
IPFS Phishing Attacks: How Cybercriminals Exploit Decentralized File Storage


IPFS Phishing Attacks are becoming increasingly common as more users adopt the InterPlanetary File System (IPFS) technology to store and share files. This decentralized file storage system is designed to provide users with more control over their data and protect them from censorship, but it can also be exploited by cybercriminals to conduct phishing attacks.

How do IPFS Phishing Attacks Work?

Phishing attacks involve tricking users into providing sensitive information such as login credentials or financial data by posing as a trustworthy entity. IPFS phishing attacks work in a similar way, with cybercriminals creating fake IPFS gateways to steal user data.

Here’s how it works: when users want to access files stored on the IPFS network, they typically use a gateway to retrieve them. These gateways act as intermediaries between the user and the IPFS network, serving as a proxy for the user's requests. Unfortunately, cybercriminals can create fake gateways that look just like the real ones, tricking users into sending their requests to the malicious gateway.

Once a user sends a request to a fake gateway, the attacker can intercept the request and replace the legitimate file with a fake one that contains malicious code. The user is then prompted to enter their login credentials or other sensitive information, which the attacker can steal.

How to Stay Safe from IPFS Phishing Attacks

To avoid falling victim to IPFS phishing attacks, there are several best practices to follow:

1. Always check the URL of the IPFS gateway before entering any sensitive information. Be wary of URLs that look suspicious or slightly different from the real gateway.

2. Use a trusted IPFS gateway. Check the list of recommended gateways from IPFS or use a gateway recommended by a reputable source.

3. Be cautious when accessing files from unknown sources. Verify the source of the files and check if they are known to be safe.

4. Enable two-factor authentication whenever possible. This adds an extra layer of security to your login process.

5. Keep your software and security tools up-to-date to prevent known vulnerabilities from being exploited.

IPFS phishing attacks are a growing threat that can be mitigated by following best practices for online security. By being vigilant and cautious when accessing files on the IPFS network, users can protect themselves from cybercriminals.


IPFS Network Technology is Being Used in More Phishing Attacks

 

According to fresh Kaspersky research, fraudulent use of the InterPlanetary File System appears to have surged recently. Since 2022, fraudsters have leveraged IPFS for email phishing attacks. IPFS is a peer-to-peer network protocol that allows for the creation of a decentralized and distributed web. Unlike standard web protocols, which rely on centralized servers, IPFS allows users to share and access files without the need for a centralized authority. IPFS identifies files based on their content, not their location.

Each file is assigned a unique cryptographic hash called CID; the content identifier can be used to get the file from any network node that has a copy. This makes it simple to distribute and access content even when the original source is unavailable.

IPFS is also a content-addressed system, which means that any modifications to a file generate a new hash. This keeps files immutable and tamper-proof.
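The content-addressing property described above, shown as an added example that is not part of the original post: it builds a CIDv1 for a single raw block and checks retrieved bytes against it. It assumes the sha2-256 hash, the `raw` codec and base32 encoding; files added with the default chunked layout get different CIDs, and the sample page is constructed.

```python
import base64
import hashlib
import hmac

# Version, multicodec "raw" and multihash "sha2-256" codes. Each is below
# 0x80, so its varint encoding is a single byte.
CIDV1, RAW, SHA2_256 = 0x01, 0x55, 0x12


def cid_for_raw_block(data: bytes) -> str:
    """Build the base32 CIDv1 of one raw block."""
    digest = hashlib.sha256(data).digest()
    binary = bytes([CIDV1, RAW, SHA2_256, len(digest)]) + digest
    b32 = base64.b32encode(binary).decode("ascii").lower().rstrip("=")
    return "b" + b32  # "b" is the multibase prefix for lowercase base32


def digest_from_cid(cid: str) -> bytes:
    """Decode a base32 CIDv1 and return the sha2-256 digest it commits to."""
    if not cid.startswith("b"):
        raise ValueError("only base32 CIDv1 is handled in this example")
    body = cid[1:].upper()
    body += "=" * (-len(body) % 8)  # restore the padding b32decode expects
    binary = base64.b32decode(body)
    if len(binary) != 36 or binary[:4] != bytes([CIDV1, RAW, SHA2_256, 32]):
        raise ValueError("not a CIDv1 / raw / sha2-256 identifier")
    return binary[4:]


def block_matches_cid(cid: str, data: bytes) -> bool:
    """True only if the retrieved bytes hash to the digest inside the CID."""
    return hmac.compare_digest(digest_from_cid(cid),
                               hashlib.sha256(data).digest())


# Constructed sample content, not taken from any real campaign.
PAGE = b"<html>constructed sample page</html>"
TAMPERED = PAGE + b" "

if __name__ == "__main__":
    cid = cid_for_raw_block(PAGE)
    print(cid)
    print(block_matches_cid(cid, PAGE), block_matches_cid(cid, TAMPERED))
```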

IPFS content can be accessed via a specialized application programming interface or via gateways, which are reachable from any web browser. The URL used to reach the gateway contains the CID and the gateway name; however, its form may differ from one gateway to the next. For instance, it may be:
  • https://gateway/ipfs/CID
  • https://CID.ipfs.gateway

In a typical phishing attack, the target is lured to a fake page that steals their passwords and possibly their credit card information; this fraudulent page can be hosted on IPFS and accessed through a gateway.

Hosting the page this way lets attackers minimize the expense of hosting the phishing page while also making it more difficult to remove the fraudulent content from the internet, because it may be present on multiple machines at the same time.

If a user clicks on a phishing link and provides their credentials, it is critical that the user reset their password as soon as possible and investigate whether there has been any fraudulent activity with that account. According to Kaspersky, most IPFS phishing attacks are similar to traditional phishing; in certain circumstances, however, IPFS is used for intricate targeted attacks.

The eradication of phishing pages from IPFS material is more difficult. Typical phishing pages can be removed by requesting that the web content provider or owner delete them. Depending on the host, that operation can take a long time, especially if it is hosted on bulletproof providers, which are illegal hosting providers who assure their customers they do not respond to law enforcement requests and do not remove information.

IPFS content takedown operations differ in that the content must be removed from all nodes. IPFS gateway providers try to counteract fraudulent pages by deleting links to those files on a regular basis, although this may not always happen as quickly as blocking a phishing website. On March 27, 2023, Kaspersky researcher Roman Dedenok wrote that the company has "observed URL addresses of IPFS files that first appeared in October 2022 and remain operational at the time of this writing."

There were 2,000-15,000 IPFS phishing emails per day as of late 2022. In 2023, IPFS phishing began to grow in Kaspersky's volumetry, with up to 24,000 emails per day in January and February; however, the levels soon returned to the same values as in December 2022. According to monthly statistics, February was a busy month with about 400,000 phishing emails, while November and December saw roughly 228,000 and 283,000, respectively.

How to Avoid the IPFS Phishing Threat

Anti-spam systems, such as Microsoft Exchange Online Protection or Barracuda Email Security Gateway, will assist in detecting IPFS phishing and blocking links to it, just as they would in any other phishing situation.

Users should be taught about phishing emails or any other type of phishing link that may be sent to them via various channels such as instant messaging and social networks. To prevent unauthorized access, use multifactor authentication. Even if attackers gained login credentials through phishing, this will make it more difficult for them to get access.

How Threat Actors are Using IPFS for Email Phishing


InterPlanetary File System (IPFS) is a peer-to-peer distributed file system that allows users around the world to exchange files. Instead of using file paths for addressing like centralized systems do, IPFS uses unique content identifiers (CIDs). The file itself stays on the computer of the user who “uploaded” it to IPFS and is downloaded directly from that computer. By default, special software (an IPFS client) is needed to upload or download a file to IPFS. So-called gateways are offered so that users can browse the files stored in IPFS freely without installing any software.

In 2022, threat actors conducted malicious activity by using IPFS for email phishing campaigns. They upload HTML files containing phishing forms to IPFS and use gateways as proxies so that users can access the files whether or not an IPFS client is installed on their devices. In addition, the scammers included file access links through a gateway into phishing messages forwarded to targeted victims. 

A distributed file system is used by attackers to reduce the cost of hosting phishing pages. Moreover, IPFS makes it impossible to erase files that have been uploaded by third parties. One can request that a file's owner delete it if they want it to totally disappear from the system, but cybercriminals will almost certainly never comply. 

IPFS gateway providers manage to tackle IPFS phishing attacks by consistently deleting links to fraudulent or suspicious files. 

Still, the detection or deletion of links at the gateway level does not always happen as quickly as the blocking of phishing emails, cloud files, or documents. The URL addresses initially came to light in October 2022. As of right now, the campaign is still ongoing.

The objective of phishing letters with IPFS links is usually to obtain the victim's account username and password, which is why they rarely contain very creative content. What is interesting about this tactic is where the HTML page links go.

The recipient's email address is contained in a URL parameter. When that parameter is modified, both the email address shown in the login box and the corporate logo at the top of the phishing form change. This way, one link can be used in a number of phishing campaigns targeting a variety of users.
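One way a mail filter could act on the two gateway URL forms described earlier and on the recipient address carried in the link, as an added example that is not from the original posts or from any Kaspersky product. The gateway name, CIDs and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"  # base58btc, case-sensitive
CID_V1 = r"b[a-z2-7]{58,}"               # lowercase base32, safe in hostnames
PATH_RE = re.compile(rf"^/ipfs/({CID_V0}|{CID_V1})(?:/|$)")
HOST_RE = re.compile(rf"^({CID_V1})\.ipfs\.(.+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[^@\s/?#&=]+@[^@\s/?#&=]+\.[A-Za-z]{2,}")


def classify(url, recipient=None):
    """Return a finding dict for an IPFS gateway URL, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    m = HOST_RE.match(host)
    if m:  # https://CID.ipfs.gateway
        style, cid, gateway = "subdomain", m.group(1), m.group(2)
    else:  # https://gateway/ipfs/CID
        m = PATH_RE.match(parts.path)
        if not m:
            return None
        style, cid, gateway = "path", m.group(1), host
    # Look for an address in the query string; the fragment is checked too
    # (an assumption: the page only says "URL parameter").
    hit = EMAIL_RE.search(unquote(parts.query + "#" + parts.fragment))
    email = hit.group(0).lower() if hit else None
    return {"style": style, "gateway": gateway, "cid": cid, "email": email,
            "targets_recipient": bool(email and recipient
                                      and email == recipient.lower())}


def scan(body, recipient=None):
    """Findings for every IPFS gateway URL in a message body."""
    found = (classify(u, recipient) for u in URL_RE.findall(body))
    return [f for f in found if f]


# Constructed sample: placeholder gateway and CIDs, not real indicators.
CID1 = "bafkrei" + "a" * 52
CID0 = "Qm" + "Z" * 44
SAMPLE = (
    f"Verify: https://{CID1}.ipfs.gateway.example/i.html?e=bob@corp.example\n"
    f"Mirror: https://gateway.example/ipfs/{CID0}/login.html\n"
    "Docs: https://example.org/docs/ipfs/intro\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE, recipient="bob@corp.example"):
        print(finding)
```

A link whose embedded address equals the envelope recipient is a much stronger signal than an IPFS gateway URL alone, which also appears in legitimate mail.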

In late 2022, Kaspersky observed 2,000 to 15,000 IPFS phishing letters a day for most of the time. This year, IPFS campaigns have begun to escalate, reaching more than 24,000 letters a day in January and February. February became the busiest month in terms of IPFS phishing activity, with researchers discovering a whopping 400,000 letters, a 100,000 increase from November and December 2022.

Regarding this, Roman Dedenok, a security expert at Kaspersky, commented, “Attackers have and will continue to use cutting-edge technologies to reap profits. As of late, we have observed an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.”