On March 13th, 2018, the cryptocurrency Verge had its Twitter account hacked after the lead developer was compromised. Verge is known for being privacy-focused, and the attacker used the official account to post fake promotions asking followers to “donate” Verge’s currency, XVG, to the attacker’s wallet. It appears the attacker was able to obtain the developer account owner’s password and then exploit the phone carrier’s customer support service to bypass two-factor authentication (2FA). After the attack, the developer was doxxed and XVG dropped by over 5%. This comes on the heels of Twitter’s announcement, only a few days earlier, that it would tackle crypto scams. Cryptocurrency scams on social media are nothing new, and this account takeover is the latest in a string of social media-based cryptocurrency attacks.
Users are notorious for setting identical or highly similar passwords across different digital channels, and attackers use a password leaked from one service to pivot into the victim’s other social, email, retail or banking accounts, compounding the initial damage. This type of attack is referred to as credential stuffing, and these incidents tend to spike in frequency following large-scale breaches like the one affecting Yahoo. Many high-profile social and digital accounts have been compromised through credential stuffing in the past few months, including HBO, Game of Thrones, and the cryptocurrency investment platform Enigma.
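Credential stuffing looks different from a password-guessing attack in authentication logs: one source tries many different usernames, usually once each, because it already has a candidate password for every account. The following is an added example, not code from the original post or from ZeroFox, of a detection rule that flags that pattern while leaving a single user who mistypes their own password alone. The log format (timestamp, source IP, username, result), the sample lines, the IP addresses and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Columns:
# ISO-8601 UTC timestamp, source IP, username attempted, result (OK/FAIL).
# 203.0.113.7 tries eleven different accounts in eight seconds (stuffing),
# 198.51.100.4 is one user fumbling their own password and then succeeding.
SAMPLE_LOG = """\
2018-03-13T10:00:01Z 203.0.113.7 alice FAIL
2018-03-13T10:00:02Z 203.0.113.7 bob FAIL
2018-03-13T10:00:02Z 203.0.113.7 carol FAIL
2018-03-13T10:00:03Z 203.0.113.7 dave FAIL
2018-03-13T10:00:03Z 203.0.113.7 erin FAIL
2018-03-13T10:00:04Z 203.0.113.7 frank FAIL
2018-03-13T10:00:05Z 203.0.113.7 grace FAIL
2018-03-13T10:00:06Z 203.0.113.7 heidi FAIL
2018-03-13T10:00:07Z 203.0.113.7 ivan FAIL
2018-03-13T10:00:08Z 203.0.113.7 judy FAIL
2018-03-13T10:00:09Z 203.0.113.7 mallory OK
2018-03-13T10:05:00Z 198.51.100.4 alice FAIL
2018-03-13T10:05:10Z 198.51.100.4 alice FAIL
2018-03-13T10:05:20Z 198.51.100.4 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_distinct_users=10):
    """Return {ip: summary} for sources that attempted logins against at
    least `min_distinct_users` different accounts inside any `window`.

    Many distinct usernames from one source is the stuffing signature;
    many attempts against ONE username is brute force and is not flagged here.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        # Sliding window over this source's events ordered by time.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_distinct_users:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts the attacker actually got into: the ones to lock
                    # and force a password reset on first.
                    "successes": sorted({u for _, u, r in span if r == "OK"}),
                }
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    best = summary
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}: {summary}")
```

The rule keys on distinct usernames per source rather than on failure counts, so a legitimate user retrying their own password never trips it, and the `successes` list is the immediate incident-response output: those accounts were reached with a reused password and need a reset and a 2FA check. Real attackers spread attempts across many IPs, so in production the same logic would typically be keyed on a user-agent or session fingerprint as well as the IP.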
Accounts associated with cryptocurrencies are prime targets for takeovers because they are followed by hundreds of thousands of wallet holders. When an account like Verge is taken over, attackers can use it to spread scams to eager followers and funnel irreversible cryptocurrency transactions directly into their own wallets. These ill-gotten gains are par for the course on social media, which provides access to a key demographic of digitally-connected people who are most interested in getting into the booming crypto game, but who also lack the specialized expertise necessary to distinguish a legitimate from an illegitimate offer.
Moreover, the reputation fallout for cryptocurrencies is particularly high when it comes to social media account takeovers because it demonstrates a perceived lack of security basics. For a business that is fundamentally founded on security and privacy, cryptocurrencies have much to lose in this department. Verge, as a privacy-focused cryptocurrency, is particularly at risk, especially when cryptocurrency valuations are driven largely by speculation.
To help mitigate credential stuffing attacks, ZeroFox usually recommends enabling 2FA on all of your social and digital accounts. However, in this case the attacker intercepted the secondary login codes by performing a phone porting attack: tricking a telecom support representative into surrendering the phone number the victim had associated with their Twitter account. Twitter recently added support for app-based 2FA through third-party apps such as Google Authenticator and Duo Mobile; because the secondary login code is generated on the device rather than sent by text message, it cannot be read from a phone number that has been ported away. Otherwise, we suggest that people use long, high-entropy, non-overlapping and frequently rotated passwords for each of their social media accounts, and we recommend checking whether any personal account has ever been compromised in a large-scale data breach using a service like https://haveibeenpwned.com.
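The reason app-based 2FA survives a phone porting attack is worth seeing in code: the authenticator app holds a shared secret that was provisioned once (usually via a QR code), and every login code is an HMAC of that secret and the current 30-second time step, so nothing ever travels over the phone network. The following is an added example implementing the standard TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) that apps like Google Authenticator use; it is not code from the original post, from ZeroFox or from Twitter. The verification window, the issuer and account names, and the `provisioning_uri` format are assumptions for the example, and the test secret is the one published in the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Secret from the RFC 4226 / RFC 6238 test vectors, used here only so the
# published expected codes can be reproduced. A real enrollment uses new_secret().
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step.

    Both the app and the server compute this independently from the shared
    secret; no code is ever transmitted to the phone, so porting the number
    away yields nothing.
    """
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of clock drift either way.

    Uses a constant-time comparison so the check does not leak how many
    leading digits of the submitted code were correct.
    """
    if at_time is None:
        at_time = int(time.time())
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def new_secret() -> bytes:
    """Fresh 160-bit secret for one enrollment, from the OS CSPRNG."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (the payload of the enrollment QR code) for a TOTP secret.

    The issuer and account names are example values chosen by the caller.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Reproduce the RFC 6238 Appendix B vector: time 59, 8 digits -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    enrolled = new_secret()
    print(provisioning_uri(enrolled, "dev@example.com", "ExampleService"))
    print(verify_totp(enrolled, totp(enrolled)))
```

Two server-side details matter in practice: each accepted code should be recorded and refused if submitted again within its validity window (an observed code is otherwise replayable for up to a minute), and the recovery path for a lost device must not fall back to SMS, or the porting attack simply moves to the reset flow.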
To address exactly these issues, for individuals and businesses alike, ZeroFox offers ZeroFox for Everyone, which protects users from takeovers and scams, notifies users when their credentials are compromised, and informs users of security updates and trending attacks. Contact sales or visit our website for more information.