Search This Blog

Powered by Blogger.

Blog Archive

Labels

How Threat Actors are Using IPFS for Email Phishing

The objective of phishing letters with IPFS links is often to gain the victim's account username and password.


InterPlanetary File System (IPFS) is a peer-to-peer distributed file system, that allows users around the world to exchange files. Instead of using file paths for addressing like centralized systems do, IPFS uses unique content identifiers (CID). The file itself stays on the user’s computer which had “uploaded” it to IPFS and downloaded directly from the computer. By default, a special software is needed to upload or download a file to IPFS (IPFS client). The so-called gateways are offered so users can browse the files stored in IPFS freely without installing any software. 

In 2022, threat actors conducted malicious activity by using IPFS for email phishing campaigns. They upload HTML files containing phishing forms to IPFS and use gateways as proxies so that users can access the files whether or not an IPFS client is installed on their devices. In addition, the scammers included file access links through a gateway into phishing messages forwarded to targeted victims. 

A distributed file system is used by attackers to reduce the cost of hosting phishing pages. Moreover, IPFS makes it impossible to erase files that have been uploaded by third parties. One can request that a file's owner delete it if they want it to totally disappear from the system, but cybercriminals will almost certainly never comply. 

IPFS gateway providers manage to tackle IPFS phishing attacks by consistently deleting links to fraudulent or suspicious files. 

Still, the detection or deletion of links at the gateway level do not always happen as quickly as blocking phishing emails, cloud files, or document. The URL addresses initially came to light in October 2022. As of right now, the campaign is still ongoing. 

The objective of phishing letters with IPFS links is often to gain the victim's account username and password, the reason why they barely contain very creative content. What is interesting about this tactic is where the HTML page links go. 

The recipient's email address is contained in the URL parameter. The email address given in the login box and the corporate logo at the top of the phishing form will both change, once modified. This way, one link can be utilized in a number of phishing campaigns targeting a variety of users. 

In late 2022, Kaspersky discovered two – 15,000 IPFS phishing letters a day for most of the time. This year, IPFS campaigns have begun to escalate, reaching more than 24,000 letters a day in January and February. February became the busiest month in terms of IPFS phishing activities, where researchers discovered a whooping 400,000 letters, a 100,000 increase from November and December 2022. 

In regards to this, Roman Dedenok, a security expert at Kaspersky commented “Attackers have and will continue to use cutting-edge technologies to reap profits. As of late, we have observes an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although, there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.”  

Share it:

Cyber Attacks

Email Phishing

InterPlanetary File Syste

IPFS

Kaspersky

Phishing Attacks

Phishing Campaigns