Stay Safe: How to Spot Advanced Takeovers
Main Takeaways
Educate yourself for protection. As interest in blockchain grows, so does the risk of cyberattacks. Staying informed about attack methods is crucial for protecting your accounts and recognizing danger.
Scammers employ a variety of techniques, including session/cookie attacks, phishing attempts, and 2FA hijacks to access and take over your account.
Among other measures, you can help keep yourself safe by avoiding public Wi-Fi for financial activities, keeping your 2FA devices secure, and always verifying links and outreach from potential scammers.
Account takeovers are an unfortunate aspect of dealing with cryptocurrencies, so taking precautions is key to staying safe.
As interest in the blockchain ecosystem grows, it's inevitable that bad actors look to capitalize on this trend. One of the best ways to keep yourself protected and your account firmly in your hands is to educate yourself on their methods.
Building on our Stay Safe articles, we're peeling back the curtain on these tactics to provide you with the knowledge you need to protect yourself. From phishing tricks to 2FA takeovers, you'll learn what to look out for and how to better equip yourself to prevent, detect, and respond to potential hijacking threats.
In todayâs blog, weâll cover some of the more sophisticated attacks you might not be familiar with. Youâll also learn exactly how you can avoid them with our safety recommendations.
Account Takeover 1: Session/Cookie Hijacking
Any internet user is likely to know that websites use cookies. But do you know why they exist and how they can be used maliciously? First, letâs get back to the basics.
Getting to grips with cookies
Cookies store important information, allowing a server to remember it's you when you access a web page or application. This could save you time logging in, reauthenticating yourself, or keeping your search preferences. This process of remembering who you are is known as a session.Â
Letâs look at an example. Imagine you decide to do some âgooglingâ one evening. Over the space of an hour, you start checking flights, looking up directions, and then researching movie times at the local cinema. During your session, Google will send you cookies that can identify you the next time you access their services. Such cookies consist of small text files that contain unique data that can personalize your experience.
The next time you go back to Google, you may find that it remembers details of your last search. It could also recognize your account details if you had decided to log in during your last Google session.
Cookies are often stored in a userâs browser or device for as little as 24 hours and up to a few months. We may have apps on our phones that, once logged in, don't need us to enter the password every time we open it if we use it regularly. This access could, however, be revoked if the system is able to detect that this app has not been used for a while. The next time the user wants to use the app, they have to log in and start a new session.Â
Cookies can be abused by hijackers
While cookies can be useful, what would happen if someone managed to get hold of them? If an attacker were to gain access to your session cookies, they may be able to access your logged-in accounts. To get your cookies, the attacker typically needs to access your browser or device, but this can be difficult.Â
Instead, a bad actor will use other methods to hijack your cookies:
Session fixation - An attacker sends the victim a pre-fixed session ID attached to a certain website. When a user clicks on it and logs in, the session becomes identical to the session ID prefixed by the attacker. The attacker can now gain access to the victimâs account as they have the same session ID.
Session sniffing - This attack usually happens on unsecured Wi-Fi networks like youâd find in a mall or airport. An attacker plants a session sniffer that steals session information from all traffic on the public network.
Cross-site scripting - An attacker will send a victim a link, tricking them into thinking it's legitimate. On the page, a malicious script may be hidden behind an image. When a user clicks on that link, the page loads, and the script searches for session IDs, which are returned to the bad actor.
Once armed with your session ID, a hijacker opens the page they want to access with your cookies. A request will be sent to the server along with your session ID, and the server will be tricked into thinking it's you and log the attacker in.
Sarahâs cookie-stealing story
To give a bit of context, letâs look at an example of how an attacker can hijack your cookies.
Sarah, a frequent cryptocurrency trader, had just arrived at a coffee shop to catch up on her open positions on Binance during a weekend getaway. Eager to check her investments, she logs into the account using the cafe's public Wi-Fi.Â
Unbeknownst to her, an attacker has decided to exploit the vulnerability of the coffee shopâs public network. Using the session sniffing method outlined above, the attacker intercepts and steals the session cookies that were generated when Sarah logged into her Binance account. Armed with these stolen cookies, the attacker gained unauthorized access to Sarah's account, putting her investments and sensitive information at risk.
So what was the big issue here? Well, Sarah chose to use an unsecured public Wi-Fi network to access her financial accounts. Public Wi-Fi networks are known to lack robust security measures, making them a hotspot for hackers.Â
How to Recognize a Session/Cookie Hijacking Attempt
How might have Sarah been able to recognize sheâd had her cookies stolen? Luckily for the crypto community, there are a few telltale signs that you might be under attack!
A new device has appeared without you logging in
Many services will let you see exactly what devices/IP youâve logged in with and when you logged in. If an attacker has your active session ID with an authenticated login, you may see theyâve accessed your account from an unrecognized location or device.
Two devices are logged in at the same time using different IP addresses
Itâs not uncommon for people to be logged in to a service on two different devices at the same time. However, these devices typically access the site from the same location and IP address. Two devices across two different locations likely suggest two different people are using the account at the same time.
Hereâs an example below of what it would it could look like on Binance:
You can access the [Account Activity Records] page by hovering over the account icon on the main navigation bar and clicking [Security].
Next, scroll down the page to the [Devices and Activities] section and click [More] next to [Account Activity].
How to Avoid Session/Cookie Hijacking Attacks
Avoid using public Wi-Fi or other unknown networks to access your accounts.
Avoid adding risky, untrustworthy plugins to your browser that might pose a risk of âman-in-the-browserâ attacks. These can allow attackers to install malware into your browser and steal important information stored there.
Use antivirus software to protect your devices.
Avoid logging into your account from unknown or other devices.
Account Takeover 2: Compromised Two-Factor Authentication (2FA)
If youâre serious about your security, you should be using 2FA. 2FA requires two types of authentication to verify your identity when logging in to an account. Typically, youâd use a phone, physical authenticator, or perhaps email as your second authentication device.Â
While 2FA is a highly secure method to use, it isn't immune to cyber attacks. At the end of the day, your 2FA-enabled account is only as secure as you keep your 2FA device.
Why attackers will want to compromise your 2FA
After compromising a 2FA device, an attacker has a few options to choose from:
Freely access any of your serviceâs features and products. For example, they could make a withdrawal request using a 2FA verification code.
Lock out the account's owner. An attacker can delete your previously authorized devices and add their device as 2FA. This will likely give them access to your account for longer and make it more difficult for you to retrieve it.
Regain access to the account. Even if you change your password, the attacker may be able to reset it using your compromised 2FA device.
Markâs 2FA troubles
With all the information laid out, letâs put it together in a use case. Mark is a diligent investor whoâs proud of the layers of security he set up for his online banking account. After reading about 2FA online, Mark added his smartphone as an authenticator for his online banking app.
After downloading a few apps on his phone in preparation for a long trip, Markâs sense of security was soon shattered. At the end of his journey, Mark finds his bank account drained. In a calculated attack, a hacker had gained access to Mark's 2FA device and log-in information by infecting his phone with malware. With control over the device, the attacker bypassed the 2FA process and swiftly transferred funds out of Mark's account.
Mark's security breach was partly the result of his own oversight. He had inadvertently installed a malicious app on his smartphone while downloading software from an unofficial app store.Â
This malicious app managed to exploit vulnerabilities in Mark's device's operating system, gaining access to the phone's functions and data. Because Mark's banking app was linked to his smartphone for 2FA, the hacker had full control over his 2FA device, allowing them to bypass this crucial security layer.
How to Avoid 2FA Attacks
Avoid using the same email address for all your 2FA accounts. If your email address is compromised, then all your accounts will be compromised.Â
Creating an email address only for your Binance account to help limit the risk of exposure to the outside world. For example, we often fill up our email address in surveys or many other places, which can pose a risk of exposing our email accounts.
Secure your email account with another 2FA device as well, like a phone or other authenticator device.
Set stronger passwords. Avoid using words or names, as these are often found in password leaks. Using alphanumeric passwords with special characters and a mixture of capital letters can increase your accountâs security.
Check your accountâs activity and device management history regularly to detect any abnormalities. Early detection can be helpful in preventing losses.
Account Takeover 3: Phishing Attacks
Phishing is a type of social engineering attack where an attacker attempts to trick users into providing important information. This is typically done by manipulating their emotions or impersonating someone of authority.
Phishing manipulation tactics
Attackers always tend to manipulate a userâs emotions of fear or greed. For example, a bad actor could send a spoofing SMS or email to a user claiming unauthorized withdrawals on their account.
The message will say that if they donât log in to confirm their identity, they will lose these funds. However, by using the link in the email or SMS, the user will actually give their details over to the attacker. The same tactic could be used by claiming the victim has a prize to claim, or that thereâs an investment opportunity that needs to be taken advantage of now.
To claim their prize or invest, the victim is encouraged to connect their wallet to a decentralized application (DApp). The DApp will then drain the wallet.
You can see below an example of a phishing SMS sent to a Binance user. The URL provided looks similar to the real Binance URL but is, in fact, a malicious site. Note that Binance will never send you an SMS containing a URL.
Emmaâs phishing experience
Meet Emma, an enthusiastic Binance user who loves to earn passive income on her BTC holdings. Recently, Emma received an email from Binance's customer support team. The email stated that there was a potential issue with her account and that urgent action was needed to resolve it.Â
In the link was an email to the Binance login page. Emma inputs her credentials and 2FA code too. However, unbeknownst to Emma, an attacker has phished her details, and there was never any issue in the first place. Emma soon finds that someone is trying to withdraw funds from her Binance account.
Emma's downfall was primarily due to her lack of suspicion and haste to address the supposed account issue. The phishing email was designed to evoke a sense of urgency and fear as we previously mentioned, causing Emma to act without thoroughly verifying the legitimacy of the email or the website.Â
She also didn't take the time to cross-check the email sender's address, and the sophisticated design of the fake website made it difficult for her to distinguish it from the real Binance website.
How to Avoid Phishing Account Takeovers
Avoid accessing links sent by others. Always go through the legitimate or the normal way of logging in.
Never click on links that are masked behind URL shorteners.
Add anti phishing codes to your Binance account.
Always use Binance Verify or contact customer support to see if any communication youâve received is legitimate.
No URL can be exactly the same. A phishing URL or fake Binance web will have a similar-looking link, but it cannot be the same as Binanceâs. You can spot these by:
â.somethingâ or â-somethingâ being added to the URL.
A country code being added, such as âbinance-deâ, âbinance-ITâ, or âbinance-PRâ for example.
Keywords being added to the URL, like âaccount compromisedâ, âaccount âblocking, or âaccount managementâ.
The URL having a slight misspelling, but still looking close to the original name, like âBinacneâ.
Vigilance Will Help Keep You Safe
Understanding sophisticated attack methods is paramount in safeguarding your digital assets. Whether it's session/cookie hijacking, a phishing attempt, or a compromised 2FA device, recognizing the tactics employed by malicious actors is your first line of defense.
But itâs not the end of your security journey yet. Make sure to keep up to date with new developments and scams by reading the Binance blog. We regularly update you on the latest tactics used by scammers and best security practices too.Â
So, remain vigilant and always have a healthy dose of skepticism at hand too. Your digital assets depend on it!
Further Reading
Stay Safe: All You Need to Know to Prevent Account Takeover Attacks
Stay Safe: Best Practices for Preventing Account Takeover Attacks
Disclaimer: Digital asset prices are subject to high market risk and price volatility. The value of your investment can go down or up, and you may not get back the amount invested. You are solely responsible for your investment decisions, and Binance is not liable for any losses you may incur. Past performance is not a reliable predictor of future performance. You should only invest in products you are familiar with and where you understand the risks. You should carefully consider your investment experience, financial situation, investment objectives, and risk tolerance and consult an independent financial adviser prior to making any investment. This material should not be construed as financial advice. For more information, see our Terms of Use and Risk Warning.