The World Wide Web is transitioning to Web 3.0 which is being driven by advancements in cryptocurrency, blockchain technology, decentralized applications, and decentralized file storage. A central component of this transition is the development of a 3-D experience known as the metaverse which is the next iteration of both social media and the Internet. The metaverse brings with it a whole host of unique challenges and security risks along with new takes on old strategies.
Cisco Talos, one of the world’s largest private threat intelligence teams with unparalleled insight into the threat landscape, recently looked at the pervasiveness of threats and scams in the metaverse. They identified new takes on old threats and entirely new scams and threats only found in the Metaverse.
“Recent security research by Cisco Talos has shown that the Metaverse landscape appears ripe for cybercriminals. Whether they are translating old threats in the new Metaverse space, leveraging time tested social engineering and phishing techniques of the past or beginning to craft new technical attacks to make money in new ways the cybercriminal game is growing,” said Fady Younes, Cybersecurity Director – Cisco Middle East and Africa.
The growing popularity of digital currency has resulted in greater use of Ethereum Name Service (ENS) domains. ENS domains are an easy to remember name used to find the associated cryptocurrency wallet address. This has led to popular domain names being trademarked and resold by third parties. As a result, nothing prevents the owner of an ENS domain from using that name to trick unsuspecting users into believing that they are dealing with a legitimate organisation. In addition, these ENS domains point to wallet addresses, so any person can inspect the contents of the wallet associated with the name at any time.
Adapting to a new technology often comes with the threat of social engineering and Web 3.0 is no exception. The vast majority of security incidents affecting Web 3.0 users stem from social engineering attacks such as cloning wallets. Users should be careful not to be tricked to share their “seed phrase”. In the event that a cryptocurrency wallet is lost or destroyed, a user can recover their wallet, and all of its contents, using a 12 to 24 word “seed phrase” which is essentially, their private key. Anyone with knowledge of the seed phrase (private key) can clone a cryptocurrency wallet and use it as their own. Thus, many cybercriminals who are seeking to steal cryptocurrency or NFTs (non-fungible tokens) target a user’s seed phrase.
Beware of fake customer support agents
Another method attackers use to separate users from their seed phrase is to pose as a customer support agent offering responding to publicly posted Twitter or Discord server requests from users. Criminals monitor these channels and will contact users to offer “help” – ultimately bringing them to share their seed phrases.
Whales are high profile cryptocurrency accounts that hold a large amount of crypto currency or NFTs. Some estimates report that 40,000 whales own 80% of all NFT value and as such are an attractive target for cyber security criminals. Scammers know that many smaller investors watch these whales’ wallets and will therefore socially engineer them into investing in their own fake projects. Most legitimate NFT projects freely publish their source code for their smart contract. The fact that this project’s code has not been published should be a red flag for potential investors.
Malicious smart contracts
While some attackers focus on exploiting bugs in legitimate smart contracts, other attackers take a different approach, and write their own malware which is placed onto the blockchain in the form of malicious smart contract code.. Malicious smart contracts have all the standard smart contract functions but behave in unexpected ways.