
What is Cryptocurrency Security: 5 Steps to Safely Invest in Cryptocurrency

Technology has changed the way people work, communicate, shop and even pay for goods. Companies and consumers don’t always prefer cash anymore, and this behavior is giving way to contactless payments. With the quick wave of a smartphone, consumers can pay for items at digital registers. Now, a new payment system is emerging: cryptocurrency.

Probably everyone has heard of Bitcoin by now. It was the first cryptocurrency to go mainstream, but others are growing in popularity. There are more than 2,000 different types of cryptocurrencies, and more are developed every day.

Research suggests most people have heard of cryptocurrency but don’t fully understand what it is. So, what is it, is it secure and how do you invest in it? To help, we’ll answer those questions. Think of this as Cryptocurrency Investing 101.

What Is Cryptocurrency?

Cryptocurrency is a digital payment system that doesn’t rely on banks to verify transactions. It’s a peer-to-peer system that can enable anyone anywhere to send and receive payments. Instead of being physical money that is carried around and exchanged in the real world, cryptocurrency payments exist purely as digital entries to an online database that describe specific transactions. When you transfer cryptocurrency funds, the transactions are recorded in a public ledger. You store your cryptocurrency in a digital wallet.

Cryptocurrency got its name because it uses encryption to verify transactions. This means advanced coding is involved in storing and transmitting cryptocurrency data between wallets and to public ledgers. The aim of the encryption is to provide security and safety.

How Secure Is Cryptocurrency?

Cryptocurrencies are usually built using blockchain technology. Blockchain describes the way transactions are recorded into “blocks” and time stamped. It’s a fairly complex, technical process, but the result is a digital ledger of cryptocurrency transactions that’s hard for hackers to tamper with.

In addition, transactions require a two-factor authentication process. For instance, you might be asked to enter a username and password to start a transaction. Then, you might have to enter an authentication code that’s sent via text to your personal cell phone.

While security measures are in place, that doesn’t mean cryptocurrencies are un-hackable. In fact, several high-dollar hacks have cost cryptocurrency startups heavily.

Tips to Invest in Cryptocurrency Safely

Investments are always risky, but some experts say cryptocurrency is one of the riskier investment choices out there, according to Consumer Reports. However, digital currencies are also some of the hottest commodities. If you’re planning to invest in cryptocurrencies, these tips can help you make educated choices.

Research Exchanges

Before you invest one dollar, learn about cryptocurrency exchanges. These platforms provide the means to buy and sell digital currencies, but there are thousands of exchanges to choose from. Do your research, read reviews and talk with more experienced investors before moving forward.

Know How to Store Your Digital Currency

If you buy cryptocurrency, you have to store it. You can store it on an exchange or in a digital “offline wallet” from a reputable brand such as Ledger or Trezor, like those we provide on this site. While there are many different kinds of wallets, each has its own benefits, technical requirements and security. As with exchanges, you should investigate your storage choices before investing.

Diversify Your Investments

Diversification is a key to any good investment strategy, and it holds true when you’re investing in cryptocurrency too. Don’t put all of your money in Bitcoin, for example, just because that’s the name you know. There are thousands of options, and it’s best to spread your investment around to several currencies.

Prepare for Volatility

The cryptocurrency market is a volatile one, so be prepared for ups and downs. You’ll see dramatic swings in prices. If your investment portfolio or mental wellbeing can’t handle that, cryptocurrency might not be a wise choice for you.

Cryptocurrency is all the rage right now, but remember, it’s still in its infancy. Investing in something that’s new comes with challenges, so be prepared. If you plan to participate, do your research and invest conservatively to start.


Beware phishing scam that targets wallet users

Customers of Ledger, the hardware cryptocurrency wallet, are being targeted by a phishing attack posing as an email from Ledger support. Even we at Bitstore Malaysia are getting these attempts on a daily basis.

The fake email ostensibly informs users that their Ledger assets may be compromised, or carries “Your Hardware Wallet has been disabled” as its subject line. It states, “We’re sorry to inform you that due to the new KYC (Know Your Customer) regulations, you’re required verify your identity:.” This claim is false; while the email looks professional, it is a phishing attempt to steal customers’ data.

According to analysis from our threat intelligence team, the email contains either a link to a cloud document that asks users to enter their recovery phrase, or a link to download a fake Ledger Live application.

Security best practices

  • Reminder: Anyone with access to your 24-word recovery phrase can take your assets.
  • Never enter your 24-word recovery phrase anywhere else than on your Ledger device.
  • Ledger will never ask you for your 24-word recovery phrase.
  • Only use the official contact form at ledger.com/support.

The email is so convincing that even wary users might be fooled. Ledger confirmed that, for the last week, a phishing attack has been targeting Ledger cryptocurrency wallet customers. 

Ledger phishing email

In a statement, a Ledger spokesperson said an internal task force has been deployed to investigate the latest phishing attack. 

“The investigation is ongoing and at this time we cannot give any additional information but one thing is for certain: Ledger will never ask you for your 24-word recovery phrase, which is a blatant sign of a phishing scam,” said the spokesperson. “Ledger encourages customers to exercise caution as phishing attacks become more sophisticated and to alert Ledger’s customer support team and consult Ledger.com for more information on the detection of scams.”

Phishing attacks are common and attackers are increasingly sophisticated, creating emails that resemble official company correspondence. They rely on a person making a mistake and clicking on a link that could compromise his or her security. 

Pro tip: Bookmark verified sites where you normally would input sensitive information and only access them through that bookmarked link.
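One way to apply the "official site only" advice to a suspicious message, as an added example that is not code from Ledger or from this site: it extracts every link from an email body and reports the host a browser would actually connect to. The allowlist containing only ledger.com, the sample email and all `.example` hosts are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: ledger.com is the only official domain (from the advice above).
OFFICIAL_DOMAINS = {"ledger.com"}

# Constructed sample email body; every non-Ledger host uses the reserved .example TLD.
SAMPLE_EMAIL = """\
Your Hardware Wallet has been disabled. Verify your identity:
https://ledger.com.kyc-verify.example/identity
Download the update: https://ledger.com@files.example/LedgerLive.exe
Mirror: https://xn--ldger-bsa.example/support
Status page: http://support.ledger.com/status
Official contact form: https://www.ledger.com/support
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def classify_link(url):
    """Return (host, reasons); an empty reasons list means nothing was flagged."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return "", ["URL could not be parsed"]
    reasons = []
    # A host is official only if it IS the domain or ends with ".<domain>";
    # "ledger.com" appearing somewhere inside the host name is not enough.
    official = any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)
    if not official:
        reasons.append("host is not an official domain")
    if has_userinfo:
        reasons.append("text before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        reasons.append("internationalised label, possible lookalike")
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    return host, reasons


def suspicious_links(body):
    """List (url, real_host, reasons) for every link that raised a flag."""
    findings = []
    for url in URL_RE.findall(body):
        host, reasons = classify_link(url)
        if reasons:
            findings.append((url, host, reasons))
    return findings


if __name__ == "__main__":
    for url, host, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{url}\n  real host: {host or '?'}\n  flags: {'; '.join(reasons)}")
```

A link that passes this check only points at the right domain; it says nothing about whether the message itself is genuine, so the recovery phrase rule above still applies.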


Beware Malicious Google Chrome Extensions That Hijack Cryptocurrency Wallets

Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the wallets of their digital currencies.

The 49 browser add-ons, which include fake Ledger wallet extensions and are potentially the work of Russia-based cybercriminals, were identified by researchers from MyCrypto and PhishFort.

“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files,” explained Harry Denley, director of security at MyCrypto. “Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.” Additionally, all of the extensions have the same functionality, but their branding changes based on who they are targeting.

Moreover, an analysis suggests Ledger is the most targeted brand — without speculating, it’s hard to say why.

  • Ledger — 57% of malicious browser extensions in dataset
  • MyEtherWallet — 22% of malicious browser extensions in dataset
  • Trezor — 8% of malicious browser extensions in dataset
  • Electrum — 4% of malicious browser extensions in dataset
  • KeepKey — 4% of malicious browser extensions in dataset
  • Jaxx — 2% of malicious browser extensions in dataset

For instance, MEW CX, the malicious add-on targeting MyEtherWallet, was found capturing the seed phrases and transmitting them to an attacker-controlled server with an intention to drain the victim’s wallet of digital funds.

Some of the extensions, Denley said, came with fake five-star reviews, thus increasing the chances that an unsuspecting user might download it.

Data stealing extensions have been a regular occurrence on the Chrome Web Store, leading Google to purge them as soon as they’re discovered. Back in February, the company removed 500 malicious extensions after they were caught serving adware and sending users’ browsing activity to C2 servers under the control of attackers.

If you suspect you have become a victim of a malicious browser extension and lost funds, it’s recommended you file a report at CryptoScamDB.

Ledger users, please bear in mind that you should only download the Ledger Live application from the official Ledger site.


Bitcoin Ransomware Surge in 2019


A decade ago, if a desktop computer got infected with malware, the main symptom was probably an intrusive browser toolbar of some kind. These days, if your mobile or desktop computer is infected, what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files.

What is ransomware?

Ransomware — malicious software that encrypts the victim’s files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.

The role of bitcoin

Since 2013, when Bitcoin first entered the mainstream, it has been used as a payment option for ransomware. While Bitcoin has proven popular for this purpose, the unique properties of the cryptocurrency cut both ways — creating a double-edged sword for attackers.

Irreversible transactions are useful for cybercriminals as they can avoid chargebacks after they have delivered the decryption key. Or they can simply keep demanding more funds without ever delivering. For the attackers, it’s this quality that makes Bitcoin an attractive ransomware payment method. Bitcoin payments cannot be reversed or stopped, unlike wire transfers, prepaid cards, or SMS payments, which in some cases promise higher levels of anonymity.

Attack on the rise

Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city’s power company was attacked by a ransomware virus. City Power, the company responsible for powering South Africa’s financial capital Johannesburg, confirmed Thursday on Twitter that it had been hit by a ransomware virus that had encrypted all of its databases, applications, and network. The attack prevented prepaid customers from buying electricity units, uploading invoices when making payments, or accessing City Power’s official website, eventually leaving them without power.

According to the SonicWall cyber threat report, global malware volume has slowed compared to 2018, and it is being replaced by ransomware attacks, which are now at an all-time high. In 2018, SonicWall logged more than 2.8 million ransomware malware attacks, which was already a 27% jump over the previous year. So far in 2019, that threat is only accelerating. Through the first six months of 2019, SonicWall has registered 2.4 million ransomware attacks, almost eclipsing the 2018 full-year total in half the time. This marks a 76% year-to-date increase.

How to protect yourself?

Regularly back up your data, and make sure the backups are not connected to the computers and networks they are backing up. Most ransomware variants can encrypt files on any attached drives or network files that are also accessible to the host machine (including cloud hosting and cloud-based backups if those passwords are stored on the machine).

Many companies are now selling products that claim to block ransomware attacks. Those claims are beyond the scope of this article, but don’t be lulled into thinking these products will always protect you.

Even products that could somehow block all ransomware attacks can’t prevent the biggest reason that ransomware attacks succeed: They trick victims into taking an action that inadvertently undermines the security of their device — be it a smart phone, tablet or desktop computer.

This usually involves clicking a link or downloading and opening a file that arrives in an email or instant message. In either case, it is an action that opens the door to the attacker to download and install malware.

With global ransomware projected to generate global revenues of at least a billion dollars this year, ransomware authors are going to keep targeting businesses for the foreseeable future. It is therefore imperative for businesses and end users to implement available safeguards, create regular data backups and educate employees on how best to avoid triggering a ransomware infection.


What is 2FA?

Two-factor authentication is used globally, in many different industries, and by many different brands. You don’t always realize it, but every time you complete simple actions like entering your PIN number when using your debit card, you’re using 2FA. Every time you’re asked for ID at a bank, you’re using another form of 2FA.

According to Verizon, 80% of cyber breaches could be prevented by 2FA, and this could be something as simple as a transaction requiring an SMS confirmation. It’s much less likely that someone will be able to get a hold of your password and your phone!

Recently Google also reported that 100% of automated bots, 99% of phishing attacks and 66% of targeted attacks were blocked by 2FA.

There are three main types of authentication:

  • What you know – a password, a PIN or an answer to a security question.
  • What you have – a phone, credit card or fob.
  • What you are – a biometric such as a fingerprint, retina, face or voice.

They can all be mixed and matched to be used together in whichever way suits your company’s purpose. In this article, we’ll take you through everything you need to know about 2FA so it can become an integral part of everyday life that protects you or your customers.

Your customers’ security should be one of your highest priorities. If they experience a security breach it could be completely life-changing for them – that’s why it’s so important to protect your client’s accounts.

2FA provides an extra layer of security and makes it harder for attackers to access their accounts. Simply adding a layer of 2FA to logins and transaction processes can alleviate risk.

THE BENEFITS

1. Better security

2FA decreases the chances of an attacker being able to impersonate somebody on their account and gain access to sensitive resources. Even if they have the password, they’ll need something else too!

2. Increased productivity and flexibility

Companies that embrace new technology are likely to experience better productivity and flexibility. Customers are able to sign up for services quicker and more securely than before, and can be given the choice of how they’d like to verify their identity.

In businesses, 2FA is used so employees can securely access corporate applications, data, documents, and back-office systems from virtually any location without putting company data at risk.

3. Lower security management costs

Implementing 2FA can help reduce the lengthy and costly password reset calls, and can act as a secure way for customers to sort these issues out themselves.

Reducing customer interactions with call centers not only strengthens security but also improves UX. Then, as a massive bonus, operational overheads that are associated with security controls are reduced.

4. Reduced fraud

It’s not easy for a hacker to bypass 2FA, making it an effective security tool against fraud. Potential threats would have to know lots of information to gain access and duplicate information, not just one password.

KEEPS HACKERS AWAY

Turning on two-factor authentication is an easy way to stay protected. It quite literally places the security of customer accounts in their own hands.

Even the simplest form of 2FA puts a practically impenetrable wall between hackers and your customers’ personal information.

A YubiKey 2FA device can be used to protect a wide range of applications

Taking these steps to protect your customers’ accounts will offer them the highest level of security and the best UX, creating happy and secure customers all around.


$40 Million Binance BTC Hack Highlights Risk of Exchange Wallets

Binance, one of the world’s largest crypto exchanges, suffered a large-scale security breach late today, according to a statement from their official blog. Hackers managed to obtain API keys, two-factor-authentication codes and other information. In addition, 7,000 Bitcoin ($40 million) were withdrawn in a single transaction.

The hackers obtained 2FA codes, API keys, and potentially other info. Binance wrote in a statement that they were aware the hackers involved “used a variety of techniques, including phishing, viruses and other attacks,” though the company was “still concluding all possible methods used” and there may be “additional affected accounts that have not been identified yet.”

We urge users to change their passwords and to revoke their API keys, including 2FA keys, to avoid future attacks on their accounts.

According to the post, the hackers used phishing, viruses, and various other forms of attacks that the company is still exploring. Thus far, the movements have been limited to one wallet. That’s to say, the thieves pulled off the 7000 BTC hack in just one transaction.

The exchange insists that the hack only affected its hot wallet account. This holds around two percent of all of Binance’s bitcoin. They go on to say that:

The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks…. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.

Changpeng Zhao (CZ)
Binance CEO

The company will now conduct a full security audit in order to find out what went wrong as quickly as possible. While Binance users will be able to continue trading, in order to adjust their positions if needed, all deposits and withdrawals will be suspended during this time. Sorry, folks, you ain’t getting any money in or out of Binance for at least a week.

Fortunately, because Binance is one of the world’s largest and most profitable cryptocurrency exchanges, users whose funds were involved in the hack need not worry. All the costs will be covered by Binance’s Secure Asset Fund for Users (SAFU Fund).

How is it possible that the best-known cryptocurrency exchange globally with some of the top talent in the world could be hacked? This latest breach serves to highlight that no exchange is exempt from hacking. Users need to wake up and take the time to store their private keys correctly in cold wallets. Maybe now that powerhouse Binance has become the latest target of a 7000 BTC hack, users will finally wake up. Get a cold storage wallet for your private keys!


Nasty Electrum Botnet Steals Bitcoin Over $4.6 Million

An ongoing attack campaign against the Electrum Bitcoin wallet infrastructure shows no sign of stopping. The actor behind it keeps sharpening their tactics, and the campaign has now amassed almost 150,000 infected users, raising the amount of stolen user funds to USD 4.6 million.

Since at least late December 2018, many users of the popular Electrum Bitcoin wallet have fallen victim to a series of phishing attacks by a team of cybercriminals who exploit a vulnerability in Electrum wallets to trick unsuspecting users into downloading backdoored versions of the software.

Electrum fake notification injects into legitimate wallet app

In brief, the attackers added some malicious servers to the Electrum peer network which were designed to purposely display an error to legitimate Electrum wallet apps, urging them to download a malicious wallet software update from an unofficial GitHub repository.

The result of the attack eventually netted attackers well over 771 Bitcoins – an amount equivalent to approximately $4 million USD at current exchange rates. To protect Electrum users, the developers behind Electrum decided to exploit the same flaw in their own software in order to redirect users to download the latest patched version.


Electrum servers are currently under a DoS attack. We are working on a more robust version of the electrum server. In the meantime, affected users should disable auto-connect, and select their server manually.

Electrum Developers Tweets

Shortly after, a botnet launched distributed denial of service (DDoS) attacks against legitimate Electrum servers for what is believed to be retaliation against developers for trying to fix the bug. Attackers reversed the scenario so that legitimate nodes became so overwhelmed that older clients had to connect to malicious nodes.

According to Malwarebytes Labs, the number of infected machines that downloaded the malicious client software and are unwillingly participating in the DDoS attacks has reached 152,000, up from fewer than 100,000 last week.


We have been able to correlate two distribution campaigns (RIG exploit kit and Smoke Loader) that are fueling this botnet by dropping malware we detect as ElectrumDoSMiner. Now, we have just identified a previously undocumented loader we call Trojan.BeamWinHTTP that is also involved in downloading ElectrumDoSMiner (transactionservices.exe).

Malwarebytes Research Labs concludes that the attacker is dropping more malware to expand their attacks.

According to the researchers, the largest concentration of the Electrum DDoS bots is reportedly located in the Asia Pacific region (APAC), Brazil and Peru, with the botnet continually growing.


World map showing presence of bots part of the Electrum DDoS botnet

Since the updated versions of Electrum are no longer vulnerable to the phishing attacks, users are advised to update their wallet apps to the latest version (3.3.4) by downloading it from the official electrum.org site.

Electrum wallet users can also configure a Ledger or Trezor hardware wallet as a multisig device when operating Electrum. This adds another layer of security to your transactions.


Trezor Multisig w/ Electrum


Cryptocurrency users being targeted by APT Hacking Group

For anyone who follows cyber threat intelligence, it is well known that the infamous APT hacking group targets financial entities such as banks and other financial institutions as its main source of income. Alongside goals like cyber espionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe.

What does APT stand for?

An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. The intention of an APT attack is usually to monitor network activity and steal data rather than to cause damage to the network or organization.

The trend has been shifting since last year, as this APT actor is now moving on to cryptocurrency users and businesses, especially targeting the operators of exchanges. Financial gain remains one of the main goals for the APT actor, with its tactics, techniques, and procedures constantly evolving to avoid detection.

According to a Kaspersky report, in a recent campaign against cryptocurrency businesses the APT group is said to have used a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target macOS. Since then the group has been busy expanding its operations for the platform.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS. The fact that the APT group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Infection procedure

This is a reminder for Windows and macOS users to be more cautious and not fall victim to this kind of attack campaign. If your business involves cryptocurrency or revolves around the fintech startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus and to use a trusted hardware wallet such as the Ledger Nano S or Trezor. In the meantime, stay safe!


How to Protect Yourself from Ledger Addresses Man in the Middle Attack

Recently, bitcoin.com published a blog post – Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets. We would like to address some of the claims made in the post which are unfortunately incorrect.

TL;DR: This is not a Ledger security flaw, and Ledger users are not at risk. As a Ledger user, you should verify new receive addresses on the device screen when you want to receive funds. As far as we know, no one has ever lost any coins in this Proof of Concept.

While there are attack vectors that can modify the address displayed on an infected client computer (where you connect and interact with a hardware wallet), this type of vulnerability has been around since the beginning of Bitcoin. In fact, this same class of vulnerability applies to all Bitcoin and other crypto wallets everywhere, whether software or hardware. It is not unique to Ledger devices.

We would like to start off with some quick facts:

  1. Your funds are safe in a hardware wallet. No immediate action is required. This particular risk only applies once you try to send or receive crypto assets to/from the hardware device.
  2. This is not a “bug” in Ledger or any other hardware wallet. In fact, hardware wallets offer the best level of protection against this specific threat. However, some due diligence is still required by the user.
  3. The attack works by modifying the content on your clipboard or changing the displayed receive address in your Ledger Chrome apps. Other versions could potentially affect the Trezor hardware wallet as well.
  4. This vulnerability cannot be easily patched or addressed. It’s better to adopt best practices when handling addresses so that you can ensure you’re not affected.

Steps you can take to prevent attacks by address-changing malware or client software hacks:

When receiving funds using the main Ledger Wallet Chrome app:

Make sure you tap on the monitor icon at the bottom of the address display window. Compare the address shown on the Ledger device itself with that shown on your PC screen.

If they are the same then great! If they are not, then you should try a different computer to see if you get the same result. Make sure you install Ledger apps yourself from the official Ledger website: https://www.ledgerwallet.com

When receiving Ethereum or most other tokens (ERC-20):

It may be better to use the MyEtherWallet (MEW) website instead of the Ledger Ethereum Chrome app for greater functionality. Within the Ethereum app on your Ledger device you will need to enable browser support.

Once you’ve connected the Ledger on MEW, select the address you want to receive into. Make sure you click the “Display address on Ledger” link to confirm it on your Ledger device screen. If you don’t see the same address, use another computer to connect to MEW. Make sure you are on the correct website: https://www.myetherwallet.com/

When receiving other coins using Ledger official app such as Ripple:

Right now these apps do not have the ability to display the receive address on your Ledger device screen. Until they do, you may simply send a small amount of the asset to the receive address. Ideally, check from another computer to see if the same address and test amount appear as well. Although this method is not perfect, if you can see the same address and balance on both client computers then you should be safe. Again, only install apps from the official Ledger website.

Tip: Make sure your apps on the Ledger Nano S or Ledger Blue are updated to the latest version (by using Ledger Manager).

Final Important Tips!

Whether you are sending or receiving funds using ANY wallet, software or hardware, always visually compare the first or last few characters of the address after pasting from your clipboard. Compare the address with your source and make sure they match before proceeding with the transaction.
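The clipboard comparison described above, automated as an added example that is not code from Ledger or from this site: it compares the whole pasted string with the address copied from the source and also checks the Base58Check checksum, which separates a swapped address from a typo. It assumes legacy Bitcoin addresses (version byte 0x00); the sample addresses are constructed from dummy hashes and belong to nobody.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data):
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version, payload):
    """Only used here to build the constructed sample addresses."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * zeros + out


def b58check_valid(addr):
    """True if addr decodes as Base58 and its 4-byte checksum matches."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) >= 5 and _checksum(raw[:-4]) == raw[-4:]


def verify_pasted(expected, pasted):
    """Compare every character of the pasted address with the intended one."""
    expected, pasted = expected.strip(), pasted.strip()
    diff = next((i for i, (a, b) in enumerate(zip(expected, pasted)) if a != b), None)
    if diff is None and len(expected) != len(pasted):
        diff = min(len(expected), len(pasted))
    match = diff is None
    checksum_ok = b58check_valid(pasted)
    if match and checksum_ok:
        verdict = "proceed"
    elif checksum_ok:
        verdict = "stop: a different, well-formed address was pasted"
    else:
        verdict = "stop: pasted text is not a valid address"
    return {"match": match, "checksum_ok": checksum_ok,
            "first_diff": diff, "verdict": verdict}


# Constructed sample data: dummy 20-byte hashes, not real wallets.
EXPECTED = b58check_encode(0x00, bytes(range(1, 21)))      # address you copied
SWAPPED = b58check_encode(0x00, bytes(range(101, 121)))    # address that arrived
TYPO = EXPECTED[:-1] + ("z" if EXPECTED[-1] != "z" else "y")

if __name__ == "__main__":
    for label, pasted in (("same", EXPECTED), ("swapped", SWAPPED), ("typo", TYPO)):
        print(label, verify_pasted(EXPECTED, pasted))
```

A mismatch with a valid checksum means a different, complete address reached the paste target, which is what address-changing malware produces. This check only covers the copy and paste step, so the address shown on the hardware wallet screen remains the reference.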


How to Claim Bitcoin Gold on Ledger Hardware Wallet

Finally, we can claim Bitcoin Gold on our Ledger Nano S and Ledger Blue devices by using the official BTG split tool. You can find the guide below; however, we must remind you that Bitcoin Gold’s block explorer and network are still unstable at the time of this post, so please be cautious.

Step-by-step tutorial to claim your Bitcoin Gold by Ledger

To enable Bitcoin Gold, make sure that you have the latest Ledger Wallet Bitcoin Chrome app installed (v1.9.9, it should upgrade automatically). Then you must install the Bitcoin Gold app through the Ledger Manager.

A more comprehensive guide will be available soon, but to send your BTG to an exchange please follow these steps:

  • Make sure you have Ledger Wallet Bitcoin Chrome app v1.9.9
  • Make sure your Nano S firmware is v1.3.1
  • Install the Bitcoin Gold app on your device through the Ledger Manager
  • Launch the Ledger Wallet Bitcoin Chrome app on your computer
  • Launch the Bitcoin Gold app on your Ledger device
  • Click on “BTG split tool” line on the Chrome app
  • If you wish to access your BTG on your legacy chain, select legacy, otherwise select segwit
  • The app will sync (it may take some time, be patient)
  • You then have access to your BTG
  • You can safely send your BTG to the exchange, there is a native replay protection. Your BTC will stay completely safe during these operations

THE BITCOIN GOLD NETWORK IS NOT YET REALLY STABLE. THEREFORE LEDGER DOESN’T PROVIDE ANY SUPPORT FOR BITCOIN GOLD. USE AT YOUR OWN RISK.

Source: How to use Bitcoin Gold with Ledger – Ledger