Securing your Web3 Assets!
Web3.0, blockchain, Ethereum, cryptocurrency, NFTs, etc.: let me use all the buzzwords to get people over to my blog post. Jokes aside, I want to focus on Web3.0 assets and the related products mentioned above, because they are the new shiny toys of the technology world. Just like any other shiny toy on the market, everyone is trying to get them for themselves, and not everyone is going about it legally.
Cyberattacks in the Web3.0 domain have become rampant, and they do not seem likely to end any time soon. When the internet age began, most of the world was unaware of its implications and of the security issues that would arise with it. Luckily, after all this time we have learned several lessons from the past, and if we generate enough awareness among people we might not have to face as many cyberattacks in the future as we do today. If you have invested a lot of money in cryptocurrencies and NFTs, or are thinking of doing so, I think it is extremely important and beneficial for you to read ahead.
Top Five Attack Vectors
Several different cyberattacks have been carried out in the past few years to dupe people out of their cryptocurrency and NFTs. The good thing is that most of them fall under the few attack vectors listed below. So, if you keep yourself aware and stay on the lookout for such attacks, you can protect yourself from nearly every malicious hacker out there. Let’s dive in and get a basic understanding of these attack scenarios and how one can protect against them.
1. Social Engineering
In my previous article a week back I covered phishing attacks, why they are so prevalent in this day and age, and how to protect ourselves against them. Web3.0 and the related technology are extremely new, so it is no surprise that people have not fully understood their nuances, and attackers use that to their own benefit.
Cloning crypto wallets is one of the most common attacks right now. As with any normal wallet, a crypto wallet holds the majority of your crypto assets, which makes it an extremely attractive target for attackers. To help customers recover their crypto wallets, companies provide them with a set of 12 to 24 words, also known as the “seed phrase”. It is effectively the master key to the wallet and can be used to regain access in case the wallet is lost or destroyed.
The issue is that attackers social engineer their victims into handing over the seed phrase, and many of these unsuspecting people, completely unaware of the importance of these words, provide them without a second thought. Once attackers hold the keys to your crypto wallet, they can drain everything in it within seconds, and you will have no way to get it back.
2. Fake Customer Agents
This is a variation of the social engineering attacks described above, but it needs to be stated separately because of how common this specific method has become. Attackers extract the seed phrase from users by pretending to call from the company that issued the victim’s crypto wallet. They tell the victim that reciting the seed phrase is the only way to prove they are the rightful owner of the wallet, and some victims do recite it and get hacked.
These fake customer agents use the same method to obtain OTPs when targeting people who have multi-factor authentication enabled. They ask the customer for the OTP under the pretext of establishing trust, then use it to break into the victim’s email account, reset the passwords of their online crypto accounts, and transfer everything to their own accounts.
3. Whales
The cyberattacks that take place in this space are on another level entirely. The word “whales” describes high-net-worth entities that hold huge amounts of assets, in this case crypto-assets. It is estimated that there are nearly 40,000 whales, which combined own nearly 80% of all NFTs out there. This makes whales extremely attractive to hackers.
Because these entities hold such large amounts of assets, malicious hackers are comfortable spending a ton of money to hack these people or organizations: the rewards outweigh the cost of the attack many times over. The attackers spend a lot of time carefully identifying the whales. People create entire fake projects and run the associated Discord servers and Twitter accounts, sometimes for months, in order to phish these whales.
Whales should be on the lookout for projects that seem fishy, do not have many people backing them, or have not made the code of their smart contract public. They should follow a defence-in-depth strategy and use several security features to lock down their wallets, with strong passwords and multi-factor authentication being the bare minimum.
4. ENS Domains
ENS (Ethereum Name Service) domains have gained a lot of popularity because they provide easy-to-remember names that map to other people’s cryptocurrency wallet addresses. This is extremely useful for people who regularly transfer cryptocurrency to each other, as it simplifies the process. The sad news is that anyone can buy an ENS domain under whatever name they prefer and then use it to trick their victims.
These ENS names can be made very similar to the name of the person the attacker is impersonating, in order to convince the victim to transfer their crypto assets to the attacker’s wallet instead of the intended recipient. Names can also become available for others to register once the previous owner fails to renew them, which can likewise lead to phishing attacks.
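The two ENS risks described above (a lookalike name, and a familiar name that now resolves somewhere else) can both be caught on the sending side by checking the name and its resolved address against an address book verified out of band. The Python below is an added example written for this post, not code from the original article or from ENS; the address book, the `RESOLVED` table that stands in for a real ENS lookup, and the small confusable-character table are all constructed for illustration (a real deployment would resolve names through an ENS library and use a full Unicode confusables list).

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed address book: names whose addresses the user verified out of band.
ADDRESS_BOOK = {
    "alice.eth": "0x1111111111111111111111111111111111111111",
}

# Constructed stand-in for an ENS resolver (name -> current address).
# The third entry starts with a Cyrillic "а", not a Latin "a".
RESOLVED = {
    "alice.eth": "0x1111111111111111111111111111111111111111",
    "a1ice.eth": "0x2222222222222222222222222222222222222222",
    "аlice.eth": "0x3333333333333333333333333333333333333333",
    "bob.eth": "0x4444444444444444444444444444444444444444",
}

# Hand-picked subset of visually confusable characters (assumption: a real
# checker would use the full Unicode confusables data).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
}


def skeleton(name: str) -> str:
    """Reduce a name to a 'skeleton' so visually similar names collapse together."""
    base = name.lower()
    if base.endswith(".eth"):
        base = base[:-4]
    base = unicodedata.normalize("NFKC", base)
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def lookalikes(name: str, book=ADDRESS_BOOK) -> list:
    """Return trusted names that `name` could be mistaken for (exact matches excluded)."""
    target = skeleton(name)
    hits = []
    for trusted in book:
        if trusted == name:
            continue
        t = skeleton(trusted)
        if t == target or SequenceMatcher(None, t, target).ratio() >= 0.85:
            hits.append(trusted)
    return hits


def check_transfer(name: str, resolved=RESOLVED, book=ADDRESS_BOOK) -> str:
    """Classify a proposed transfer to an ENS name.

    'ok'        - known name, resolves to the address we verified earlier
    'mismatch'  - known name, but it now resolves elsewhere (expired/re-registered)
    'lookalike' - unknown name that resembles a trusted one (possible impersonation)
    'unknown'   - unknown name with no resemblance; verify the address manually
    """
    address = resolved.get(name)
    if name in book:
        return "ok" if address == book[name] else "mismatch"
    if lookalikes(name, book):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for candidate in ["alice.eth", "a1ice.eth", "аlice.eth", "bob.eth"]:
        print(f"{candidate!r:14} -> {check_transfer(candidate)}")
```

The important design choice is that trust is pinned to the address recorded in the address book, not to the name: a transfer to a name you have used before is still blocked if the name now resolves to a different address, which is exactly the expired-and-re-registered case. The lookalike check is only a second line of defence, since no confusables table is complete.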
5. Malicious Smart Contracts
Attackers sometimes focus on exploiting genuine bugs in legitimate smart contracts, but that requires a great deal of effort and knowledge. So some attackers prefer to write their own malicious smart contracts and deploy them on the blockchain. These contracts offer most of the same functionality as other smart contracts but contain a few loopholes in the code that make them behave unexpectedly.
These attack scenarios are rare, as it takes a lot of effort to properly set up a smart contract, hide the malicious part of the code, and then advertise the contract to other people to get them to join. These are extremely long cons, but the payout of a successful attack can be millions of dollars.
If you keep yourself aware of such attack scenarios and follow security best practices, you should be safe even against the most targeted and advanced attacks. Stay updated so that you do not lose NFTs, crypto, and other extremely valuable assets worth thousands of dollars.
If you think you need more help on this, feel free to reach out to us. Let us help you enhance your security game and keep you secure against malicious hackers on the internet. We are eagerly waiting for your call!
Reach out to us at SECUREU & let’s talk about how we can help you!