cool hit counter A look back at the "frightening night of cryptocurrency": How did the phishing incident happen and how should users defend themselves?_Intefrankly

A look back at the "frightening night of cryptocurrency": How did the phishing incident happen and how should users defend themselves?

Zhao Changpeng, founder of

On March 7, the well-known digital currency trading platform Coinan was hacked, and the attack caused the global price of digital coins to plummet.

According to the announcement of CoinExchange, 31 accounts were hacked by phishing, and the hackers used machine pending orders and programmed high-frequency trading after getting hold of users' account privileges, causing huge losses to users.

There's been a lot of news about this over the last few days, but the vast majority of it has been from the event itself, the impact on digital currencies, the impact on trading platforms, etc.

The most critical point no one has mentioned: how exactly did the phishing incident happen and how should we, as regular users of Coin, defend ourselves against such attacks?

A year ago, Chinese-American student reported unicode phishing vulnerability

In the announcement released by the Cryptocurrency Exchange, it was stated that the hackers used "unicode phishing" in this attack. I guess 99% of journalists didn't read it.

2017year4 month14 sun, Students studying mathematics at Johns Hopkins Universityxudongzheng Published a paper, The title is《PhishingwithUnicodeDomains》, In Chinese, it means“ usefulnessunicode Web site phishing”。 A method of fishing is given in the article, Multi-language character mixing to fool the user。

Security experts told Hedges that the browser we use is based on English, including the URL in the beginning is also only able to parse English, the so-called unicode encoding.

In order to allow browsers to support multiple languages, punycode was developed, which allows other languages of the world to be "understood" by browsers, such as Chinese, Russian, and Korean.

For example, to access the Apple website, in the earliest days you had to type in the English; later, Chinese companies such as cnnic and 3721 developed their own plug-ins to allow browsers to support domains such as "" and """. Punycode is the equivalent of a language plugin (coding standard) that is built into the mainstream browsers.

However, usingpuycode There is a problem with coded URLs, For example, the Chinese pinyinü, With the English words ofu, It looks very much like( A head with two points, One doesn't.), But this code will be recognized as two letters。

This brings up an attack: someone has combined similar letters from various languages and passed them off as well-known web sites.

This Cryptocurrency phishing attack is where someone has taken the Cyrillic alphabet, combined it with the English alphabet and posed as the Cryptocurrency URL.

The senior white hat M interviewed by Blackchips said that even security professionals who are not familiar with web security are likely to fall for this kind of phishing.

Zhao Changpeng was alerted half a month ago but didn't do anything about it

A phishing attack is essentially when a user enters his or her account password on a "spoof site".

This counterfeit website, to be targeted to the Cryptocurrency user base, the hacker will use some precision placement techniques, such as search engine ad placement, sending phishing emails to Cryptocurrency users, sending URL links peer-to-peer in telegram groups, etc.

These actions cannot work in the short term, and it is possible to detect and deal with similar incidents early if the exchange invests in security monitoring.

Unfortunately, the Cryptocurrency exchange did not do that.

A WeChat screenshot shows that back on February 20, a phishing warning was issued to Zhao, the founder of the Cryptocurrency exchange, who said the issue had been dealt with. Judging by Coin's follow-up measures, he did not take the warning seriously, or at least did not issue a warning to users who were at risk in an effort to try to recoup their losses.

Mr. M, a white hat, said that mainstream browsers are already able to defend against such unicode phishing. On the PC, simply upgrading your browser to the latest version will take care of a large portion of the threat; on your phone, installing antivirus software will take care of a lot of the problem as well. If it's an Apple phone, install Tencent Mobile Phone Manager, and the iOS system will call its SDK to block phishing URLs as well.

Hedges checked the Cryptocurrency website and as of this writing, there are no security alerts on the front page of the site.

How should ordinary users protect themselves against such phishing attacks?

Hedges reminds the average user that the following steps can be taken to reduce the security risks of digital coin transactions.

1, no matter mobile phone or PC, you must install antivirus software, and to install the package. Simply "antivirus", is not able to solve the problem of phishing such as the Blackchips recommended Kaspersky's antivirus suite (paid version), domestic words, you can try Tencent Security Manager or Flint antivirus software (both free software).

2, the browser must be kept up to date in real time, in fact, uniode phishing past already a year, the mainstream browser should be patched, for close characters differential display. However, there are some shell-swapped browsers in China that have less core upgrades than the original browser, and these may have security issues. For example, 360 browser, Sogou browser, Cheetah browser, all may have such problems.

Hedges recommends installing the online installation of chrome browser. The full version of chrome browser, downloaded from domestic websites, has restricted upgrade capabilities that may lead to compromised security.

3, for ordinary white users, we recommend the use of password manager, the software will automatically identify the URL, in the counterfeit URL will not automatically fill in the password. However, it should be noted that once this type of password manager is compromised, all passwords can be stolen. It's up to the user to weigh the risk and convenience.

4. When downloading exchange software on your mobile phone, don't be afraid to take the trouble and make sure to download it from the official website, not from domestic mobile phone software stores, those software may have counterfeit, skinning and other problems.

Multiple large exchanges still have vulnerabilities

On March 10, a security researcher said in Zhihu that in addition to the theft of user accounts, a flaw in the exchange's wind control logic was key to the success of the attack.

Internet user“ lit. the two sons ride in a boat” Speculate in the article, The Cryptocurrency exchange has not taken a realOTP(One-timePassword) logic (loanword)。

Some Cryptocurrency victims have said on foreign websites that they have turned on the highest level of 2FA certification for Cryptocurrency. By 2FA, it means that when you log into your account, in addition to the account name and password need to be correct, the website will also send you a mobile phone verification SMS, which will be successfully verified before you are allowed to log in, this is called secondary verification in the industry.

The logical flaw in Cryptocurrency is that the mobile verification SMS can be used twice during the 30-second validity period: the user first uses it at Cryptocurrency, and then the hacker uses the SMS to log in again, and the verification code is still valid.

In reality, a real OTP only allows one login, even within the validity period, and as soon as someone has used it once, it is promptly invalidated to prevent hackers and users from logging in offsite at the same time.

According to the test of "Futako Ride", famous exchanges including Firecoin and Bigone still have OTP verification vulnerabilities that can be hacked.

Zhu Ye, a senior security expert at Top Elephant, said that if the preventive measures are proper, when a hacker steals a user's password and tries to log in to the Coinan website or app, he or she can carry out multi-dimensional risk model identification such as device fingerprint, commonly logged-in IP and transaction behavior, and can stop it once abnormalities are found.

And, according to the announcement from Coin Security, the hackers used a mechanized high-frequency trading program to control frequent trading on the stolen accounts. Behavior like this is a breeze to defend against with a security model that has extensive experience in traditional financial security, and there are multiple security strategies that can work.

It's a long road to safety. You should work hard.

In Hedges' view, the need for business security is now unabated, no matter what industry.

In blockchain-related terms, for example, the Cryptocurrency Exchange corresponds to the traditional Shanghai and Shenzhen exchanges and is almost a match for them in terms of revenue levels and business scale. But every year the Shanghai and Shenzhen exchanges invest billions in security, how much has Coin invested and can we say enough attention to security?

Yesterday, Cryptocurrency issued an announcement offering a $250,000 reward for the capture of the hacker.

I'd say, is this showmanship fun? Can you put that $250,000 into security defense?

Once again, if you had been willing to lose face and send out an official security bulletin to warn users about phishing attacks when you received the warning on February 20, would there have been the subsequent 3.7 scare?

A sigh of relief.

The road to safety is long, so all practitioners should work hard.

1、Can Amazons public cloud make the most of its time in China
2、Personal project framework building storage model use
3、Sticky bun phenomenon
4、Golang Learning Notes Control Flow
5、git branch management

    已推荐到看一看 和朋友分享想法
    最多200字,当前共 发送