Abstract
Social engineering is one of the preferred methods used by criminals to gain unauthorized access to information and information systems. Social engineering especially targets the users of a system, and it is increasingly being applied to cryptocurrency users. The paper looks at five cases of cryptocurrency fraud that left a lasting impression on the cryptocurrency community. The cases are systematically investigated using an ontological model for social engineering attacks. The paper analyses which psychological tricks or compliance principles were used by the social engineers in these cases. By exploiting principles such as “Distraction”, “Authority”, and “Commitment, Reciprocation & Consistency”, the attackers gained access to users’ financial assets stored in cryptocurrencies without undermining the security features of the blockchain itself. One reason for the attackers’ success is a lack of knowledge about risks and security among cryptocurrency users. Efforts to increase the information security awareness of cryptocurrency and blockchain users are recommended to protect them.
Acknowledgments
Andreas E. Schütz and Tobias Fertig were supported by the BayWISS Consortium Digitization.
© 2020 Springer Nature Switzerland AG
Cite this paper
Weber, K., Schütz, A.E., Fertig, T., Müller, N.H. (2020). Exploiting the Human Factor: Social Engineering Attacks on Cryptocurrency Users. In: Zaphiris, P., Ioannou, A. (eds) Learning and Collaboration Technologies. Human and Technology Ecosystems. HCII 2020. Lecture Notes in Computer Science(), vol 12206. Springer, Cham. https://doi.org/10.1007/978-3-030-50506-6_45
DOI: https://doi.org/10.1007/978-3-030-50506-6_45
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50505-9
Online ISBN: 978-3-030-50506-6