23.07.2024
Mirjan Hipolito
Cryptocurrency and stock expert

Gemini presents anti-phishing strategies and solutions at BSidesSF conference


In a comprehensive presentation at the BSidesSF security conference, Gemini security analyst Rick Ramgattie delved into the methods the company employs to combat phishing scams.

His talk, "Hook, Line & Tinker: A Dive Into Phishing Company Sites," (YouTube) highlighted the advanced tactics used to identify and disrupt malicious actors targeting cryptocurrency holders.

According to the exchange's blog post, phishing scams, particularly Adversary in the Middle (AiTM) attacks, pose a significant threat to account security. In an AiTM attack, malicious actors place a reverse proxy between the victim and the real site, which allows them to bypass multi-factor authentication (MFA) and gain unauthorized access to sensitive information.

Ramgattie described an instance where a phishing site captured user credentials and 2FA codes to access victim accounts. The scammers used automation tools like 2Captcha to quickly solve CAPTCHAs, revealing the limitations of traditional anti-automation defenses.

To counter these threats, Gemini has implemented rigorous security measures. Upon discovering that attackers were changing victims' email addresses to access validation links, Ramgattie devised a solution requiring access to the current email inbox before any changes could be made. This prevented further breaches by ensuring that attackers could not access the verification links sent to the original email addresses.
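The email-change fix described above, modelled as an added illustration (this is not Gemini's code; the account, outbox and function names are assumptions): the insecure variant applies the change at once and mails the link to the new address, while the hardened variant holds the change until a token sent to the current inbox is confirmed.

```python
"""Added example (not Gemini's code): why sending the confirmation to the
CURRENT inbox stops an attacker holding a hijacked session from swapping
the account's email address to one they control."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    pending_change: Optional[dict] = None  # {"token": ..., "new_email": ...}


class Outbox:
    """Constructed stand-in for a mail sender: records (recipient, token)."""
    def __init__(self):
        self.sent = []

    def send(self, to, token):
        self.sent.append((to, token))


def request_email_change_insecure(acct, new_email, outbox):
    # 'Before' behaviour from the talk: the change takes effect immediately
    # and the validation link goes to the NEW address the attacker chose.
    acct.email = new_email
    outbox.send(new_email, secrets.token_urlsafe(16))


def request_email_change(acct, new_email, outbox):
    # Hardened flow: nothing changes yet; the confirmation token is mailed
    # only to the address currently on file, which the attacker cannot read.
    token = secrets.token_urlsafe(16)
    acct.pending_change = {"token": token, "new_email": new_email}
    outbox.send(acct.email, token)


def confirm_email_change(acct, token):
    """Apply the pending change only if the token from the current inbox matches."""
    pending = acct.pending_change
    if pending is None or not secrets.compare_digest(pending["token"], token):
        return False
    acct.email = pending["new_email"]
    acct.pending_change = None
    return True


def simulate_hijacked_session(victim_email, attacker_email):
    """Attacker with a stolen session tries to take over the account email."""
    acct, outbox = Account(victim_email), Outbox()
    request_email_change(acct, attacker_email, outbox)
    recipient, token = outbox.sent[-1]
    # The attacker can only act on mail delivered to their own address.
    taken_over = recipient == attacker_email and confirm_email_change(acct, token)
    return {"recipient": recipient, "taken_over": taken_over, "email": acct.email}
```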

Additionally, Gemini's security team employs threat hunting techniques to identify phishing sites. By analyzing the back-end requests of phishing portals, Ramgattie discovered that attackers often disclosed their infrastructure when redirecting victims to legitimate sites.

In one case, he identified over 200 phishing sites configured to steal user credentials, which were then harvested and emailed to the attackers. This discovery underscored the importance of diligent server setup and monitoring.

In another example, Gemini users were targeted by an email phishing campaign claiming they would receive crypto assets via airdrop. Users who clicked the "proceed now" button were directed to a fake landing page resembling Gemini's homepage, where they were prompted to connect to a Web3 wallet, ultimately leading to the theft of their assets.

Fortunately, MetaMask's reporting feature allowed for swift blocking of phishing domains, offering a faster solution than traditional reporting to hosting providers.

As phishing techniques evolve, Gemini remains committed to enhancing its security protocols to protect its users. The exchange's proactive approach, combining threat hunting and advanced security measures, serves as a reference for the cryptocurrency industry.
