Exploiting the Human Factor: Social Engineering Attacks on Cryptocurrency Users

  • Conference paper
Learning and Collaboration Technologies. Human and Technology Ecosystems (HCII 2020)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12206)

Abstract

Social engineering is one of the preferred methods used by criminals to gain unauthorized access to information and information systems. Social engineering targets the users of a system in particular, and it is increasingly being applied to cryptocurrency users. The paper looks at five cases of cryptocurrency fraud that left a lasting impression on the cryptocurrency community. The cases are systematically investigated using an ontological model for social engineering attacks. The paper analyses which psychological tricks or compliance principles the social engineers used in these cases. By exploiting principles such as “Distraction”, “Authority”, and “Commitment, Reciprocation & Consistency”, the attackers gained access to users’ funds stored in cryptocurrencies without undermining the security features of the blockchain itself. One reason for the attackers’ success is a lack of knowledge about risks and security among cryptocurrency users. Efforts to increase the information security awareness of cryptocurrency and blockchain users are recommended to protect them.

Notes

  1. Alarming evidence for the social phenomenon of bystander inaction can be found in [35, p. 128ff].

  2. Cognitive psychology distinguishes two systems for decision making [50]: System 1 uses intuitions and System 2 uses reasoning. Social engineers try to push their victims to rely on System 1.

References

  1. Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley, New York (2002)

  2. Gragg, D.: A multi-level defense against social engineering. SANS Institute (2003)

  3. Scheeres, J.W.: Establishing the Human Firewall: Reducing an Individual’s Vulnerability to Social Engineering Attacks (2008). http://www.dtic.mil/dtic/tr/fulltext/u2/a487118.pdf

  4. Hadnagy, C., Wilson, P.: Social Engineering: The Art of Human Hacking. Wiley, Hoboken (2011)

  5. Schumacher, S.: Die psychologischen Grundlagen des Social-Engineerings. IWP 65, 215 (2014). https://doi.org/10.1515/iwp-2014-0039

  6. Uebelacker, S., Quiel, S.: The social engineering personality framework. In: 2014 Workshop on Socio-Technical Aspects in Security and Trust (STAST), pp. 24–30. IEEE (2014)

  7. Happ, C., Melzer, A., Steffgen, G.: Trick with treat–reciprocity increases the willingness to communicate personal data. Comput. Hum. Behav. 61, 372–377 (2016)

  8. Ferreira, A., Coventry, L., Lenzini, G.: Principles of persuasion in social engineering and their use in phishing. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2015. LNCS, vol. 9190, pp. 36–47. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20376-8_4

  9. Zhao, Y., Duncan, B.: The impact of crypto-currency risks on the use of blockchain for cloud security and privacy. In: 2018 International Conference on High Performance Computing Simulation (HPCS), pp. 677–684 (2018). https://doi.org/10.1109/HPCS.2018.00111

  10. Mouton, F., Leenen, L., Malan, M.M., Venter, H.S.: Towards an ontological model defining the social engineering domain. In: Kimppa, K., Whitehouse, D., Kuusela, T., Phahlamohlaka, J. (eds.) HCC 2014. IAICT, vol. 431, pp. 266–279. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44208-1_22

  11. Condos, J., Sorrell, W.H., Donegan, S.L.: Blockchain Technology: Opportunities and Risks. Vermont State House (2016)

  12. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Bitcoin (2008). https://bitcoin.org/bitcoin.pdf

  13. Rennock, M., Cohn, A., Butcher, J.: Blockchain technology and regulatory investigations. Pract. Law Litigation 2018, 35–44 (2018)

  14. Liu, Y., et al.: An efficient method to enhance Bitcoin wallet security. In: 2017 11th IEEE International Conference on Anti-counterfeiting, Security, and Identification (ASID), pp. 26–29. IEEE, Xiamen (2017). https://doi.org/10.1109/ICASID.2017.8285737

  15. Dai, F., Shi, Y., Meng, N., Wei, L., Ye, Z.: From Bitcoin to cybersecurity: a comparative study of blockchain application and security issues. In: 2017 4th International Conference on Systems and Informatics (ICSAI), pp. 975–979 (2017). https://doi.org/10.1109/ICSAI.2017.8248427

  16. Tosh, D.K., et al.: Security implications of blockchain cloud with analysis of block withholding attack. In: 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID), pp. 458–467 (2017). https://doi.org/10.1109/CCGRID.2017.111

  17. Conti, M., Sandeep Kumar, E., Lal, C., Ruj, S.: A Survey on Security and Privacy Issues of Bitcoin. CoRR. abs/1706.00916 (2017)

  18. Moore, T., Christin, N.: Beware the middleman: empirical analysis of Bitcoin-exchange risk. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 25–33. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_3

  19. Krombholz, K., Judmayer, A., Gusenbauer, M., Weippl, E.: The other side of the coin: user experiences with Bitcoin security and privacy. In: Grossklags, J., Preneel, B. (eds.) Financial Cryptography and Data Security, pp. 555–580. Springer, Heidelberg (2017)

  20. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42, 40–46 (1999). https://doi.org/10.1145/322796.322806

  21. Gonzalez, C., Ben-Asher, N., Oltramari, A., Lebiere, C.: Cognition and technology. In: Kott, A., Wang, C., Erbacher, R.F. (eds.) Cyber Defense and Situational Awareness. AIS, vol. 62, pp. 93–117. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11391-3_6

  22. Solms, R., Warren, M.: Towards the human information security firewall. Int. J. Cyber Warfare Terrorism (IJCWT) 1, 10–17 (2011). https://doi.org/10.4018/ijcwt.2011040102

  23. Ifinedo, P.: Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 31, 83–95 (2012). https://doi.org/10.1016/j.cose.2011.10.007

  24. da Veiga, A.: An information security training and awareness approach (ISTAAP) to instil an information security-positive culture. In: HAISA (2015)

  25. Heartfield, R., Loukas, G.: Detecting semantic social engineering attacks with the weakest link: implementation and empirical evaluation of a human-as-a-security-sensor framework. Comput. Secur. 76, 101–127 (2018)

  26. Ivaturi, K., Janczewski, L.: A taxonomy for social engineering attacks. In: International Conference on Information Resources Management, pp. 1–12. Centre for Information Technology, Organizations, and People (2011)

  27. Tetri, P., Vuorinen, J.: Dissecting social engineering. Behav. Inf. Technol. 32, 1014–1023 (2013)

  28. Tischer, M., et al.: Users really do plug in USB drives they find. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 306–319 (2016). https://doi.org/10.1109/SP.2016.26

  29. Mouton, F., Malan, M.M., Leenen, L., Venter, H.S.: Social engineering attack framework. In: Information Security for South Africa (ISSA 2014), pp. 1–9. IEEE (2014)

  30. Gupta, B.B., Arachchilage, N.A.G., Psannis, K.E.: Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommun. Syst. 67, 247–267 (2018). https://doi.org/10.1007/s11235-017-0334-z

  31. Stavroulakis, P., Stamp, M.: Handbook of Information and Communication Security. Springer, Heidelberg (2010)

  32. van der Merwe, A., Loock, M., Dabrowski, M.: Characteristics and responsibilities involved in a phishing attack. In: Proceedings of the 4th International Symposium on Information and Communication Technologies, pp. 249–254. Trinity College Dublin, Cape Town, South Africa (2005)

  33. Jones, H.S., Towse, J.: Examinations of email fraud susceptibility: perspectives from academic research and industry practice. Psychol. Behav. Examinations Cyber Secur. (2018). https://doi.org/10.4018/978-1-5225-4053-3.ch005

  34. Stajano, F., Wilson, P.: Understanding scam victims: seven principles for systems security. Commun. ACM 54, 70 (2011). https://doi.org/10.1145/1897852.1897872

  35. Cialdini, R.B.: Influence: The Psychology of Persuasion. Collins, New York (2007)

  36. Schaab, P., Beckers, K., Pape, S.: Social engineering defence mechanisms and counteracting training strategies. Inf. Comput. Secur. 25, 206–222 (2017)

  37. Rajivan, P., Gonzalez, C.: Creative persuasion: a study on adversarial behaviors and strategies in phishing attacks. Front. Psychol. 9, 135 (2018)

  38. Jeffs, D.: Scam warning – There is no Red Pulse airdrop. https://neonewstoday.com/general/fake-red-pulse-airdrop/

  39. NEO: NEO White Paper. http://docs.neo.org/en-us/. Accessed 23 Nov 2018

  40. Ha, J., Chao, S.: Red Pulse RPX Whitepaper. https://coin.red-pulse.com/wp-content/uploads/redpulse-whitepaper-en.pdf

  41. Bogart, S.: The Trend That Is Increasing The Urgency Of Owning Bitcoin And Ethereum. https://www.forbes.com/sites/spencerbogart/2017/10/08/the-trend-that-is-increasing-the-urgency-of-owning-bitcoin-and-ethereum/#4ce82dbd116b

  42. O’Connor, J., Maynor, D.: COINHOARDER: Tracking a Ukrainian Bitcoin Phishing Ring DNS Style. http://blog.talosintelligence.com/2018/02/coinhoarder.html#more

  43. Mix: Hackers breached BeeToken’s email list and stole $1M worth of Ethereum. https://thenextweb.com/hardfork/2018/02/01/beetoken-ico-hacked-airbnb/

  44. thebeetoken.com: The Bee Token - The Future of the Decentralized Sharing Economy. https://s3-us-west-2.amazonaws.com/beenest-public/whitepaper/bee_whitepaper_v3.pdf

  45. Morse, J.: Fake Elon Musk successfully scams Twitter users out of cryptocurrency. https://mashable.com/2018/02/21/elon-musk-twitter-ethereum-scam/#jh7uCR66rSqb

  46. Minereum: Minereum: The First Self Mining Smart Contract. http://files.minereum.com/minereumwhitepaper.pdf

  47. Bruno: A Creative New Scam – Honeypot with a Private Key. https://bitfalls.com/2018/04/13/creative-new-scam-honeypot-private-key/

  48. Etherscan: Wallet of False Victim Attack. https://etherscan.io/address/0x3f3eacb691462d3d067f031f88c9a8bc54fabc79

  49. Jin, S.-A.A., Phua, J.: Following celebrities’ tweets about brands: the impact of twitter-based electronic word-of-mouth on consumers’ source credibility perception, buying intention, and social identification with celebrities. J. Advertising 43, 181–195 (2014). https://doi.org/10.1080/00913367.2013.827606

  50. Kahneman, D.: A perspective on judgment and choice: mapping bounded rationality. Am. Psychol. 58, 697–720 (2003)

  51. HSBC: Trust in Technology (2017)

  52. Hänsch, N., Benenson, Z.: Specifying IT security awareness. In: 2014 25th International Workshop on Database and Expert Systems Applications, pp. 326–330 (2014). https://doi.org/10.1109/DEXA.2014.71

  53. Quiel, S.: Social engineering in the context of Cialdini’s psychology of persuasion and personality traits (2013)

  54. Thomson, M.E., von Solms, R.: Information security awareness: educating your users effectively. Inf. Manage. Comput. Secur. 6, 167–173 (1998). https://doi.org/10.1108/09685229810227649

  55. Siponen, M.: Five dimensions of information security awareness. SIGCAS Comput. Soc. 31, 24–29 (2001). https://doi.org/10.1145/503345.503348

  56. Scholl, M.C., Fuhrmann, F., Scholl, L.R.: Scientific knowledge of the human side of information security as a basis for sustainable trainings in organizational practices. In: Proceedings of the 51st Hawaii International Conference on System Sciences, pp. 2235–2244 (2018)

  57. Fishbein, M., Ajzen, I.: Belief, attitude, intention, and behavior: an introduction to theory and research. Addison-Wesley, Reading, Mass (1975)

  58. Montaño, D.E., Kasprzyk, D.: Theory of reasoned action, theory of planned behavior, and the integrated behavior model. In: Glanz, K., Rimer, B.K., Viswanath, K. (eds.) Health Behavior and Health Education. pp. 67–96. APA PsycNet (2008)

  59. Jaeger, L., Ament, C., Eckhardt, A.: The closer you get the more aware you become – a case study about psychological distance to information security incidents. In: 2017 38th International Conference on Information Systems, South Korea. Association for Information Systems (2017)

  60. Bada, M., Sasse, A.M., Nurse, J.R.C.: Cyber Security Awareness Campaigns: why do they fail to change behaviour? Global Cyber Security Capacity Centre: Draft Working Paper, pp. 188–131 (2014)

  61. Schroeder, J.: Advanced Persistent Training: Take Your Security Awareness Program to the Next Level. Apress, New York (2017)

  62. Crossler, R., Bélanger, F.: An extended perspective on individual security behaviors: protection motivation theory and a unified security practices (USP) instrument. SIGMIS Database 45, 51–71 (2014). https://doi.org/10.1145/2691517.2691521

  63. Kuo, T.-T., Kim, H.-E., Ohno-Machado, L.: Blockchain distributed ledger technologies for biomedical and health care applications. J. Am. Med. Inform. Assoc. 24, 1211–1220 (2017). https://doi.org/10.1093/jamia/ocx068

  64. Dagher, G.G., Marella, P.B., Milojkovic, M., Mohler, J.: BroncoVote: Secure Voting System using Ethereum’s blockchain. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy, ICISSP, vol. 1, pp. 96–107. SciTePress (2018). https://doi.org/10.5220/0006609700960107

Acknowledgments

Andreas E. Schütz and Tobias Fertig were supported by the BayWISS Consortium Digitization.

Corresponding author

Correspondence to Andreas E. Schütz.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Weber, K., Schütz, A.E., Fertig, T., Müller, N.H. (2020). Exploiting the Human Factor: Social Engineering Attacks on Cryptocurrency Users. In: Zaphiris, P., Ioannou, A. (eds) Learning and Collaboration Technologies. Human and Technology Ecosystems. HCII 2020. Lecture Notes in Computer Science, vol. 12206. Springer, Cham. https://doi.org/10.1007/978-3-030-50506-6_45

  • DOI: https://doi.org/10.1007/978-3-030-50506-6_45

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-50505-9

  • Online ISBN: 978-3-030-50506-6

  • eBook Packages: Computer Science (R0)
