Criminals using text messages (SMS) to run cryptocurrency scams is nothing new. The latest warning about this type of scam came from none other than Binance CEO Changpeng “CZ” Zhao.
CZ warned about a new scam this Friday (4). The trap, according to him, consists of sending messages with a link that claims to cancel withdrawals on the platform. However, the link is fake and redirects the user to a website controlled by the scammers.
Once the user is on this site, the criminals can steal their Binance account access data. CZ did not explain what data is stolen, but it is possible that scammers are able to access accounts and steal balances.
“There is a massive Phishing scam via SMS with a link to cancel withdrawals. It leads to a phishing website to harvest your credential as in the screenshot below. NEVER click on links from SMS! Always go to Binance.com via a bookmark or type it in,” warned CZ.
Authentication risk
Phishing is the name given to any type of telecommunication fraud that uses social engineering tricks to obtain victims’ private data. In the Binance example, criminals use SMS to impersonate the exchange and try to steal customer data.
SMS is an attractive target because most customers use it for two-factor authentication (2FA), which is an additional layer of security. However, if an attacker gains access to a user's SMS messages, they can bypass 2FA or even use it to access the account without the user knowing.
In September 2021, Binance users had already reported a phishing attempt through SIM swap. With the cloned SIM card, hackers were able to bypass 2FA and make withdrawals from user accounts. The process worked like this:
- the chip (SIM card; in all cases, belonging to the operator Claro) stopped working;
- the chip was cloned;
- the hackers accessed Binance and asked to reset the password;
- with the cloned chip, the hackers were able to receive the code sent by e-mail and to the cell phone;
- the hacker logged into the user's Binance account with the new password and created an API key;
- the hacker waited for the release time and requested the withdrawal, without needing SMS or e-mail confirmation because of the API key.
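The sequence in the list above (a password reset, then a new API key, then a withdrawal authorised by that key) leaves a pattern that can be checked for in account audit events. The following is an added example, not Binance's code: the event names, fields and one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; the event names and fields are hypothetical,
# not any exchange's real audit-log schema.
EVENTS = [
    {"account": "alice", "time": "2021-09-10T08:00:00", "type": "password_reset"},
    {"account": "alice", "time": "2021-09-10T08:07:00", "type": "api_key_created"},
    {"account": "bob",   "time": "2021-09-10T09:00:00", "type": "api_key_created"},
    {"account": "alice", "time": "2021-09-11T08:30:00", "type": "withdrawal", "auth": "api_key"},
    {"account": "bob",   "time": "2021-09-11T10:00:00", "type": "withdrawal", "auth": "api_key"},
    {"account": "carol", "time": "2021-09-01T12:00:00", "type": "password_reset"},
    {"account": "carol", "time": "2021-09-20T12:00:00", "type": "api_key_created"},
]

RESET_TO_KEY_WINDOW = timedelta(hours=1)  # assumed threshold, tune per environment


def find_takeover_chains(events, window=RESET_TO_KEY_WINDOW):
    """Return {account: stage} for accounts matching the chain.

    stage is 'key_after_reset' when an API key appears shortly after a
    password reset, and 'withdrawal_with_suspect_key' once an API-key
    withdrawal follows on the same account.
    """
    last_reset = {}   # account -> time of most recent password reset
    findings = {}     # account -> furthest stage of the chain observed
    # ISO-8601 timestamps of equal precision sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, when = ev["account"], datetime.fromisoformat(ev["time"])
        if ev["type"] == "password_reset":
            last_reset[acct] = when
        elif ev["type"] == "api_key_created":
            reset = last_reset.get(acct)
            if reset is not None and when - reset <= window:
                findings[acct] = "key_after_reset"
        elif ev["type"] == "withdrawal" and ev.get("auth") == "api_key":
            if acct in findings:
                findings[acct] = "withdrawal_with_suspect_key"
    return findings


if __name__ == "__main__":
    for account, stage in find_takeover_chains(EVENTS).items():
        print(f"{account}: {stage}")
```

Flagging at the `key_after_reset` stage matters most, because the release time before the withdrawal is the interval in which the key can still be revoked.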
Binance highlights security measures
In both cases, the responsibility for the attacks did not lie with Binance, as the hackers send the SMS directly to cell phones. Thus, users need to be careful and adopt security measures to avoid this type of scam.
The first one is simple: never click on any link sent by SMS from a suspicious source. The scam starts from the moment the link is opened, so not clicking is the biggest protection against attacks.
“Security is the number one priority at Binance. We’ve invested countless hours and resources to ensure our platform stays secure, including incorporating data analytics and AI technology to help us prevent attacks.”
Second, avoid using SMS or email for 2FA, as these can be hacked. Instead, prefer apps like Authy or Google Authenticator. Another option is to use a physical 2FA key such as KeyID or YubiKey, which are not connected to the internet.