In the last couple of years, cyber criminals have taken advantage of blockchain technologies to keep their websites and domains secure from takedown attempts by authorities. At the same time, several fraudsters have also marketed “dedicated host servers” as hack-proof to other cyber-criminals, thereby accelerating their use of blockchain technologies.
The inherently 'secure' nature of blockchain, which ensures that enterprises can organise their applications in a way that such applications are not managed by a central authority and individual users can edit or update parts of the blockchain based on their rights, has ensured that the technology has found favour among cyber-criminals who are intent on either masking or hiding their malicious operations.
According to a report from security firm RSA, cyber-criminals are now hosting their websites on the blockchain and are also registering their domains using a blockchain-based DNS. By doing this, they aim to ensure that authorities are not able to access their websites or reroute their domains, thereby ensuring the sustainability and secrecy of their operations.
The report added that blockchain technologies will be used more and more in the coming days by cyber-criminals to launch new fraud schemes, as the use of blockchain-based DNS ensures that one cannot access a website unless he/she possesses special browser extensions which are not available to end-users.
Even though blockchain adoption has skyrocketed in the recent past, it also has its share of weaknesses. For instance, if a hacker manages to obtain private keys by phishing an unsuspecting employee, the hacker can use such keys to gain access to the blockchain and drain it of all relevant information.
Commenting on the increased use of blockchain technologies by cyber-criminals, Tim Ayling, EMEA director of fraud & risk intelligence at RSA Security, told SC Magazine UK that even though blockchain is a new frontier when it comes to fraud, it still offers an obvious opportunity to cyber criminals.
"Usually, when high-profile retail and ecommerce sites are spoofed, governments and security organisations are well-practiced at pulling these sites down quickly and efficiently, removing the risk for the user. However, when hosted in the blockchain, the option of pulling down sites via a central mechanism is removed, leaving fraudulent sites free to swindle whoever they please.
"This means that even on the blockchain, the battle against fraud will be fought at the transaction layer; just as the banks step in with risky transactions in regular online transactions, more will need to be done to prevent fraud in the blockchain environment.
"For users, this means even more education and training will be required, so that potential victims can recognise risky behaviour on the blockchain. There is already some progress being made here, with a number of security extensions available to highlight when blockchain-hosted sites aren't properly secured," he added.
Charl van der Walt, chief security strategy officer at SecureData, believes that even if some cyber-criminals use the blockchain to hide their own designs, they will do little to change the fundamentals as law enforcement agencies will always find ways to track their activities and to thwart them to keep pace with the changing cyber-crime landscape.
In an email to SC Magazine UK, he added that the development of blockchain will follow the predictable adoption cycle where new technology developed in the academic or R&D arena gets adopted in the commercial arena and put to good use but becomes better understood and eventually commoditised as use cases justify its value.
"Eventually, the bad guys start perceiving its usefulness for the ‘problems' they face, adopting it as required – in this case, blockchain. Agencies themselves will then see it as a necessary step to be able to counter such technology for their gain. However, we may not see or hear how exactly in the very near future, as law enforcement will more than likely not want to show the world how their toys work.
"As it stands, the fact that criminals may be using blockchain doesn't really matter in the long run, as security is a basic resourcing problem. We expect the good guy to consistently and continuously address new threats one after the other. The basic issues remain the same and it doesn't matter fundamentally if we're dealing with blockchain or any other trendy new technology," he added.
Ed Williams, Director, EMEA of SpiderLabs at Trustwave, also said that even if cyber-criminals adapt to and embrace new technologies like blockchain before everyone else, it will not stop blockchain from becoming mainstream for organisations.
"Where the criminals go everybody else follows, they are quick to adapt to and embrace new technologies and we, as the security industry, tend to follow them, or at least be a step behind them, and I see no difference here," he added.