The world of ICOs is not very safe. Hackers and scammers are commonplace and news stories of millions of dollars of untraceable cryptocurrency being stolen have become almost expected. Even many ICOs themselves have proven to be nothing more than money-making schemes. Though our ICO has been evidenced as quite transparent and ethical, this doesn't prevent external bad actors from stealing from people trying to participate in our ICO. In this article we'll discuss the techniques used by scammers, and the ways we can notice, avoid, and protect ourselves from those techniques.
Background: social engineering
A good thing to keep in mind when considering your security online is social engineering. When we picture hacking, most of us think of geeks typing blindingly fast in order to break into computer systems and steal data or money. But in most cases the weakest link in these computer systems is actually the humans that use the systems.
The most effective breaches of security are carried out by misleading a person into giving away information that otherwise wouldn’t be accessible to an outsider. This is called social engineering.
Phishing is when malicious parties attempt to obtain passwords or other private information by pretending to be a trusted entity.
For example, imagine you receive an email from firstname.lastname@example.org which says you need to reset your password for security reasons, and includes a link for you to do so. Imagine you click the link and enter your password. Now, whoever set up that fake email pretending to be Holo (note the zero in place of the o) has your password and can do whatever they want with your account. This is phishing.
Here are some ways attackers may try to steal your personal data or money using phishing, and how to avoid falling for the bait.
Attackers may send emails pretending to be from Holo and requesting you share personal information, send ETH, or click links.
Whenever you receive and email from Holo, check what address it’s being sent from. Messages from Holo will always be sent from an address ending in holo.host. If you receive a message that claims to be from Holo, but is from a different address, DO NOT TRUST IT.
Also, attackers could also send a spoofed email to you that looks just like it came from Holo. Holo will NEVER ask for sensitive information in an email! If you receive an email asking for personal information like your password your financial details, or asking you to send ETH to an address, it is not from us!
NEVER share private information in response to an email no matter who it looks like it's from. Only share information with Holo at one of our domains using a secure connection. You should see a green lock in your address bar.
Contact Holo support if you have any doubt about the validity of a message you receive.
Phishing in community chatroom (Mattermost)
Phishing might also happen in the Holo/Holochain public chatroom. Attackers might pose as admins or team members and give out false information in order to steal money or information. Check this list of certified Holo team members and their Mattermost usernames before trusting communications on Mattermost.
Make sure the username is exactly the same as in the list, character for character. Attackers may try to mislead you by slightly changing the spelling of a username or adding punctuation. There are no official Holo team accounts with admin or holo in them.
If you spot a Mattermost user attempting to impersonate a Holo team member or admin, ALERT A TRUSTED TEAM MEMBER or EMAIL HOLO SUPPORT!
Other possible scams
Another way attackers may attempt to steal your ETH is through the use of fake sites that claim to be the Holo ICO. Don’t let fake sites or other scam information fool you.
A very common way that funds are stolen from potential ICO participants is through a fake presale page. There is no presale of HoloTokens (HOT). If you are contacted about a pre-ICO or presale of HoloTokens, DO NOT SEND ETH.
Fake ICO site
Our ICO site displays the progress and stats of the ICO, and allows you to view the ICO’s Ethereum address and participate by sending ETH. Attackers may create fake versions of this site to get you to send ETH to them instead of Holo. The ICO site is always and only found at the following URL: https://ico.holo.host
If you find a site claiming to be the Holo ICO at a different URL, DO NOT INTERACT WITH IT! Let the Holo team know about the site so we can take appropriate action.
Fake ETH address
Another tactic attackers might use to steal your ETH is to display a fake ETH addresses and try to get you to send ETH to it instead of to the correct Holo ICO smart contract address.
The only places our ICO’s Ethereum address will be displayed are the following:
The ICO site
Our ENS (Ethereum Name Service) name: ico.holo-host.eth
A video embedded in the ICO site in which a recognizable Holo team member reads out the last six digits of the address.
Addresses displayed in other places should not be trusted.
The safest way to send ETH to our ICO smart contract is to visit the ICO site using MetaMask and utilize our dApp on that page to generate a transaction. As long as you’re on the correct ICO site, using this method negates the risk of a typo or a fake address compromising your funds.
Learn how to do this in our guide Participating in the Holo ICO – Part 2: Purchasing HoloTokens. However, if you must send ETH to our contract address manually, visit the ICO site and carefully read and follow the instructions labeled IMPORTANT SECURITY INFORMATION under the Ethereum address.
Fake social media pages
Attackers may also try to trick you using fake social media accounts that pretend to be Holo. All of our official social media accounts that may post about Holo’s ICO are listed:
The Metacurrency Project, Ceptr, and Holochain are also related to Holo and may post Holo-related content.
If you have any doubt about a social media page you’ve encountered being legitimate, email our support team at email@example.com.
Personal security is as important as anything. ETH is real money with real value and should be treated as such. Your private keys and account passwords should be kept secret with the same care that you would keep secret the code to your bank account, for example.
Using hardware wallets like the Ledger Nano S to keep your cryptocurrency secure is recommended. Hardware wallets make sure that the private keys to your accounts never need be entered into a computer where they could be stolen. For more information on setting up secure cryptocurrency wallets, see our guide “Setting Up an Ethereum Wallet”.
Strong passwords are very important. Weak, unoriginal, or common passwords can be cracked using brute force in mere milliseconds. Please use strong, unique passwords for your Mattermost (chat.holochain.org) and ICO verification (verify.holo.host) accounts, along with all your crypto wallets.
But remember, however strong your personal security you are still vulnerable to scams that involve tricking you to voluntarily send money or information to attackers.
The unfortunate truth is by even showing interest in the Holo ICO, you have become a target for malicious scammers and hackers. But, it’s not too hard to defend yourself from these attacks. Think twice before sending ETH, and when giving out important information like passwords. Check the URLs and addresses of sites you visit and emails you receive to make sure they’re real. And most importantly, make yourself heard if you have any concerns or questions. We’re always here to help, and we won’t mind your taking a few moments of our time to check the security of something—in fact, we appreciate it!
Ways to securely reach the Holo team: