Since the beginning of 2022, things have not gone in favour of cryptocurrencies. From major cryptocurrencies like Bitcoin and Terra to memecoins like Shiba Inu, every single cryptocurrency is suffering. But while things are going badly for various crypto projects, the metaverse is becoming the centre of attraction. Seeing the massive interest in the metaverse, cybercriminals have started to target users with phishing attacks crafted around various metaverse platforms. According to the Q4 2021 brand phishing report by Check Point Research, metaverse platform Roblox was the 8th most imitated brand for phishing attacks during the quarter. Though Roblox accounted for only 3% of all brand phishing attacks, it's the first time brand phishing around a metaverse platform has made it to the top ten. This article looks at how, after the failure of cryptocurrencies, phishing attacks are pivoting towards the metaverse.
“In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face – literally – like an avatar who impersonates your co-worker, instead of a misleading domain name or email address. These types of threats could be deal-breakers for enterprises if we don’t act now.”
Brand Phishing Attacks
Brand phishing attacks have been quite effective as targets are more likely to click on them to get more information. The metaverse broadly refers to the idea of a virtual platform that can be accessed through different devices and where people can move through digital environments.
Given the huge interest in the metaverse in India, brand phishing attacks around it can be expected to grow further. According to the November 2021 report by DappRadar, more than half a million users in India have shown interest in metaverse projects and NFTs, the third-highest in the world after the US and Indonesia.
In brand phishing attacks, threat actors send carefully crafted fake emails that appear to have come from the brand itself or one of its partners. The objective is to convince users that the email is genuine and then trick them into clicking on malicious links or attachments. The ultimate goal is to get into their accounts and systems and steal personal information or banking credentials.
Bored Ape Yacht Club Phishing Attack
The scammers behind the phishing attack pretended that users would get access to the most significant NFT avatar, Bored Ape Yacht Club, by clicking on the provided link. To make it look real, the pop-ups featured an ape skull logo alongside the now-defunct domain, nftapes.win. Per the WHOIS lookup, the domain from which the phishing attacks originated was registered on Friday, around 3:00 PM ET.
The ad required users to connect their MetaMask wallets to use it on the site. Web 3.0 technology allows MetaMask wallets to authorize access to websites via smartphones and browser extensions. Because the fraudsters managed to place dodgy advertising scripts on reputable sites that have a trusted relationship with their audiences, many users fell into the trap and provided access to their wallets.
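A defender-side triage for the pattern described above (a brand-lookalike domain registered shortly before it appears in ad traffic), given as an added example that is not part of the original article. The brand tokens, the official-domain allowlist, the 30-day window and every timestamp are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumptions for this example, not taken from the article: the brand tokens,
# the allowlist of domains treated as official, and the 30-day window.
BRAND_TOKENS = ("ape", "bayc", "metamask", "roblox")
OFFICIAL_DOMAINS = {"roblox.com", "metamask.io"}
NEW_DOMAIN_WINDOW = timedelta(days=30)


def registrable_domain(url):
    """Last two labels of the host (naive: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def triage(url, created, seen):
    """Return (suspect, reasons) for one ad/pop-up destination URL."""
    domain = registrable_domain(url)
    if domain in OFFICIAL_DOMAINS:
        return False, []
    reasons = []
    hits = [t for t in BRAND_TOKENS if t in domain.split(".")[0]]
    if hits:
        reasons.append("brand token %s in unofficial domain %s" % (hits, domain))
    age = seen - created
    if timedelta(0) <= age <= NEW_DOMAIN_WINDOW:
        reasons.append("registered %d day(s) before first sighting" % age.days)
    # A substring match alone is noisy ("ape" is in "newspaper"), so a URL is
    # only escalated when the lookalike name AND the young domain coincide.
    return len(reasons) == 2, reasons


# Constructed sample: destinations seen in ad traffic, with constructed
# registration timestamps standing in for WHOIS/RDAP creation dates.
UTC = timezone.utc
SEEN = datetime(2022, 1, 10, 12, 0, tzinfo=UTC)
SAMPLE = [
    ("https://nftapes.win/connect", datetime(2022, 1, 7, 20, 0, tzinfo=UTC)),
    ("https://www.roblox.com/login", datetime(2004, 1, 1, tzinfo=UTC)),
    ("https://newspaper.example/ads", datetime(2010, 5, 1, tzinfo=UTC)),
    ("https://shop.example/new", datetime(2022, 1, 9, tzinfo=UTC)),
]

if __name__ == "__main__":
    for url, created in SAMPLE:
        print(url, triage(url, created, SEEN))
```

Requiring both signals keeps long-established sites whose names merely contain a brand substring, and new domains with no brand resemblance, out of the escalation queue.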
In order to avoid unnecessary phishing attacks, it would be advisable to wait and reconsider joining the metaverse. A congressional investigation of metaverse security and privacy practices will force changes in response to the “inevitable breaches.”
But the truth is, social media managers, brand advocates, and early NFT speculators will probably ignore this advice as many of them cannot wait to jump into the metaverse. Those who want to join the metaverse right away should ensure that they have enabled multi-factor authentication on their accounts to prevent the easiest type of account takeovers.
In the future, the metaverse could bring its own unique threats that take advantage of the anonymity afforded by the platform. Recently, the “deepfake,” one of the newest types of misinformation attacks that uses a form of artificial intelligence called deep learning to make images of fake events, was deployed during the war in Ukraine to perpetuate a false Ukrainian surrender. Hence, living in the metaverse won’t be as easy and fun as you thought because just like cryptocurrencies, this technology also comes with many risks including phishing attacks.