In a recent e-mail broadcast, the administrators of Mt. Gox, the premier Bitcoin exchange that was struck by a hack that nearly devastated the entire market in June, warn of a rising tide of phishing attacks directed at users. As the Bitcoin market gains popularity and maintains real value, scammers who want to take advantage of the inattention and naivety of computer users have been coming out of the woodwork. With Bitcoin trading at nearly $9 per BTC, anyone with a few coins rattling around in their wallet is an enticing target for trickery.
To date, Mt. Gox is still the largest Bitcoin exchange market, representing over 90% of the entire exchange volume for the past month. That popularity makes it a primary target for scammers.
The e-mail warning contains little to no detail on the exact nature of the surge in phishing attacks, except for the usual.
Phishing is a confidence scam that uses deception to pose as an official communication from a well-known organization, often by forging e-mail headers so that a message appears legitimate. It tricks users into either giving up confidential information or visiting a carefully designed look-alike site and entering their username and password (which really sends the login information to the scammers). Many modern browsers such as Firefox and Internet Explorer, and modern e-mail programs like Outlook, attempt to detect phishing by checking URLs against lists of known bad sites and warning users, but ultimately the responsibility for safety rests with the customer.
No established organization will ever ask a user for their username and password. Always double-check the location-bar URL when following links from e-mails (in fact, if possible, don't follow links from official e-mails at all; type the address in directly).
Good news for cryptography and security fans: Mt. Gox is planning to get a VeriSign EV Authentication certificate in the near future to increase security; currently they use a StartCom Class 2 certificate. This gives users another way to check that they are looking at the proper mtgox.com site: click the padlock icon that most browsers show before interacting with the site, and it will list the security certificate information. This is by no means perfect proof, but it should help identify most phishing attempts immediately.
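The location-bar and padlock checks described above can be applied to the links inside a message before anyone clicks them, which is where the deception usually hides. The following is an added example, not code from the original article or from Mt. Gox; the sample e-mail and every host other than mtgox.com are constructed, and the www.mtgox.com host and the lookalike token list are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts a genuine Mt. Gox e-mail may link to. mtgox.com comes from the
# article; the www. variant is an assumption for this example.
EXPECTED_HOSTS = {"mtgox.com", "www.mtgox.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def browser_host(url):
    """Hostname the browser really connects to (what the location bar shows).

    urlsplit() applies the rules that fool a casual reader: in
    'https://mtgox.com@evil.test/' the host is evil.test (mtgox.com is
    userinfo), and 'mtgox.com.evil.test' is just a subdomain of evil.test.
    """
    return (urlsplit(url.strip()).hostname or "").lower()

def check_anchor(href, visible_text):
    """Classify one link as 'ok' or a short reason it deserves suspicion."""
    host = browser_host(href)
    scheme = urlsplit(href.strip()).scheme.lower()
    shown = re.sub(r"<[^>]+>", "", visible_text).lower()
    if host in EXPECTED_HOSTS:
        # Without https there is no padlock or certificate to inspect.
        return "ok" if scheme == "https" else "plain-http"
    if host.endswith(".mtgox.com"):
        return "unlisted-subdomain"
    if "mtgox" in shown:
        # Reader sees the real site's name, but the href goes elsewhere.
        return "mismatch"
    if any(tok in host for tok in ("mtgox", "mtg0x", "mt-gox")):  # assumed list
        return "lookalike"
    return "foreign"

def scan_email(html):
    """Return [(href, verdict), ...] for every anchor in an HTML e-mail body."""
    return [(href, check_anchor(href, text)) for href, text in ANCHOR_RE.findall(html)]

# Constructed sample message; none of these hosts are real phishing sites.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="https://mtgox.com/">https://mtgox.com/</a>
<a href="http://mtgox.com/login">Login</a>
<a href="https://mtgox.com@login-check.example/">https://mtgox.com/</a>
<a href="https://mtgox.com.login-check.example/">Secure login</a>
<a href="https://mtg0x.com/">Mt. Gox</a>
<a href="https://example.net/">Unsubscribe</a>"""

if __name__ == "__main__":
    for href, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:19} {href}")
```

The verdicts are heuristics for triage, not proof: a link that passes still deserves the certificate check in the browser, and one that fails may simply be an unlisted but legitimate host.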
Phishing is an extremely common scam because it hijacks the natural trust people place in e-mails from businesses they already have relationships with. These scams also exploit recent and well-known events by triggering natural curiosity, such as news about disasters like Hurricane Irene or the death of a popular celebrity like Amy Winehouse. We've even seen powerful organizations such as the Pentagon fall prey to carefully crafted spear-phishing campaigns aimed at gaining access to their computers.
Even the best computer security systems are still only as good as the education and awareness of the people running them.
Stay on your toes if you're a Mt. Gox user (or an Internet user in general) and don't cast about willy-nilly with your financial information. Even a few Bitcoin cents rattling around in your e-wallet are worth something.