Hack #1 – Check out this link!
| – Malware can easily be installed on a computer or smartphone by using a link in e-mails, banners or text messages without its victim noticing it. |
– This gives the attacker total control over the rights of the computer or smartphone.
– If your private keys are stored online or on your smartphone, it means your crypto funds are at the whims of what the attacker chooses to do with them.
– Hardware wallets totally mitigate these risks: they protect the seed from software and physical attacks. A malware installed on a smartphone cannot retrieve the seed stored by a hardware wallet.
While physical tampering of a smartphone requires an additional layer of complexity (i.e., physical theft), malware is the more appealing option to a hacker. In many cases, malware is more intimidating than that annoying software that slows down your web browser. The attacker exploits vulnerabilities in the operating system to install a malware.
What is malware?
Malware is a type of software program that is concealed by seemingly innocuous links in emails, banner ads, and text messages. One way for an attacker to install malware is to use social engineering techniques: the victim is tricked into installing a malicious piece of software on her computer (i.e. she clicks on a link and accept to install something). Another way is for the attacker to exploit the vulnerabilities in a software, such as a web browser, used by the victim: this will allow the attacker to install malware without the consent of the victim.
The attacker can wield such vulnerabilities to give them total control over the rights of the smartphone or computer, accessing the library of sensitive data in the process. The malicious actor can also reset accounts (e.g., Google Office Suite) using control of the computer. User crypto funds are, as a result, at the whims of what the attacker chooses to do with them if passwords and private keys are stored in these online accounts.
While it may give some hope that passwords aren’t always stored, the attacker can reset the password of the application/account (only need email access to validate the new password). Then, to transfer all funds to his own address, the attacker will initiate a send. Validation of the transaction will require a 2FA, sent by SMS. If the hacked device concerns a smartphone, he can access the SMS and transfer all cryptocurrencies to his accounts.
Different forms of malware
Numerous forms of these types of malware are continually lurking as successful crimes until their eventual discovery — such as recently with the fake crypto trading software UnionCryptoTrader.dmg caught infecting Mac OS machines.
The daunting part of these attacks, and why they are so difficult to detect, is that they operate silently in the background of the computer or smartphone. Users very rarely know something is wrong until their funds are missing. For example, in the case of the UnionCryptoTrader.dmg vulnerability, the malware was “fileless.” It embedded itself in the memory of a device — never interacting with files or drives. This enables the malware to evade many software applications designed explicitly to detect malware via interaction with drivers or files.
The combination of socially engineering employees of crypto exchanges with embedded malware into email links (called phishing attacks) is also a potential vulnerability of some cryptocurrency exchanges.
Notably, some exchanges have thwarted attempted hacks that deployed such a method earlier this year where hackers attempted to gain access to employee emails and passwords via phishing malware. Still, the high-profile string of successful crypto exchange hacks exposes how not all exchanges have been so deft in their cybersecurity practices.
Just because phishing malware attacks may not be prevalent among exchange hacks doesn’t mean they should be overlooked from a risk perspective. Threats toward crypto exchanges and users will likely become more sophisticated as security measures adapt to multi-pronged approaches.
Hybrid attacks need concurrent responses to multiple security holes, including trust in a third-party. For users, it is never guaranteed that assets stored on an exchange are safe, and so you should take necessary precautions to avoid doing so.
That’s where hardware wallets come to the rescue: Don’t trust, verify.
Hardware wallets mitigate the risks
Hardware wallets alleviate these types of malware attacks by interposing an additional barrier to the release of crypto funds from your wallet. User assets cannot be sent from a Ledger device unless the user physically connects the device to the computer and verifies the transaction on both the computer and the device. If malware is controlling your device, it cannot control your Ledger wallet, even when it is plugged into the computer.
Hardware wallets protect the seed from software and physical attacks. A malware installed on a smartphone cannot retrieve the seed stored by a hardware wallet.
Important to remember: if the addresses on the computer/phone and the hardware device do not match, you may be experiencing a hacking attempt. Your hardware wallet is showing you the true details of the transaction you are about to send. The physical hardware device is significantly more difficult to compromise than your computer that is vulnerable to the caprices of the public Internet.
Combined with 2-FA and multi-signature protocols by exchanges, “cold storage” that uses hardware wallets is the most popular storage method for the vast quantity of exchange and custodial reserves for a reason. It should be a prudent investor’s choice, as well.
Hardware devices are guardians against both physical and digital tampering — other storage options do not provide such security measures.