According to recent Kaspersky research, fraudulent use of the InterPlanetary File System (IPFS) appears to have surged recently. Since 2022, fraudsters have leveraged IPFS for email phishing attacks.
IPFS is a peer-to-peer network protocol that allows for the creation of a decentralized and distributed web. Unlike standard web protocols, which rely on centralized servers, IPFS allows users to share and access files without the need for a centralized authority.
IPFS identifies files based on their content, not their location.
Each file is assigned a unique cryptographic hash called a CID (content identifier), which can be used to get the file from any network node that has a copy. This makes it simple to distribute and access content even when the original source is unavailable.
IPFS is also a content-addressed system, which means that any modifications to a file generate a new hash. This keeps files immutable and tamper-proof.
IPFS content can be accessed via a specialized application programming interface or via gateways, which are reachable from any web browser. The URL used to reach a gateway contains the CID and the gateway name, though the format may differ from one gateway to the next. For instance, it may be:
- https://gateway/ipfs/CID
- https://CID.ipfs.gateway
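The two gateway URL forms above can be recognized in mail-filtering code. The following added example (not from Kaspersky's research or the original article) extracts the CID from either form so that a link can be matched on its content identifier rather than on the gateway name. The gateway hostnames, sample CIDs and the `blocked_cids` set are constructed placeholders, and only the common CIDv0 and base32 CIDv1 text encodings are recognized.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is base58btc ("Qm" + 44 chars); CIDv1 is matched in base32 ("b" prefix).
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"b[a-z2-7]{58,}"
PATH_RE = re.compile(rf"^/ipfs/({CID_V0}|{CID_V1})(?:/|$)")
HOST_RE = re.compile(rf"^({CID_V1})\.ipfs\.(.+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_ipfs_cid(url):
    """Return (cid, gateway_host, form) for a gateway URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname  # urlsplit lower-cases the hostname
    m = HOST_RE.match(host)
    if m:  # https://CID.ipfs.gateway
        return m.group(1), m.group(2), "subdomain"
    m = PATH_RE.match(parts.path)
    if m:  # https://gateway/ipfs/CID
        return m.group(1), host, "path"
    return None

def scan_message(body, blocked_cids=frozenset()):
    """List IPFS gateway links in a message body, flagging known-bad CIDs."""
    findings = []
    for url in URL_RE.findall(body):
        hit = extract_ipfs_cid(url.rstrip(".,)"))
        if hit:
            cid, gateway, form = hit
            findings.append({"cid": cid, "gateway": gateway, "form": form,
                             "blocked": cid in blocked_cids})
    return findings

# Constructed sample data: placeholder CIDs and gateway names, not real indicators.
SAMPLE_V0 = "Qm" + "a" * 44
SAMPLE_V1 = "bafy" + "a" * 55
SAMPLE_BODY = (
    f"Your mailbox is full: https://gateway-one.example/ipfs/{SAMPLE_V0}/login.html\n"
    f"Alternate link https://{SAMPLE_V1}.ipfs.gateway-two.example/#user@corp.example.\n"
    "Unrelated: https://www.example.com/ipfs-overview\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE_BODY, blocked_cids={SAMPLE_V0}))
```

Because the CID is the same whichever gateway serves the file, a blocklist keyed on the extracted CID keeps matching when the same page is linked through a different gateway.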
In a typical phishing attack, the target is lured to a fraudulent page that steals their passwords and possibly their credit card information. Such a page can be hosted on IPFS and accessed through a gateway.
This approach allows attackers to minimize the expense of hosting the phishing page while also making the fraudulent content more difficult to remove from the internet, because it may be present on multiple machines at the same time.
If a user clicks on a phishing link and provides their credentials, it is critical that the user reset their password as soon as possible and investigate whether there has been any fraudulent activity with that account. According to Kaspersky, most IPFS phishing attacks are similar to traditional phishing; however, in certain circumstances, IPFS is used for intricate targeted attacks.
Removing phishing pages hosted on IPFS is more difficult. Typical phishing pages can be removed by requesting that the web content provider or owner delete them. Depending on the host, that operation can take a long time, especially if the page is hosted on bulletproof providers, which are illegal hosting providers who assure their customers they do not respond to law enforcement requests and do not remove information.
IPFS content takedown operations differ in that the content must be removed from all nodes. IPFS gateway providers try to counteract fraudulent pages by deleting links to those files on a regular basis, although this may not always happen as quickly as blocking a phishing website. On March 27, 2023, Kaspersky researcher Roman Dedenok wrote that the company has "observed URL addresses of IPFS files that first appeared in October 2022 and remain operational at the time of this writing."
There were 2,000-15,000 IPFS phishing emails per day as of late 2022. In 2023, IPFS phishing began to grow in Kaspersky's volume statistics, with up to 24,000 emails per day in January and February; however, the levels soon returned to the same values as in December 2022. According to monthly statistics, February was a busy month with about 400,000 phishing emails, while November and December saw roughly 228,000 and 283,000, respectively.
How to Avoid the IPFS Phishing Threat
Anti-spam systems, such as Microsoft Exchange Online Protection or Barracuda Email Security Gateway, will assist in detecting IPFS phishing and blocking links to it, just as they would in any other phishing situation.
Users should be taught about phishing emails and any other type of phishing link that may be sent to them via channels such as instant messaging and social networks. To prevent unauthorized access, use multifactor authentication. Even if attackers obtain login credentials through phishing, this will make it more difficult for them to gain access.