ICO-projects security rating
There are scammers in the ICO market. With this fact it is difficult to argue. The US Securities and Exchange Commission (SEC) has even launched a fictitious ICO to show potential investors how they can be deceived and what things need to be paid attention to. There are many methods. For example, you can hack the site and change the wallet number. Or go phishing in Telegram, where almost every project has its own chats with investors. According to experts, in 2017, hackers could steal $ 300 million in a similar way.
The portfolio company of FRII Metascan, which specializes in cybersecurity, checked the extent to which ICO-projects are protected from hackers, fraudsters and unscrupulous competitors. A total of 91 projects with Russian-speaking founders were evaluated, but Metascan will continue to explore new projects in real time.
Only 5 projects out of 91 fully meet the safety criteria - this is only 5.5% of the total number of projects. Most of the projects, conducting ICO, give rise to chat rooms in the Telegram messenger, where they communicate with potential investors. Almost half of the projects (48%) have scammers in these chat rooms. Another 41% of projects have vulnerabilities in landings, and this means that there is a threat of hacking the site and changing the address of the wallet to raise funds. DDoS protection is better. Only 11% of projects are vulnerable to such attacks. In addition, the study showed that most of the projects that carry out ICOs do not have their own employees specializing in cybersecurity, and do not use the services of third-party security experts (78% of projects do not have them).
Why is bad security of ICO projects a problem? August 2018: Hackers stole data from 261,000 users of the Atlas Quantum cryptocurrency investment platform - names, phone numbers, email addresses, balance sheets. July 2017: The CoinDash project was missing $ 7 million after the start of ICO due to the fact that hackers changed the number of the cryptograph on the site. August 2017: hackers made a fake newsletter on behalf of the founder of the Enigma project and collected about $ 500,000. And this is not all cases.
For investors it is an opportunity to see how seriously the team approached their project, to assess the risks from investing in this or that ICO. As the Metascan experience shows, there is a direct correlation between the security of the project and its collections. Those projects that have large fees, conduct an audit of their sites, they have security advisors, code auditing, WAF or IPS.
For entrepreneurs , this is an opportunity to see the gaps in the security of their projects. “Project creators can fix vulnerabilities and flaws themselves or resort to our help. We will promptly update the rating as projects are corrected, ”said David Ordyan, founder of Metascan.
For ecosystem.Such a rating will reduce the number of scam projects, and this, in turn, will have a positive effect on the ICO ecosystem as a whole and on the growth and value of cryptocurrencies.
If you are interested in technical details of exactly how the checks were carried out, then the details are described below. And if you are too lazy to delve into the technical nuances, then send a link to your CTO.
Only ICO-projects with Russian-speaking founders got into the current edition of the rating. Finding project sites and their descriptions is not difficult, there are many resources with lists of upcoming or already reaching ICOs. Projects themselves are interested in learning about them. Metascan monitors lists of ICO constantly, about 150 new projects appear per month.
Each project was tested on four parameters:
The presence of a security adviser or his own specialist. Such information projects publish on the site and in their Whitepaper in the section on the team.
Resistance site to DDoS-attacks.An absolute guarantee that the project site is resistant to DDoS attacks can only be given after conducting a stress test. But for ethical reasons, such tests are never conducted without agreement. Vulnerability to DDoS-attack is detected heuristically by the presence of signs of any protective mechanisms. Metascan checked this parameter by the presence of CDN and traffic filtering systems like Cloudflare, Qrator, Imperva. Traffic filtering can be carried out by the hosting provider, and this cannot be determined from the outside, then there may be inaccuracy at this point. If the projects found such an inaccuracy in the rating, they can write to Metascan.
The presence of vulnerabilities in the web application.One of the products of Metascan is a vulnerability scanner. It can be used independently by any site owner at the address metascan.ru. With the help of it and scanned landing projects. True, Metascan notes that this check only reveals vulnerabilities lying on the surface. Pentest or a deeper analysis allows you to detect the full range of vulnerabilities or to ensure their absence. But a deeper audit requires coordination with resource administrators.
The presence of fraudsters in the Telegram-chat project.How do fraudsters work? They pretend to be members of the ICO team, write private messages to investors and offer to send money to their wallet to receive tokens with a big discount. It is because they communicate with investors one-on-one-one, that there is no point in scammers blocking the general ICO chat. Losses from fraudsters are approximately 5 ETH for each day of the crowdsale. At the same time, fraudsters monitor the emergence of new ICOs and create in advance accounts that simulate the accounts of the project founders and group administrators.
What does Metascan do with such fraud?The team has developed tools and mechanics that allow you to identify such fraudsters. Metascan collects data about the used wallets, location and equipment of the attacker. After that, their accounts are permanently deleted, and the numbers are banned: Metascan is one of the few, if not the only company that provides services not only for detecting fraudulent accounts, but also for removing them from the Telegram messenger.
The public list already contains 124 fraudulent cryptographs, and the Metascan antifraud system contains more than 1,500 unique Telegram accounts used for ICO fraud.
Most of the intruders "live" in Nigeria, working from mobile devices. 43% of all scammers cheat investors with the iPhone, and 57% of scammers use Android-based phones, preferring versions 4 and 7 of this OS.
Here is an example of a real case of the struggle with Telegram-fraudsters:
Contact Metascan:
+7 495 152 1337
david.ordyan@metascan.ru
@david_ordyan (Telegram)
Example of correspondence with fraudsters:
The portfolio company of FRII Metascan, which specializes in cybersecurity, checked the extent to which ICO-projects are protected from hackers, fraudsters and unscrupulous competitors. A total of 91 projects with Russian-speaking founders were evaluated, but Metascan will continue to explore new projects in real time.
Only 5 projects out of 91 fully meet the safety criteria - this is only 5.5% of the total number of projects. Most of the projects, conducting ICO, give rise to chat rooms in the Telegram messenger, where they communicate with potential investors. Almost half of the projects (48%) have scammers in these chat rooms. Another 41% of projects have vulnerabilities in landings, and this means that there is a threat of hacking the site and changing the address of the wallet to raise funds. DDoS protection is better. Only 11% of projects are vulnerable to such attacks. In addition, the study showed that most of the projects that carry out ICOs do not have their own employees specializing in cybersecurity, and do not use the services of third-party security experts (78% of projects do not have them).
The entire rating can be viewed on the Metascan website.
Why is bad security of ICO projects a problem? August 2018: Hackers stole data from 261,000 users of the Atlas Quantum cryptocurrency investment platform - names, phone numbers, email addresses, balance sheets. July 2017: The CoinDash project was missing $ 7 million after the start of ICO due to the fact that hackers changed the number of the cryptograph on the site. August 2017: hackers made a fake newsletter on behalf of the founder of the Enigma project and collected about $ 500,000. And this is not all cases.
Why do you need this rating?
For investors it is an opportunity to see how seriously the team approached their project, to assess the risks from investing in this or that ICO. As the Metascan experience shows, there is a direct correlation between the security of the project and its collections. Those projects that have large fees, conduct an audit of their sites, they have security advisors, code auditing, WAF or IPS.
For entrepreneurs , this is an opportunity to see the gaps in the security of their projects. “Project creators can fix vulnerabilities and flaws themselves or resort to our help. We will promptly update the rating as projects are corrected, ”said David Ordyan, founder of Metascan.
For ecosystem.Such a rating will reduce the number of scam projects, and this, in turn, will have a positive effect on the ICO ecosystem as a whole and on the growth and value of cryptocurrencies.
If you are interested in technical details of exactly how the checks were carried out, then the details are described below. And if you are too lazy to delve into the technical nuances, then send a link to your CTO.
How was the rating made?
Only ICO-projects with Russian-speaking founders got into the current edition of the rating. Finding project sites and their descriptions is not difficult, there are many resources with lists of upcoming or already reaching ICOs. Projects themselves are interested in learning about them. Metascan monitors lists of ICO constantly, about 150 new projects appear per month.
Each project was tested on four parameters:
The presence of a security adviser or his own specialist. Such information projects publish on the site and in their Whitepaper in the section on the team.
Resistance site to DDoS-attacks.An absolute guarantee that the project site is resistant to DDoS attacks can only be given after conducting a stress test. But for ethical reasons, such tests are never conducted without agreement. Vulnerability to DDoS-attack is detected heuristically by the presence of signs of any protective mechanisms. Metascan checked this parameter by the presence of CDN and traffic filtering systems like Cloudflare, Qrator, Imperva. Traffic filtering can be carried out by the hosting provider, and this cannot be determined from the outside, then there may be inaccuracy at this point. If the projects found such an inaccuracy in the rating, they can write to Metascan.
The presence of vulnerabilities in the web application.One of the products of Metascan is a vulnerability scanner. It can be used independently by any site owner at the address metascan.ru. With the help of it and scanned landing projects. True, Metascan notes that this check only reveals vulnerabilities lying on the surface. Pentest or a deeper analysis allows you to detect the full range of vulnerabilities or to ensure their absence. But a deeper audit requires coordination with resource administrators.
The presence of fraudsters in the Telegram-chat project.How do fraudsters work? They pretend to be members of the ICO team, write private messages to investors and offer to send money to their wallet to receive tokens with a big discount. It is because they communicate with investors one-on-one-one, that there is no point in scammers blocking the general ICO chat. Losses from fraudsters are approximately 5 ETH for each day of the crowdsale. At the same time, fraudsters monitor the emergence of new ICOs and create in advance accounts that simulate the accounts of the project founders and group administrators.
What does Metascan do with such fraud?The team has developed tools and mechanics that allow you to identify such fraudsters. Metascan collects data about the used wallets, location and equipment of the attacker. After that, their accounts are permanently deleted, and the numbers are banned: Metascan is one of the few, if not the only company that provides services not only for detecting fraudulent accounts, but also for removing them from the Telegram messenger.
The public list already contains 124 fraudulent cryptographs, and the Metascan antifraud system contains more than 1,500 unique Telegram accounts used for ICO fraud.
Most of the intruders "live" in Nigeria, working from mobile devices. 43% of all scammers cheat investors with the iPhone, and 57% of scammers use Android-based phones, preferring versions 4 and 7 of this OS.
Here is an example of a real case of the struggle with Telegram-fraudsters:
One of the clients during the marketing campaign sharply increased the scale of fraud. If, prior to its launch, we found and deleted one or two per day, then after several dozens of accounts appeared at the same time, pretending to be members of the project team in Telegram.
For each, we promptly took action, fixing the data and deleting it. It happened that the persistent fraudster registered new accounts, but after 3-5 deletions he gave up and left. In addition, there were constantly fake emails from the organizers, fake Google registration forms, and phishing ads. Around the clock, we were engaged in responding and removing fraudulent content.
As a result, during the countering phishing company, 36 scam accounts were deleted. 3 domains are divided. 1 advertising campaign in AdWords and 2 phishing forms in Google Forms blocked.
More information about the fight against fraudsters in Telegram can be found in the Metascan report.
Contact Metascan:
+7 495 152 1337
david.ordyan@metascan.ru
@david_ordyan (Telegram)
Example of correspondence with fraudsters: