Hackers going after virtual currency are using phone numbers to take over people's devices, after which they are able to reset passwords.
Stealing currency from online wallets is apparently not the attackers' only motive. They have reportedly also held emails and sensitive documents, including photographs and other such information, to ransom.
Attackers simply call phone carriers and ask them to transfer control of a target's mobile number to a different phone that the attackers hold, after which they take over a number of devices through the data on the "hacked" phone, reports the New York Times, citing a Federal Trade Commission (FTC) report. According to the FTC, phone number hijacking has been an ongoing scam since as early as 2013.
All that the attackers have to do, according to the report, is reset every password that uses the phone's number as a security backup; this includes Facebook accounts, Google services, and other social media outlets.
Of particular interest to hackers are people with valuable online accounts, specifically those who make use of virtual currency. Chris Burniske, a virtual currency investor who fell victim to such an attack, told the Times that after he lost control of his phone number, his iPad, phone and computer restarted. The report details that within minutes, his virtual wallet's password had been reset and he lost about $150,000.
"Everybody I know in the cryptocurrency space has gotten their phone number stolen," said Joby Weeks, a Bitcoin entrepreneur.
Such incidents have reportedly affected a number of prominent people, but they do not seem to want to admit it publicly.
Weeks did not just lose control of his own number. His family was attacked the same way, and he went on to lose nearly a million dollars in virtual currency even though he had asked his phone company to provide additional security for his number, he said.
Virtual currency transactions are not reversible, according to the report, and the attacks are concentrated around people who are virtual currency enthusiasts, or those who seem to discuss or post about them on social media. People who are known to own, invest in and trade through virtual currencies are reportedly targeted.
According to the NYT, traditional banks and brokerage firms may not be as big a target of this style of attack simply because "unintended and malicious" transactions are easily reversed by the institutions if they are caught early.
Apart from the money and virtual currency aspect, the attacks have reportedly exposed a major flaw in the phone-based account verification process that many sites make use of.
"It's really highlighting the insecurity of using any kind of telephone-based security," said Michael Perklin, chief information security officer with virtual currency exchange ShapeShift, several of whose employees fell victim to such attacks, according to the report.