOs has left investors vulnerable to phishing attacks and those who have participated in ICOs are very well aware of how rampant and lethal these attacks are. Initial Coin Offerings (ICO) is a popular decentralized way of fundraising used by startups and companies.
Hackers try to trick naive investors as soon as a high-profile ICO is announced by sending their precious BTC/ETH to a fake address. Since the industry is in its nascent stage, the instances of such scams are implausible to reduce. Further, what makes investors more vulnerable is that various token sales limit the number of people that can invest in the public sales. This results in people finding backdoors into ICOs, which can put them at risk. Therefore, in order to protect investors from phishing attacks, one has to take certain measures while there are different ways ICOs can also help to prevent such malicious tricks.
Paul Walsh, CEO of Metacert, which offers a free Chrome extension to protect ICO investors, states,
“If you expect to have a high-profile campaign, you should expect to be a target.”
A proxy re-encryption project NuCypher, which also lately launched an ICO, has annoyed many investors due to repetitive phishing attempts. However, the company every time after discovering a phishing campaign notified its community what to look for via its email list.
The last attack company detected came over Slack, in messages delivered via slackbots. The attack displayed an ethereum address to send ether funds to, (supposedly) in return for NuCypher tokens. However, investors received a caution from NuCypher that it would never use Slack to request investment.
NuCypher has started an initiative based on communicating and educating investors while also raising awareness among other ICO issuers about such attacks.
Walsh said, “Once investors get their fingers burnt, they are more likely to tell people: don’t do this. Then fewer people are going to invest in Cryptocurrency,” reported CoinDesk.
In order to stay protected in such a wild market, investors need to take various measures to protect themselves, however, the most important responsibility lies on the shoulders of the team running the ICO.
First and foremost, the issuers should put emphasis on only one communication channel for the purpose of sale news. Like in the case of Kik, a messaging app provider, when the company launched Kin it clearly stated that all information about buying its tokens would be available solely on its token sale site.
This kind of approach is helpful because if any vital information, like wallet addresses, is broadcasted via the website, then it would be very difficult for crooks to change the website.
In the case of Telegram ICO, the mobile messaging company, the hackers can benefit from the communication gap and set up fake sites pretending to offer the tokens. The reason behind this is lack of communication with the public about the ICO. However, to look into the matter, the company has created a Telegram channel for reporting scam sites.
“It’s good to get enthusiasm around whatever it is you’re going to launch, but these teams need to be more mindful,” avers Walsh.
Secondly, in order to reduce scams, the ICO teams should look into their marketing strategies. There should not be an urgency of calls to buy tokens. In cases where investors are offered short periods of special discounts, they act quickly to get in. This is where scammers get in action and investors get tricked into following fake links.
Nowadays, social engineering is behind most of the hacks and not cloak-and-dagger coding. The scams are carried out by either deceiving employees to disclose vital information or crooks imitating the real staff members. Thus, to guard the internal team against phishing is of the great importance. The issuers need to bear in mind that hackers may make use of social media channels to tweet out infectious links with access to authentic accounts to appear like a genuine deal to investors.
So as to generate knowledge of techniques used by the fraudsters to trap company staff, PhishMe provides automated, ongoing training to small- and medium-sized businesses. This training essentially works inside staff inboxes, by sending them emails that should raise red flags.
According to CoinDesk, PhishMe co-founder Aaron Higbee said that issuers should “look at who inside the company can tweet from these accounts,” and make sure they’re skilled enough to identify potential phishing attacks.
Further, Metacert presents a product to scrutinize team’s internal channels continuously. This helps in deleting malicious links and messages before anyone can access them.
In the case of Kik, attackers represented themselves as moderators in Slack channels. It is advised to the community management staff that so as to identify phishing attempts, look at what type of questions signify that people might be getting phished on another channel.
Finally, it is necessary for an ICO issuer to make sure that their web host makes security its priority. Since prior to the sale’s site going live, the company first selects its web host, thus, this presents attackers time to try and break into the system and put a fake front page with their own wallet address on the site when it goes live.
Therefore, it is imperative for ICO issuers to put a premium on internal security from the very beginning. Mobile devices, as well as email lists, should be appropriately protected. The documents are advised to be shredded so that they cannot be utilized by the fraudsters to make their attacks look genuine. Moreover, two-factor authentication (2FA) should always be practiced by the employees. SMS-based 2FA should be avoided because they provide little security than using apps like Authy, 1Password or Google Authenticator. Walsh told that there are some projects that keep a burner phone to be exclusively used for 2FA.
Text emails, despite having low marketing competence, are found more secure for recipients because a receiver is able to essentially see the link the email asks them to click. HTML formats, on the other hand, can hide such malicious links. According to Walsh, the best companies try to avoid HTML emails for pure text emails.
It is advisable for the issuers to communicate effectively with the potential investors regarding their security procedures. This will help investors to decide which projects they want to support.
MacLane Wilkinson of NuCypher, says, “Ultimately, there’s no way to prevent phishing attacks, so the most important thing you can do is education. You need to start early by explaining to your community what phishing attacks are and preparing them in advance,” reported CoinDesk.
Finally, to detect vulnerabilities and fix them before a real attack occurs, ICO projects can hire “white hat” hackers to try cracking the security systems employed by the token issuers.
Disclaimer: This is not an investment advice. It is of paramount importance that everyone should do his or her own due diligence before investing in any product, platform, tokens etc. Cryptocentral.io does not endorse any content or product published on this page. Our aim is to simply provide all the readers with the latest information in the field of cryptocurrency / blockchain industry that might be of interest to our readers.