The Phishing Activity Trends Report for the 4th quarter of 2017, “Unifying the Global Response to Cybercrime”, makes clear that phishing requires special attention. The Anti-Phishing Working Group affirms that “phishing is a criminal mechanism that employs both social engineering and technical subterfuge to steal consumers’ identity data and financial account credentials.” The data shows that phishing is a serious issue which requires proper anti-phishing protection measures.
Mass Email Phishing: email is the most common source of phishing.
Clone phishing happens when an attacker mimics a popular website that usually requires login credentials.
Spear phishing: spear phishing aims at a specific group instead of sending thousands of emails haphazardly.
Whaling, or CEO phishing: this attack targets high-level executives and aims to access their email accounts.
Social media phishing: unlike email phishing, this type of attack is executed via social networks such as Facebook, Twitter, or Instagram. Sending phishing messages on behalf of authorised accounts is another widespread type of social media phishing.
Malware-based phishing: fraud involving malicious software. Malware can be introduced via an email attachment, USB-sticks, or a downloadable file from a website.
DNS-based phishing (“pharming”): pharming is an attack that strives to redirect website traffic to a phishing website.
Man-in-the-middle phishing: by getting access to unencrypted information exchanged between a sender and a receiver, scammers steal users’ data.
Anti-phishing protection is a set of essential preventative steps and practices against cyber scammers. Usually, it involves anti-phishing software, anti-phishing services, and social engineering training of staff members to distinguish counterfeit websites and/or fishy emails.
Let’s review the main assets that phishers typically target.
How to avoid website cloning:
Make your code safe — to safeguard your website, you need to encrypt code. A group of highly skilled developers can easily manage encryption and guard you against design & code theft.
Disable copy-paste — developers can protect the text of your website from copy-paste by tweaking the script of your web pages.
Place copyright information on the website — the text of your website should be protected by copyright, and its exploitation without your permission should be illegal.
Get professional support — there are several tech firms that offer anti-phishing solutions and services.
Code updates: keeping software up to date is vital for the security of your website. This includes the operating system of your server and the other software that your website uses.
Avoid uploading unknown documents & files: any uploaded files may contain malicious scripts that damage the security of your website.
Apply HTTPS: the site’s certificate enables an encrypted connection between the web server and the visitor’s computer.
For brand holders, the risks associated with phishing schemes and malware go beyond those concerning customer and business data — they also damage brand equity and client trust. Online brand defense (including social media brand protection) allows business owners to preserve their reputation and client trust if someone attempts to use their brand for profit.
Every company should develop a brand protection strategy: anti-phishing ways and means to protect the safety of one’s brand in cyberspace. Furthermore, companies should closely monitor how the strategy is applied and routinely update instructions concerning the security of users, their private information, the implementation of protection against online fraud, and the protection and preventative maintenance of vital systems.
Education and training
To effectively counter phishing, companies should educate employees to recognize it (e.g. checking domain names in email links, looking for compliant URLs, using verified software, and following other anti-phishing techniques). The Wombat Security report shows that 95% of respondents have education programs and anti-phishing training for end users. The majority of companies opt for monthly and quarterly training cycles. The figure below shows the most common anti-phishing training formats:
Update your software
Keep your software up to date: web browsers, microcode, apps, antivirus software, OS, etc. Developers offer patches and revisions as soon as they identify threats.
Protect your domain name
A domain name is one of the most important resources for a company. Therefore, you should keep it as safe as possible. Here are some of the useful methods:
Use ‘spam traps’ to filter out emails that lead clients to phishing websites;
Monitor the registration of brand-specific domain names which may be used to host fake websites;
Deactivate phishing websites by notifying domain registrars or hosting suppliers.
Sender Policy Framework (SPF) is an email authentication tool designed to detect and stop spoofed or malicious emails. SPF can be enforced in two areas: Checking and Publishing.
SPF Checking helps you to determine whether the emails received by your company come from a valid source.
SPF Publishing lets you declare which email servers are authorized to send email on behalf of your domain.
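To show what SPF Checking actually evaluates, here is an added example (not code from the original article) of a minimal SPF evaluator. The DNS TXT records are a constructed in-memory snapshot standing in for live lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms are supported.

```python
import ipaddress

# Constructed DNS snapshot standing in for TXT lookups (example data, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the published SPF record for a domain, or None (stand-in for a DNS TXT query)."""
    rec = DNS_TXT.get(domain.lower())
    if rec and rec.lower().startswith("v=spf1"):
        return rec
    return None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF result for sender_ip claiming MAIL FROM <domain>.

    Mechanisms are scanned left to right; the first match decides the result,
    and its qualifier (+, -, ~, ?) maps to pass/fail/softfail/neutral.
    """
    if depth > 10:  # RFC 7208 limits the number of DNS-querying mechanisms to 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network (and vice versa), so this is safe
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields 'pass';
            # a missing or broken referenced record is a permanent error
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # unsupported mechanism in this minimal evaluator
    return "neutral"  # no mechanism matched and no 'all' term was present
```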
Purchase Anti-Phishing tools
Investing in brand protection solutions is never a bad idea. These are some instruments you can apply:
A gateway email filter protects you from phishing and decreases the number of phishing emails.
Email authentication standards ensure proper phishing protection of your IT infrastructure. These include SPF and DomainKeys Identified Mail (DKIM), which allows recipients to accept only cryptographically signed emails. Domain-based Message Authentication, Reporting, and Conformance (DMARC) determines whether the SPF and DKIM checks pass and what to do with mail that fails them.
Further, web security gateways prevent users from opening potentially dangerous links. They work by checking whether requested URLs appear in an up-to-date database of websites suspected of hosting malware or fraudulent content.
A functional firewall must be installed on all PCs and servers belonging to the firm. A firewall helps keep staff members safe from unknowingly opening virus-bearing attachments or other malware.
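The DMARC step described above combines the SPF and DKIM results with an alignment check against the visible From domain. The following added example (not from the original article) evaluates that decision for a constructed DMARC record; the organizational-domain helper takes the last two labels as a simplification of the public suffix list.

```python
# Constructed DMARC record (example data, not a real domain's policy).
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r",
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode requires an exact match; relaxed mode accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', the published policy to apply ('none'/'quarantine'/'reject'),
    or 'none' when no DMARC record is published for the From domain."""
    from_domain = from_domain.lower()
    # look up the exact From domain first, then fall back to the organizational domain
    record = DMARC_TXT.get("_dmarc." + from_domain) or DMARC_TXT.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # a subdomain of the organizational domain falls under 'sp' when it is published
    if from_domain != org_domain(from_domain):
        return tags.get("sp", tags["p"])
    return tags["p"]
```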
Phishing is a type of scam that aims to steal personal data: customer ID, IPIN, credit/debit card number, card expiry date, CVV number, etc. Phishers are well organized and apply different techniques to mislead companies and their clients. As phishing attacks happen more frequently, anti-phishing protection is a necessity — it guarantees the security of a company’s name and gives its employees the skills to counter offenders.
As an example of Distributed Ledger Technology (DLT), blockchain is one of the most secure systems. However, blockchains are similar to conventional IT systems when it comes to vulnerabilities and processes: access and change management, key management, cryptography, blockchain-specific vulnerabilities related to DLT, consensus hijacking, and smart contract vulnerabilities.
Blockchain security assessment is an important procedure because it allows one to discover dangerous security vulnerabilities and ensure the continuous protection of the chain. More precisely, we refer to the following layers for security assessments. These categories need to be assessed separately because they have distinct security requirements.
Smart contract audit
Blockchain platform vulnerability analysis
dApps and Apps Vulnerability Analysis
Smart contracts are immutable, which means that as soon as a smart contract is released, it cannot be altered. If a smart contract has vulnerabilities, it endangers user transactions. Therefore, a smart contract audit is performed prior to the product release.
It is a process in which an auditor investigates the contract’s source code to reveal bugs and vulnerabilities before the code is deployed on the mainnet.
A smart contract audit doesn’t give any guarantee that the code is 100% secure; however, the audit helps to reduce the risk of being hacked.
1. Preparation - defining scope, estimating project deadlines, retrieving necessary information from the client (for example, technical specification)
2. Functionality overview - analyzing smart contract functionality (expected and programmed); documenting this overview to AS-IS section of a future report
3. Automated tools analysis - compiling smart contract, testing with automated security audit tools and linters, reviewing the applicability of found issues, documenting confirmed issues to the report
4. Manual analysis - performing manual tests against known attacks, testing code against the specification, documenting results
5. Finalization - preparing a final report for the client
6. (optional) Secondary audit - steps 1-5 repeated for fixes made by the client after the initial audit
Although it is more expensive to outsource a smart contract audit than to rely on the workforce within a company, companies that specialize in cybersecurity have higher expertise and better facilities, which allows them to identify vulnerabilities more efficiently. Only an independent, reputable and competent company should perform the audit. It’s highly inadvisable to skimp on the audit, as in doing so you risk being hacked.
The security of a blockchain platform is a continuous process. Roughly speaking, its provision consists of three constituent parts: the network, endpoints, and cryptography.
There are 4 types of network attacks, and, although there is no way to completely eliminate them, there are several things you can do to counter them.
Sybil attack. An attack where a single malicious actor controls multiple nodes on a network. ‘Honest’ nodes may accept shared information from these nodes, thinking that the data arrives from many trustworthy sources. Proof-of-Work (PoW) was created to protect against Sybil attacks during mining.
Eclipse attack. In contrast to a Sybil attack, an Eclipse attack is focused on a single node rather than the entire network.
Routing attack. The attack involves intercepting messages and tampering with them before pushing them through the network. First of all, you can diversify network connections to avoid revealing the location of nodes whose compromise would allow an attacker to hijack and split the network into two or more disjoint groups. Secondly, you can monitor network parameters such as Round-Trip Time (RTT) and recognize irregular patterns.
Consensus Algorithm. Analyzes and tests the algorithm used by blockchain nodes: determines whether a given blockchain runs updated data.
Synchronization. Ensure that an application runs an updated ledger version. If an application is outdated, it may execute erroneous functions.
A node is simply a computer that participates in the blockchain network. This participation can differ for each blockchain platform. Each endpoint has its own characteristics, and the most common attacks on them are:
DoS attacks. You can decrease the size of the blocks containing transactions to make transaction fees higher. This way, DoS attacks will be more expensive since attackers will have to pay for every transaction they send out to the network.
Vulnerability Assessment, Build and Deploy Analysis. Evaluates the security of blockchain platforms to find potential vulnerabilities.
Analysis and testing of blockchain-specific requirements. For example, a particular blockchain network can be fully redundant, and each endpoint should add to this redundancy. The network should never rely on a single point and should instead use all available points.
Cryptography is a way of encrypting and decrypting information with the help of difficult mathematics. Impersonation, replay attack, reflection attack, forced delay, and interleaving attack are the 5 well-known cryptographic attacks.
Known-key attack: an attacker obtains some keys used previously and then uses this information to attack the protocol and possibly determine new keys.
Replay: an attacker records a communication session and replays some or all of it at a later time.
Impersonation: an attacker assumes the identity of one of the legitimate parties in a network.
Man-in-the-middle: an attacker interposes himself between two parties and pretends to each to be the other.
Interleaving attack: an attacker injects spurious messages into a protocol run to disrupt or subvert it.
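Replay and forced-delay attacks from the list above are usually countered by binding each message to a fresh nonce and a timestamp under a shared-key MAC, then rejecting anything stale or already seen. The following added example (not from the original article) implements that check; the shared secret and messages are constructed sample data.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-shared-secret-for-example-only"  # sample key, not a real one
WINDOW_SECONDS = 300  # maximum accepted clock skew / delivery delay


def sign_message(body: bytes, nonce: str, ts: int, key: bytes = SECRET) -> bytes:
    """HMAC over timestamp, nonce and body so none of them can be altered in isolation."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(str(ts).encode() + b"|" + nonce.encode() + b"|" + body)
    return mac.digest()


class ReplayGuard:
    """Verifier-side state: accepts each (nonce, timestamp) pair at most once within the window."""

    def __init__(self, key: bytes = SECRET, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp of first acceptance

    def verify(self, body: bytes, nonce: str, ts: int, tag: bytes, now: float = None) -> str:
        now = time.time() if now is None else now
        expected = sign_message(body, nonce, ts, self.key)
        # constant-time comparison: authenticity is checked before anything else
        if not hmac.compare_digest(expected, tag):
            return "bad_signature"
        # a genuine but delayed (or clock-skewed) message outside the window is rejected
        if abs(now - ts) > self.window:
            return "stale"
        # nonces older than the window can never pass the freshness check again, so drop them
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return "replay"  # same nonce presented twice inside the window
        self.seen[nonce] = ts
        return "ok"
```

Note that dropping old nonces is only safe because the freshness check rejects any message whose timestamp lies outside the same window.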
In addition, Password Strength Analysis will guarantee the security of password procedures. It will help you to avoid attacks on private keys aimed at recovering the password. Key Store Analysis will check whether keys are stored in a secure location and protected from brute force. It looks at storage practices for individual wallet keys and considers the media used for key storage.
Decentralized applications (dApps) are applications that work in a peer-to-peer network. The vulnerability analysis of dApps consists of procedures that ensure that the following types of attacks will hardly be successful:
attacks on smart contracts;
web client-side attacks such as cross-site scripting (XSS);
attacks caused by the integration of smart contracts into web 3.0 applications: server misconfiguration.
Smart contract audits, bug bounties, and secure development procedures are the countermeasures to secure your dApps and Apps.
Blockchain technologies definitely have a much higher security potential than centralized systems. Given that a blockchain is maintained by peer-to-peer networks, it can introduce potential solutions to security issues that exist today. In order to achieve success and gain a positive reputation, businesses should order smart contract audits. No smart contract should be launched without an audit, no blockchain should be created without a prior risk assessment and vulnerability analysis, and no dApp should be established without initial penetration testing.
Security in the blockchain industry has gained a lot of attention in the last couple of years. After a series of major crypto hacks, it became evident that blockchain projects around the world find it quite complicated to secure their assets. Many vulnerabilities involve the human factor, so cybersecurity requires a combination of expertise on both the technical and the human level within a network. Thus, we have created a list of the most common and well-known vulnerabilities, in other words, ICO cybersecurity best practices. Getting acquainted with them is now obligatory, as hacks continue to have dire consequences for projects, their stakeholders, and the world’s perception of the industry.
During the process of a blockchain based project development, a code error may occur at any stage. What’s important is to define the layer or layers you concentrate on in order to be prepared to meet the challenges and address them properly.
The toughest challenges you’ll face are hidden in the protocol layer. The immutable nature of blockchain technology makes it extremely hard to fix any possible mistakes; such a task would require software upgrades and soft forks. When it comes to the protocol layer, the earlier you identify an error the better. Thorough testing is extremely important during the Testnet phase. Among the most widely known pieces of software operating at the protocol layer are Parity, Geth, Bitcoin Core, Ethereum JS, Daedalus (Cardano) and others.
The application layer is where smart contracts are built on top of the protocol layer. This is where numerous potential bugs can occur even if the programmer has enough experience in the field. The layer, as a rule, involves relatively short code but requires solid security because some applications process large amounts of money. A small error can potentially cost a fortune.
The situation can be avoided by hiring highly professional and detail-oriented programmers specializing in the programming language for smart contracts and understanding the Solidity principles. The most famous hacking incidents related to the application layer are The DAO Fork and Parity Multisig wallet.
This is not strictly a layer of its own; however, blockchain-based projects are extremely dependent on both the websites connecting to your blockchain and centralized web applications. This is a significant reason to be well informed about the security vulnerabilities that can lead to attacks. Therefore, engaging security analysts and engineers specializing in blockchain is a necessity. Services of this kind include Infura and MyEtherWallet.
The main peripheral infrastructure used for browsing the Internet (web browsers, DNS resolvers, extensions, apps, and others) is also used by all blockchain projects. Despite the fact that these components are not connected to the blockchain or the application directly, they are exposed to traditional attacks and can thus jeopardize your entire project.
It’s common for teams to concentrate on the highest security level of the blockchain project while neglecting the safety of the website or chat apps. There were cases when hackers switched ICO sites to different domains and received significant amounts of money as well as lots of sensitive data by tricking users. Furthermore, some cybercriminals obtained access to ICO websites and switched smart contract addresses to theirs.
It’s not uncommon to leave the security question of blockchain projects for later. This especially concerns the ones that are in the process of launching an ICO. Maybe they wait until the funds come in or intend to pay with token sale proceeds before investing in security. However, such an approach can cause breaches of security and loss of funds. Therefore, utilizing the best security measures is very important.
The success of a company depends significantly on this aspect. The absence of a professional team with the proper set of skills is the only reason for the occurrence of security vulnerabilities. It means that not only the engineers are responsible for code security, but also the management that allocates large budgets to advertisements and marketing campaigns instead of investing in the proper security of the project.
Of course, the blockchain technology is new but it doesn’t mean that you should avoid using the tools that have already been tested and reviewed by the professionals and open communities. This allows reducing the number of potential vulnerabilities.
For example, the most common tools for Ethereum include Truffle and OpenZeppelin.
Disclaimer: although reusing code is a great way to reduce potential vulnerabilities, performing your own review is necessary in order to ensure the final product’s quality and safety.
Making the code public can be both beneficial and potentially dangerous. Although the project is exposed to risk, you can get it reviewed by numerous crypto industry experts which is a great way to ensure the higher security level. This is why it’s wise to invest in the bug bounty program according to the industry standards.
According to statistics, there are between 15 and 50 bugs per 1000 lines of code (LOC). Of course, measures such as audits, testing, and public review reduce these numbers; however, they won’t solve all the issues. In order to decrease the number of potential bugs per LOC, it’s recommended to plan for secure development in advance.
It’s extremely important to convey the importance of security to your vendors, contractors, and employees. Set security standards and educate them on safety measures such as password managers, multi-factor authentication, regular password changes, etc. Being on the same page with stakeholders and providing regular training on security measures will reduce the possible risks.