Categories
Alvosec

How to create a multisignature XPR wallet? + VIDEO

A MultiSig wallet is a digital wallet that operates with multisignature addresses. This means that it requires more than one private key to sign and authorize a crypto transaction or, in some cases, that several different keys can be used to generate a signature.

From a security perspective, it is vital that coins and tokens are stored in a way that removes the single point of failure that can compromise the entire wallet. If only one private key is needed to sign a transaction, theft or loss of that one key puts all of your assets at risk.

Multi-signature means it is possible to require multiple people to authorize certain actions in the account.

In this example we will learn how to create a multisignature wallet on the XPR Network blockchain.

We advise following this tutorial with an account on the testnet before doing the same on mainnet.

Let’s go ahead and look up our account on explorer.xprnetwork.org. Log in with the account that you want to convert to an msig account.

Navigate to Wallet, then Keys and Permissions, and choose Advanced mode.

By default XPR wallet has 2 native permissions:

  • Owner: the owner permission is the “root access” to your XPR wallet and represents ownership of the account. It is needed to change the ownership of the account, including the owner and active permissions themselves.
  • Active: used for transferring funds, voting for producers, buying RAM, etc.

Each permission has one key associated with it by default, but a permission can also be satisfied by other accounts’ permissions, which is what an msig setup relies on. Every key or account entry has a weight, and each permission has a threshold that the combined weight of the signers must meet before a transaction requiring that permission is approved.

Now let’s replace our keys with the accounts that will form the msig.

Again navigate to Wallet, then Keys and Permissions, and choose Advanced mode. First we will change the active permission by removing the associated key (click on X to remove it). Set the threshold to 2: a proposal is then approved once signers with a combined weight of 2 have approved it, which is 2 of 3 accounts when each account has a weight of 1.

Add the accounts below as shown in the picture. Each account can have a weight of 1. For the sake of learning we assigned the first account (msig11) a weight of 2, meaning that this account alone reaches the threshold and can approve any proposal by itself. For a plain 2-of-3 setup, give all accounts a weight of 1.

Here is an example of a transaction fully executed with the approval of msig11 alone, which holds a weight of 2.

Add Waits (optional)

To the right you will notice the “Add Wait” button, which lets you add time as an additional factor for the permission. In this example a wait of 3600 seconds (1 hour) has a weight of 1. A wait counts toward the threshold only for a transaction that is submitted with a delay of at least that long, so one account with weight 1 plus a one-hour delay would reach the threshold of 2, while the same account alone would not.

After you are satisfied with the permissions, save them and move on to the owner permission.

Again, each account can have a weight of 1 or higher. Repeat the steps for the owner permission: remove the key and add the accounts of the new msig wallet. Before saving, confirm on the testnet (for example with a test proposal) that these accounts can actually approve, because once the owner permission has no key of its own there is no single key left that can recover the account.

Our new permissions should look like this:

We have converted the account into a fully msig account: any action from it now needs approvals with a combined weight of 2 (two of the three accounts, or msig11 alone in our example) before it can be executed.
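The weight and threshold arithmetic described above, as an added example that is not part of the original tutorial: a small Python model of the XPR/Antelope authority object that the explorer submits through the updateauth action when you click save, with the same validity checks the chain applies. Only msig11 and its weight of 2 come from the text; the account names msig22 and msig33, the wallet name mywallet, the permission names and the delayed-transaction check are assumptions made here for illustration.

```python
import json

# Constructed example. Only "msig11" and its weight of 2 come from the tutorial;
# "msig22", "msig33", "mywallet", the permission names and the delay are assumptions.


def make_authority(threshold, accounts, waits=()):
    """Build the XPR/Antelope authority object that updateauth expects.

    accounts: list of (actor, permission, weight); waits: list of (wait_sec, weight).
    The chain rejects an authority whose weights are zero, whose combined weight
    can never reach the threshold, or whose account entries are not unique and
    sorted by (actor, permission); the same checks are applied here so a bad
    setup fails before anything is signed.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    acct_entries = [
        {"permission": {"actor": actor, "permission": perm}, "weight": weight}
        for actor, perm, weight in accounts
    ]
    wait_entries = [{"wait_sec": secs, "weight": weight} for secs, weight in waits]
    if any(e["weight"] < 1 for e in acct_entries + wait_entries):
        raise ValueError("every weight must be at least 1")
    order = [(e["permission"]["actor"], e["permission"]["permission"]) for e in acct_entries]
    if order != sorted(order) or len(set(order)) != len(order):
        raise ValueError("account entries must be unique and sorted by actor, then permission")
    total = sum(e["weight"] for e in acct_entries + wait_entries)
    if total < threshold:
        raise ValueError(f"combined weight {total} can never reach threshold {threshold}")
    return {"threshold": threshold, "keys": [], "accounts": acct_entries, "waits": wait_entries}


def is_satisfied(authority, approvals, delay_sec=0):
    """True when the approving accounts (plus any satisfied wait) meet the threshold.

    approvals: set of (actor, permission) that approved the proposal.
    delay_sec: the delay the transaction was submitted with; a wait entry adds its
    weight only when delay_sec >= wait_sec, which is how time acts as a signer.
    """
    weight = sum(
        e["weight"] for e in authority["accounts"]
        if (e["permission"]["actor"], e["permission"]["permission"]) in approvals
    )
    weight += sum(w["weight"] for w in authority["waits"] if delay_sec >= w["wait_sec"])
    return weight >= authority["threshold"]


def updateauth_action(account, permission, parent, authority):
    """The eosio::updateauth action the explorer submits when you save a permission.
    The permission being changed (or its parent) must authorize the change."""
    return {
        "account": "eosio",
        "name": "updateauth",
        "authorization": [{"actor": account, "permission": permission}],
        "data": {"account": account, "permission": permission, "parent": parent, "auth": authority},
    }


# The tutorial's active permission: msig11 alone (weight 2) or any two of the three,
# with the optional one-hour wait worth 1.
ACTIVE_AUTHORITY = make_authority(
    threshold=2,
    accounts=[("msig11", "active", 2), ("msig22", "active", 1), ("msig33", "active", 1)],
    waits=[(3600, 1)],
)

if __name__ == "__main__":
    print(json.dumps(updateauth_action("mywallet", "active", "owner", ACTIVE_AUTHORITY), indent=2))
    for who, delay in ((("msig11",), 0), (("msig22",), 0), (("msig22", "msig33"), 0), (("msig22",), 3600)):
        approvals = {(a, "active") for a in who}
        print(who, "delay", delay, "->", is_satisfied(ACTIVE_AUTHORITY, approvals, delay))
```

Run it directly to print the action JSON and the four approval scenarios: msig11 alone passes, msig22 alone fails, msig22 plus msig33 passes, and msig22 alone passes only when the transaction carries the one-hour delay. The unsatisfiable-authority check is the one that saves you from locking yourself out on mainnet.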

VIDEO: How to create a fully msig wallet (using #XPRNetwork testnet)

In this example we converted the account into a fully msig account, meaning that any action from it needs 2 of 3 approvals before it can be executed.

(Caution: This is just a demonstration; it is not recommended to store keys of multisig accounts on a server!)

VIDEO: Creating a transfer from an msig account (using #XPRNetwork testnet)

We created an msig proposal to transfer funds from the multisig account to another account, approved it with 2 of 3 accounts, and executed the transfer. A single approval (1 of 3) is not enough, since the threshold is 2.

An msig account can be set up in various ways; some keep a single owner key and change only the active permission.

In the next tutorial we will explain how to make msig transactions. Until then, feel free to ask any question related to creating an msig account.

Subresource Integrity (SRI) Explained

What is SRI?

Subresource Integrity (SRI) is a security feature that helps browsers ensure that files they download (like JavaScript or CSS from a CDN) haven’t been tampered with. It does this by allowing the developer to include a cryptographic hash, which the browser checks to verify the file’s integrity.

The Problem

If a content delivery network (CDN) is compromised and someone alters the JavaScript or CSS files hosted there, every website using those files could be at risk. For instance, if a JavaScript file loaded from a CDN is modified by an attacker, it could lead to dangerous outcomes like stealing user data, altering content, or even taking down a site (denial-of-service attacks).

The Solution

By using SRI, you can “lock” a resource to a specific version using a cryptographic hash. This hash, which you provide in the integrity attribute, ensures that if the file changes, the browser won’t load it.

SRI is essential when loading external JavaScript (script) or CSS (link rel="stylesheet") resources, and it complements rather than replaces HTTPS: TLS protects the file in transit, SRI protects against the file being changed at its source. If the content has been altered in any way, browsers that support SRI will refuse to execute or apply the file. Note that the hash is tied to one exact file, so every library upgrade needs a new hash.

Additionally, for SRI to work on a cross-origin resource, the CDN must allow cross-origin access by sending the Access-Control-Allow-Origin header (CORS), and the tag must carry the crossorigin attribute (crossorigin="anonymous" in the examples below). Without CORS the browser receives an opaque response that it cannot hash, so the integrity check fails and the resource is not loaded.

Examples

Loading jQuery with SRI:

<script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script>

Loading AngularJS with SRI:

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js" integrity="sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp" crossorigin="anonymous"></script>

Generate your own SRI hash (the output is the base64 digest only; prefix it with the algorithm name, sha384-, when you paste it into the integrity attribute):

$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | openssl dgst -sha384 -binary | openssl base64 -A

SRI helps protect your site by ensuring that external resources haven’t been maliciously altered.

Ponzi Scheme vs. Pyramid Scheme: How Do They Differ?

Ponzi Scheme vs. Pyramid Scheme: A Comparative Overview

A Ponzi scheme is a fraudulent investment scam where returns to earlier investors are paid using the contributions from newer investors, rather than through legitimate profit-generating activities. In contrast, a pyramid scheme relies on continuous recruitment, with returns generated from fees paid by newly recruited participants, rather than by selling actual products or services.

Both Ponzi and pyramid schemes prey on unsuspecting individuals, lured by the promise of extraordinary returns. While these schemes may initially appear profitable, they can only survive as long as new investors keep joining. When the influx of new participants slows down, these schemes inevitably collapse, leaving the majority of participants at a loss.

Although Ponzi and pyramid schemes share common elements, such as deceptive promises of high returns, they differ in their structure and the way they operate. Both, however, can cause severe financial harm when they unravel.

Key Differences Between Ponzi and Pyramid Schemes

  • Ponzi schemes involve investors entrusting their money to a fraudulent portfolio manager, who uses funds from newer investors to pay earlier ones.
  • Pyramid schemes rely on recruiting new members, with the money flowing from newer recruits to those higher in the structure, often in exchange for the right to sell a product or service.
  • Both schemes promise exceptional returns but rarely provide any legitimate financial documentation or proof of profitability.

Understanding Ponzi Schemes

Ponzi schemes involve fraudulent investment management, promising significantly higher returns than standard investments. The scam works by using the funds of new investors to pay returns to earlier ones.

Here’s how it typically unfolds: Investors hand over their money to a person posing as a portfolio manager, who promises high profits. When investors request their returns, they are paid with funds contributed by later investors, creating an illusion of profitability.

The orchestrator of a Ponzi scheme controls the entire operation but doesn’t actually invest the money. Instead, they move funds between clients, keeping the cycle going until it eventually collapses due to a lack of new investors.

Red Flags of a Ponzi Scheme

If you’re concerned you might be involved in a Ponzi scheme, look for these warning signs:

  • Unrealistic promises of high returns: Be cautious if you’re guaranteed significantly higher returns than typical investments offer.
  • No risk claims: Every investment carries some level of risk. Claims that your money is entirely safe are often a red flag.
  • Lack of proper registration: Legitimate investment managers are licensed and regulated. Always verify the credentials of anyone offering to manage your money.
  • Complex or unclear investment strategies: If you don’t understand how your money will generate returns, the scheme is likely fraudulent.
  • Missing paperwork and payments: Be suspicious if you don’t receive regular statements or if promised payments are delayed or missing.

Understanding Pyramid Schemes

Pyramid schemes operate differently from Ponzi schemes by focusing on recruitment. The initial schemer recruits others, who are then tasked with recruiting more people, creating a hierarchy of participants.

Those at the top of the pyramid benefit the most, earning more as they attract new recruits. Money from these new recruits is distributed to those higher up in the pyramid, but people at the bottom often lose out, especially if they cannot recruit others to join.

Some pyramid schemes disguise themselves as business opportunities, where participants are promised the right to sell a product or engage in multi-level marketing (MLM). However, the primary goal remains recruitment, with new participants paying fees to those above them in the hierarchy.

Red Flags of a Pyramid Scheme

Signs you’re dealing with a pyramid scheme include:

  • Recruitment is key: Pyramid schemes emphasize recruitment over product sales, and participants usually must pay a fee to join.
  • Promises of quick money: Fast, high returns are often promised, but these returns are usually funded by new recruits rather than actual business activities.
  • Passive income promises: Many pyramid schemes offer returns without requiring any real work. In reality, this income typically comes from fees paid by new recruits.
  • Lack of financial transparency: Pyramid schemes rarely provide audited financial statements, making it difficult to understand where the money is coming from.
  • Confusing payment structures: If you can’t clearly understand how profits are generated or how the commission structure works, it’s likely a scam.

Summary

While Ponzi and pyramid schemes differ in their structure, both prey on the trust of investors by promising unrealistic returns. To protect yourself, always scrutinize potential investment opportunities and look for signs of fraud.

Unmasking the Broker Scam

We are presenting our latest investigation into a scam currently prevalent in Slovenia. In this scheme, scammers cold-call individuals, pose as (unlicensed!) brokers, offer help with investments on their platforms, and promise profits while guiding the victim through the process. Our findings show that this is clearly fraudulent activity.

We also had the opportunity to make direct contact with the scammers, which allowed us to gather valuable information. This insight will help people understand how the scam operates and why users should avoid such investment offers.

Caller ID spoofing

Caller ID spoofing involves altering the caller’s number displayed on the recipient’s phone. This is done by manipulating the signaling data in the call setup process, typically using VoIP systems or specialized software, to replace the true number with a fake one. This technique is often exploited for deceptive or fraudulent purposes.

During our interactions with them, we noticed that the scammers used a variety of phone numbers. Most of these were spoofed Slovenian numbers (041, 031, 040 …), but on a few occasions, they mistakenly called us from their VoIP numbers.

Dialling the spoofed Slovenian numbers would have reached either random individuals unaware of the scam or numbers that simply do not exist, as the operator confirmed.

Here are some numbers that we gathered during our investigation:

+38520770300, +38520790387, +38521770706, +385911548253, +385913655973, +385998135624

An HLR lookup on these numbers revealed that they are VoIP numbers. Further digging indicated that the scammers rented these services from Belgacom International Carrier Services.

Domain Collection

Here is the visual graph displaying the list of scam domains associated with this type of scam that we analyzed.

Here is the visual graph displaying the list of scam trading platforms associated with this type of scam.

With so many domains linked to these scams, we won’t focus on just one case. Instead, we’ll use multiple sources to show how this scam works. It’s important to keep all of this in mind because there are several warning signs that you should be aware of.

At first glance, many of these websites seem convincing (using professional designs), but they’re hiding crucial details from potential victims. Most of them don’t provide proper company information – usually just an email and sometimes a phone number. What’s even more concerning is that some sites do list a company name and address, but those often turn out to be fake, with the addresses belonging to completely different businesses.

Fake Company details

This website is using an address that belongs to a different company, and no business associated with the website is actually located there.

Sometimes, they deliberately choose addresses of legitimate companies offering similar services, like financial advisory, to confuse users. This tactic makes it seem like the scam website is linked to a legitimate business.

Here is another case of a completely different company that is not associated with this scam website.

What we’ve found is that, in most cases, there isn’t enough information about the company behind the website. Typically, you’ll only find an email address, which is a significant red flag and something you should be aware of.

Trading Under Risk

Scam websites often use generic terms like “the Company” in their terms and conditions to create an illusion of legitimacy, deliberately avoiding the disclosure of specific, verifiable information to obscure their true identity and evade accountability.

One feature found on every illicit trading portal is risky terms. By that we mean the abnormally high leverage, which reaches a ratio of 1:400 on their platforms.

To make the deal even more attractive, the scammers claim there is no trading commission, describe spreads only as “tight”, and state that there are no other fees.

Since commissions and spreads are the main source of income for every brokerage, a firm that charges nothing for any of its services cannot exist; these statements are pure fabrications.

Here is another red flag:

4.2. The Company has no responsibility for any acts or omissions of any third party to whom it will pass money received from the Client.

Here is another red flag condition:

13.7. The bonus and profits can only be withdrawn once the minimum trading requirements outlined above have been met. By accepting the deposit bonus, the Clients may NOT withdraw the trading profit funds at any time and nor the bonus funds they received until minimum trading requirements have been met. The Client may also withdraw the funds they deposited at any time, but not the trading profit funds and bonus until minimum trading requirements have been met.

This clause is a red flag because it blocks the withdrawal of anything beyond the initial deposit, including trading profits, until onerous trading requirements are met. Scammers use such conditions to trap clients’ funds and discourage them from withdrawing at all.

These are just a few examples of the extremely risky terms and conditions found on a scammer’s website.

Check Social Media Accounts, Google Results, and User Reviews

Always verify if the website appears in Google search results, as many of these domains are often hidden from search engines. Additionally, be sure to review user feedback, but remember that some reviews might be fake. We’ve also discovered that scammers sometimes use social media accounts from other companies, or they create their own accounts with very few or no followers.

We recommend using our Domain Inspector tool Xprotect, a tool specifically designed to analyze domains for any suspicious activity.

Shady Background Companies

Some victims shared information about where the stolen funds were sent (Bank Accounts), and with that given information we collected details on companies linked to this scam. These companies were registered in various countries, including Lithuania, Poland, the Czech Republic, and England.

The first company involved in receiving multiple transactions from victims is Linerum OÜ (16456305), owned by Elena Siampouri, who is registered as a management board member.

Gilberus s.r.o. (17275644) is a company registered in Prague, Czech Republic; its owner is Maksimas Žuravliovas.

Junik (5242966861), registered in Warsaw, Poland, is owned by Leszek Bernat.

Barelon LTD (13870000), registered in London, England, is owned by Diego Lina.

All these companies were involved in receiving stolen funds from victims. However, it is unclear whether the scammers used these companies as money mules or if they were registered using stolen identities. The connection to these companies is based on victim reports indicating that money was sent to them. Further investigation is needed to determine the exact nature of their involvement.

Increase your level of critical thinking online, especially when it comes to investing money and similar activities.

How to Identify a Broker Scam

  • Check if the Broker is Registered: verify the firm and its advisers in your regulator’s public register (in the US, FINRA’s BrokerCheck), which shows whether they are licensed and which types of securities they are authorized to handle.
  • Overly Friendly Communication: Scammers may be unusually kind or accommodating in their interactions to gain your trust.
  • Caller ID Spoofing: They might use different phone numbers, often employing caller ID spoofing through VoIP technology to mask their true identity.
  • Lack of Company Information: Scammers typically avoid providing detailed information about their company, raising red flags.
  • Fake Company Details: Even if you find a company address or other details, they might have stolen these from legitimate businesses. Sometimes, a Google Maps search will reveal that the address belongs to another, unrelated company.
  • Unlisted or Suspicious Websites: Their website might not appear on Google searches, and they may use multiple, non-verified domains to operate.
  • Social Media Presence: Check their social media links, as a lack of legitimate, active accounts can be a warning sign.
  • Suspicious Free Services: Offering free services or advice can be a tactic to lure victims, signaling something might be amiss.
  • Poor Contact Information: Sparse or unprofessional contact details, even if they provide more than just an email, should raise concerns about the legitimacy of the business.
  • Fake Reviews: Be cautious when checking online reviews, as scammers often create fake positive reviews to make their operation appear legitimate.
  • Review Terms and Conditions: Always read the terms and conditions of service carefully. Scammers often omit company details and include suspicious clauses that put users at high risk.

All the information gathered in this investigation was collected ethically. This research was not sponsored by any third parties, and our goal is to protect as many users as possible.

Stay safe!

What is Zero Trust Security

Zero Trust Security is an approach to cybersecurity that challenges the traditional notion of trust within a network. It operates on the principle of “never trust, always verify.” In a Zero Trust model, no user or device earns automatic trust, regardless of location, inside or outside the network perimeter.

Why You Should Adopt Zero Trust Security 

As cyber threats evolve, traditional security measures are losing their effectiveness. The rise of cloud services, mobile devices, and remote work has made the traditional network perimeter porous. Enter Zero Trust Security: a solution that tightens access controls and monitoring at every level of your network, reducing vulnerabilities and making it harder for attackers to move around undetected. Here’s why adopting Zero Trust Security is crucial for your business.

The Main Principles of Zero Trust Security

Zero Trust Security operates on several key principles that collectively create a robust cybersecurity framework:

Principle 1: Verify Every User and Device 

Gone are the days of blind trust based solely on network location. Every user and device must be verified before it accesses a resource: strong, preferably phishing-resistant multi-factor authentication for the user, and a check that the device is enrolled, patched and compliant with policy.

Principle 2: Least Privilege Access 

Grant users and devices access only to what they need to perform their roles. This helps contain potential breaches by restricting lateral movement within your network.

Principle 3: Assume Breach 

Adopt a proactive mindset that assumes breaches are either happening or imminent. Develop robust incident response strategies to swiftly detect, contain, and mitigate threats.

Principle 4: Microsegmentation 

Segment your network into smaller zones with specific security controls. This limits the impact of breaches and minimizes the attack surface.

Principle 5: Continuous Monitoring 

Constantly monitor network traffic, user behavior, and system anomalies to detect and respond to threats in real time.

Principle 6: Assume Everything is Vulnerable 

Rather than fearing vulnerabilities, anticipate them and implement strategies to mitigate risks. This includes regular patching, penetration testing, and secure coding practices.

Principle 7: Apply Security Controls Adaptively 

Adjust your security measures based on real-time threat assessments. Utilize predictive analytics and dynamic access controls to stay ahead of evolving threats.

Principle 8: Comprehensive Backup and Recovery

Implement robust backup and recovery procedures to ensure the resilience of your data and systems. Regularly back up critical data and configurations, storing them securely offsite or in a separate network segment. Test your backup and recovery processes regularly to ensure they are effective in restoring operations in the event of a breach or system failure.

3-2-1-1-0 Golden Backup Rule: keep 3 copies of your data, on 2 different media, with 1 copy offsite, 1 copy offline or immutable (so ransomware cannot reach it), and 0 errors after verifying that the backups actually restore.
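As an added example that is not part of the original article, here is a default-deny access policy in Python that applies principles 1, 2, 5 and 7 to a single request: the network the request comes from is logged but never grants access, the role must explicitly list the resource, and the maximum session age shrinks as the sensitivity of the resource grows. The users, roles, resources and time limits are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed example data: the resources, roles and limits are hypothetical.
SENSITIVITY = {"public-wiki": 1, "crm": 2, "payroll-db": 3}      # 1 = low, 3 = high
ROLE_ACCESS = {                                                  # least privilege: explicit allow list per role
    "sales": {"public-wiki", "crm"},
    "finance": {"public-wiki", "payroll-db"},
}
MAX_SESSION_AGE = {1: 24 * 3600, 2: 8 * 3600, 3: 15 * 60}      # seconds before re-verification, per tier


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    session_age_sec: int
    network: str  # "corp", "vpn" or "internet": logged, but never a reason to trust


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Default deny: the request is allowed only if no rule objects.

    Every objection is collected so the log explains exactly why a request
    was refused, which is what the SOC needs for Principle 5 (monitoring).
    """
    reasons = []
    tier = SENSITIVITY.get(req.resource)
    if tier is None:
        return Decision(False, ["unknown resource"])
    # Principle 2: least privilege, the role must explicitly list the resource.
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        reasons.append(f"role {req.role!r} is not authorized for {req.resource!r}")
    # Principle 1: verify the user and the device, regardless of req.network.
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if not req.device_managed:
        reasons.append("device not enrolled")
    if tier >= 2 and not req.device_patched:
        reasons.append("device missing patches")
    # Principles 5 and 7: re-verify continuously, more often for sensitive data.
    if req.session_age_sec > MAX_SESSION_AGE[tier]:
        reasons.append(f"session older than {MAX_SESSION_AGE[tier]}s; re-authenticate")
    return Decision(allow=not reasons, reasons=reasons)


def audit_line(req: Request, decision: Decision) -> str:
    """One log line per decision, including the network so analysts can spot anomalies."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return (f"{verdict} user={req.user} role={req.role} resource={req.resource} "
            f"net={req.network} reasons={'; '.join(decision.reasons) or '-'}")


if __name__ == "__main__":
    for r in (
        Request("alice", "sales", "crm", True, True, True, 60, "internet"),
        Request("bob", "sales", "crm", False, True, True, 60, "corp"),
        Request("carol", "finance", "payroll-db", True, True, True, 1200, "vpn"),
    ):
        print(audit_line(r, evaluate(r)))
```

Running it shows alice allowed from the open internet because every check passes, bob denied from inside the corporate network because MFA is missing, and carol denied for a 20-minute-old session on the most sensitive tier: location buys nothing, verification does.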

Implementing Zero Trust Security

To successfully implement Zero Trust Security, follow these steps:

Assess Your Current Security Posture 

Conduct a thorough security audit to identify vulnerabilities and entry points for attackers.

Design a Zero Trust Security Framework 

Plan and map out network segments, access controls, and monitoring strategies. Invest in the right security technologies to bolster your defenses.

Establish Policies and Procedures

Write down who may access which resource, under what conditions (identity, device health, location, time) and how exceptions are handled. Then keep a close eye on network activity, respond swiftly to emerging threats, and adapt your security controls as needed to stay ahead of attackers.

Zero Trust Security: A Step Closer to Zero Cyber Attack

In an era where every new digital dependency is also a potential vulnerability, adopting Zero Trust Security is no longer a luxury but a necessity. The eight principles above combine to build a defense in which no single compromised credential, device or network segment gives an attacker free rein. The imperative is clear: make cybersecurity a priority, advocate for Zero Trust Security, and foster a vigilant culture.

What is Critical Thinking?

In the field of security awareness and associated training, the term “critical thinking” is thrown about as an effective defense against social engineering attacks. So, what is critical thinking? And how can it be applied in day-to-day activities to make a user or an entire user-base more secure?

According to the Foundation for Critical Thinking, a “well-cultivated critical thinker” gathers and assesses relevant information and comes to well-reasoned conclusions and solutions. One also thinks open-mindedly within alternative systems of thought, while recognizing and assessing their assumptions, implications, and practical consequences. 

Let’s break that down a bit. “Gathers and assesses relevant information,” is a very important piece. These days we are overwhelmed with the amount of information we have access to. So, it is vitally important to be able to see through that fog and focus on what is relevant for a given situation.  

“Comes to well-reasoned conclusions and solutions,” is a bit more subjective and changes given different circumstances. From a social engineering defense perspective, this often relates to using stated policies and procedures as your guidepost to a well-reasoned solution. If the attacker is asking for information that is proprietary or confidential in nature, then the policies stated by your company should clearly state what to do in that situation. 

That last bit, “recognizing and assessing their assumptions, implications, and practical consequences,” is where it all comes together in the mind of a critical thinker. What is going to happen if I give this attacker the information they are asking for or act as requested? The consequence of that action could range from minor to devastating to an individual or company. That needs to be addressed before the action is taken, or at a minimum, if a link was clicked or information was disclosed, it needs to be recognized that a mistake was made and then the individual should report the activity to the appropriate security contact(s).

How do we improve our critical thinking skills?

The primary obstacle to critical thinking is emotion. This is a tactic all social engineers use to subvert the training the user may have received and get them to act even though it may not be in their best interest.  

The most common emotional triggers used by attackers are fear, trust, curiosity, and greed. These can be used together or independently to flood the target with enough emotion that critical thinking is no longer possible. That surge of emotion can itself be the cue that critical thinking is needed in that situation.

When you receive an email or a phone call and, for whatever reason, you start to feel overly emotional about the content or message being presented, that is when you should step back and re-evaluate the situation. Nothing, short of a direct life or death moment, will be adversely affected by an extra minute or two of analysis. That short period of time could be enough for your intellectual mind to see the flaw, danger, or consequence that your emotional mind looked right past. 

The ability to effectively think critically really comes down to practice and insight into your own mental state. All of this can be taught as part of a security awareness program, and it will have far-reaching impacts on the daily lives of those that practice it, both personally and professionally as a defense against social engineering attacks.  

Take notice if you are emotional in a situation, evaluate the request that is being made, and understand the consequences of taking that action. Be a critical thinker by applying these simple strategies. Well, simple to say but it takes practice to master. 

Sources:
https://www.criticalthinking.org/pages/defining-critical-thinking/766
https://techgenix.com/social-engineering-attacks/