ICO-projects security rating
There are scammers in the ICO market. This fact is hard to argue. The US Securities and Exchange Commission (SEC) even launched a fictitious ICO to show potential investors how they can be deceived and what things need to be paid attention to. There are many methods. For example, you can hack the site and change the wallet number. Or go phishing in Telegram, where almost every project has its own chats with investors. According to experts, in 2017, hackers could steal $ 300 million in a similar way.
The portfolio company of FRIA Metascan, which specializes in cybersecurity, checked how protected ICO-projects are from hackers, scammers and unfair competitors. A total of 91 projects with Russian-speaking founders were evaluated, but Metascan will continue to explore new projects in real time.
Only 5 projects out of 91 fully meet the safety criteria - this is only 5.5% of the total number of projects. Most of the projects, conducting ICO, give rise to chats in the Telegram messenger, where they communicate with potential investors. Almost half of the projects (48%) have scammers in these chat rooms. Another 41% of projects have vulnerabilities in landings, and this means that there is a threat of hacking the site and changing the address of the wallet to raise funds. DDoS protection is better. Only 11% of projects are vulnerable to such attacks. In addition, the study showed that most of the projects that carry out ICOs do not have their own employees specializing in cybersecurity, and do not use the services of third-party security experts (78% of projects do not have them).
')
Why is bad security of ICO projects a problem? August 2018: Hackers stole data from 261,000 users of the Atlas Quantum cryptocurrency investment platform - names, phone numbers, email addresses, balance sheets. July 2017: CoinDash project was missing $ 7 million after the start of ICO due to the fact that the hackers replaced the number of cryptograph on the site. August 2017: hackers made a fake newsletter on behalf of the founder of the Enigma project and collected about $ 500,000. And this is not all cases.
For investors , it is an opportunity to see how seriously the team approached their project, to assess the risks from investing in one or another ICO. As the Metascan experience shows, there is a direct correlation between the security of the project and its collections. Those projects that have large fees, conduct an audit of their sites, they have security advisors, code auditing, WAF or IPS.
For entrepreneurs , this is an opportunity to see the gaps in the security of their projects. “Project creators can fix vulnerabilities and flaws on their own or use our help. We will promptly update the rating as projects are corrected, ”said David Ordyan, founder of Metascan.
For ecosystem. Such a rating will reduce the number of scam projects, and this, in turn, will positively affect the ICO ecosystem as a whole and the growth and value of cryptocurrencies.
If you are interested in technical details of exactly how the checks were carried out, then the details are described below. And if you are too lazy to delve into the technical nuances, then send a link to your CTO.
Only ICO-projects with Russian-speaking founders got into the current edition of the rating. Finding project sites and their descriptions is not difficult, there are many resources with lists of upcoming or already reaching ICOs. Projects themselves are interested in learning about them. Metascan monitors the lists of ICO constantly, about 150 new projects appear per month.
Each project was tested in four ways:
The presence of a security adviser or your own specialist. Such information projects publish on the site and in their Whitepaper in the section on the team.
Resistance site to DDoS-attacks. An absolute guarantee that the project site is resistant to DDoS attacks can only be given after conducting a stress test. But for ethical reasons, such tests are never conducted without agreement. Vulnerability to DDoS-attack is detected heuristically by the presence of signs of any protective mechanisms. Metascan checked this parameter by the presence of CDN and traffic filtering systems like Cloudflare, Qrator, Imperva. Traffic filtering can be carried out by the hosting provider, and this cannot be determined from the outside, then there may be inaccuracy at this point. If the projects have found such an inaccuracy in the rating, they can write to Metascan.
The presence of vulnerabilities in the web application. One of the Metascan products is a vulnerability scanner. It can be used independently by any site owner at the address metascan.ru. With the help of it and scanned landings projects. True, Metascan notes that this check only reveals vulnerabilities lying on the surface. Pentest or a deeper analysis allows you to detect the full range of vulnerabilities or ensure their absence. But a deeper audit requires coordination with resource administrators.
The presence of fraudsters in the Telegram-chat project. How do fraudsters work? They pretend to be members of the ICO team, write private messages to investors and offer to send money to their wallet to receive tokens at a big discount. It is precisely because they are talking to investors one-on-one, that there is no point in scammers blocking the general ICO chat. Losses from fraudsters are approximately 5 ETH for each day of the crowdsale. At the same time, fraudsters monitor the emergence of new ICOs and create in advance accounts that simulate the accounts of project founders and group administrators.
What does Metascan do with such fraud? The team has developed tools and mechanics that can detect such fraudsters. Metascan collects data about the used wallets, location and equipment of the attacker. After that, their accounts are permanently deleted, and the numbers are banned: Metascan is one of the few, if not the only company that provides services not only for detecting fraudulent accounts, but also for their removal from the Telegram messenger.
The public list already contains 124 fraudulent cryptographs, and the Metascan antifraud system contains more than 1,500 unique Telegram accounts used for ICO fraud.
Most of the intruders "live" in Nigeria, working from mobile devices. 43% of all scammers cheat investors with the iPhone, and 57% of scammers use Android phones, preferring versions 4 and 7 of this OS.
Here is an example of a real case of the struggle with Telegram-fraudsters:
Contact Metascan:
+7 495 152 1337
david.ordyan@metascan.ru
@david_ordyan (Telegram)
Example correspondence with scammers:
The portfolio company of FRIA Metascan, which specializes in cybersecurity, checked how protected ICO-projects are from hackers, scammers and unfair competitors. A total of 91 projects with Russian-speaking founders were evaluated, but Metascan will continue to explore new projects in real time.
Only 5 projects out of 91 fully meet the safety criteria - this is only 5.5% of the total number of projects. Most of the projects, conducting ICO, give rise to chats in the Telegram messenger, where they communicate with potential investors. Almost half of the projects (48%) have scammers in these chat rooms. Another 41% of projects have vulnerabilities in landings, and this means that there is a threat of hacking the site and changing the address of the wallet to raise funds. DDoS protection is better. Only 11% of projects are vulnerable to such attacks. In addition, the study showed that most of the projects that carry out ICOs do not have their own employees specializing in cybersecurity, and do not use the services of third-party security experts (78% of projects do not have them).
')
The entire rating can be viewed on the Metascan website.
Why is bad security of ICO projects a problem? August 2018: Hackers stole data from 261,000 users of the Atlas Quantum cryptocurrency investment platform - names, phone numbers, email addresses, balance sheets. July 2017: CoinDash project was missing $ 7 million after the start of ICO due to the fact that the hackers replaced the number of cryptograph on the site. August 2017: hackers made a fake newsletter on behalf of the founder of the Enigma project and collected about $ 500,000. And this is not all cases.
Why do you need this rating?
For investors , it is an opportunity to see how seriously the team approached their project, to assess the risks from investing in one or another ICO. As the Metascan experience shows, there is a direct correlation between the security of the project and its collections. Those projects that have large fees, conduct an audit of their sites, they have security advisors, code auditing, WAF or IPS.
For entrepreneurs , this is an opportunity to see the gaps in the security of their projects. “Project creators can fix vulnerabilities and flaws on their own or use our help. We will promptly update the rating as projects are corrected, ”said David Ordyan, founder of Metascan.
For ecosystem. Such a rating will reduce the number of scam projects, and this, in turn, will positively affect the ICO ecosystem as a whole and the growth and value of cryptocurrencies.
If you are interested in technical details of exactly how the checks were carried out, then the details are described below. And if you are too lazy to delve into the technical nuances, then send a link to your CTO.
How was the rating made?
Only ICO-projects with Russian-speaking founders got into the current edition of the rating. Finding project sites and their descriptions is not difficult, there are many resources with lists of upcoming or already reaching ICOs. Projects themselves are interested in learning about them. Metascan monitors the lists of ICO constantly, about 150 new projects appear per month.
Each project was tested in four ways:
The presence of a security adviser or your own specialist. Such information projects publish on the site and in their Whitepaper in the section on the team.
Resistance site to DDoS-attacks. An absolute guarantee that the project site is resistant to DDoS attacks can only be given after conducting a stress test. But for ethical reasons, such tests are never conducted without agreement. Vulnerability to DDoS-attack is detected heuristically by the presence of signs of any protective mechanisms. Metascan checked this parameter by the presence of CDN and traffic filtering systems like Cloudflare, Qrator, Imperva. Traffic filtering can be carried out by the hosting provider, and this cannot be determined from the outside, then there may be inaccuracy at this point. If the projects have found such an inaccuracy in the rating, they can write to Metascan.
The presence of vulnerabilities in the web application. One of the Metascan products is a vulnerability scanner. It can be used independently by any site owner at the address metascan.ru. With the help of it and scanned landings projects. True, Metascan notes that this check only reveals vulnerabilities lying on the surface. Pentest or a deeper analysis allows you to detect the full range of vulnerabilities or ensure their absence. But a deeper audit requires coordination with resource administrators.
The presence of fraudsters in the Telegram-chat project. How do fraudsters work? They pretend to be members of the ICO team, write private messages to investors and offer to send money to their wallet to receive tokens at a big discount. It is precisely because they are talking to investors one-on-one, that there is no point in scammers blocking the general ICO chat. Losses from fraudsters are approximately 5 ETH for each day of the crowdsale. At the same time, fraudsters monitor the emergence of new ICOs and create in advance accounts that simulate the accounts of project founders and group administrators.
What does Metascan do with such fraud? The team has developed tools and mechanics that can detect such fraudsters. Metascan collects data about the used wallets, location and equipment of the attacker. After that, their accounts are permanently deleted, and the numbers are banned: Metascan is one of the few, if not the only company that provides services not only for detecting fraudulent accounts, but also for their removal from the Telegram messenger.
The public list already contains 124 fraudulent cryptographs, and the Metascan antifraud system contains more than 1,500 unique Telegram accounts used for ICO fraud.
Most of the intruders "live" in Nigeria, working from mobile devices. 43% of all scammers cheat investors with the iPhone, and 57% of scammers use Android phones, preferring versions 4 and 7 of this OS.
Here is an example of a real case of the struggle with Telegram-fraudsters:
One of the clients during the marketing campaign sharply increased the fraud. If, prior to its launch, we found and deleted one or two per day, then after several dozens of accounts appeared at the same time, pretending to be members of the project team in the Telegram.
For each, we promptly took action, fixing the data and deleting it. It happened that the persistent scammer registered new accounts, but after 3-5 deletions he gave up and left. In addition, there were constantly fake emails from the organizers, fake Google registration forms, and phishing ads. Around the clock, we were engaged in responding and removing fraudulent content.
As a result, during the countering phishing company, 36 scam accounts were deleted. 3 domains are divided. 1 AdWords advertising campaign and 2 Google Forms phishing forms were blocked.
More information about the fight against fraudsters in Telegram can be found in the Metascan report.
Contact Metascan:
+7 495 152 1337
david.ordyan@metascan.ru
@david_ordyan (Telegram)
Example correspondence with scammers:
Source: https://habr.com/ru/post/425355/
All Articles