Phishing Campaigns Abusing Web3 Platforms Increased by 482% in 2022
Web3 platforms have surged in popularity over the years and continue to catch headlines with billion-dollar investments as well as significant downturns. According to McKinsey, despite early funding issues, adoption of Web3 applications has occurred at an exponential pace, which has led to many industry professionals questioning how safe and stable these platforms are.
Web3 platforms are designed to make content hosting more available to individuals, evade censorship, guarantee access to the published content and avoid technical problems like server management, making these platforms attractive for threat actors seeking to host malicious content.
Upon analyzing credential phishing campaigns that reached inboxes during the first three quarters of 2022, Cofense discovered a significant rise in the abuse of Web3 platforms for phishing. As a result, phishing campaigns that abuse Web3 platforms have increased by 482 percent in 2022 with credential phishing making up the majority of the abuse.
How Web3 is Leveraged by Threat Actors
Web3 platforms require the creation of a network of many different servers working together to host content. Not every web browser supports direct access to these platforms. In order to make Web3 services more usable, some organizations run servers that produce "gateway URLs," which allow browsers to open Web3 content as if it were being hosted on a traditional server.
Gateway services aid in the adoption of Web3 technologies by making them more accessible. However, these services are utilized by threat actors to send links to phishing pages they host on Web3 platforms. The services can choose to disable a gateway URL that points to malicious or illegal content, but the effort becomes a cat-and-mouse game as threat actors can simply keep re-publishing their content with new gateway URLs.
Why Web3 is an Attractive Target
Web3 platforms have no organized moderators to manage hosted content. While some measures are put in place to limit malicious content, it is impossible to prevent it from being hosted within the platforms or to remove it once it has been hosted. Web3 platforms are readily available to any users with relevant software and content is collaboratively hosted by the platforms’ users.
The most common tactics used by threat actors while exploiting Web3 platforms using malicious URLs can be divided into two stages. Stage 1 includes URLs embedded in the email. Only 21 percent of Web3 URLs are used in stage 1 since they are easier for organizations to identify and block. Stage 2 involves any URLs that are opened after the users have opened the embedded link in the email.
Since content published on Web3 platforms is considered permanent, this removes the need for threat actors to create or steal accounts, compromise websites, or register new domains to host a credential phishing page. Threat actors can continuously publish new phishing pages to stay ahead of countermeasures.
Although Web3 platforms are an attractive host to threat actors, these platforms cannot perform data exfiltration. Instead, threat actors must maintain more traditional compromised or malicious servers as endpoints to receive stolen credentials. They often use HTML forms or embedded JavaScript code, so that the victim’s browser sends captured login credentials to the endpoints under threat actor control.
Web3 2023 Outlook
Forrester stated in its trend report "Web3 Promises A Better Online Future But Contains The Seeds Of A Dystopian Nightmare" that CIOs, CMOs and other executives should approach Web3 with extreme caution, even as investment in Web3 technologies continues to skyrocket.
As Web3 technology gains adoption in the everyday life of users and organizations, the opportunity for abuse will only grow. The decentralized nature of these platforms puts the responsibility of security in the individuals' hands and as Web3 platforms increase in popularity, threat actors will continue to take advantage of this opportunity, making it essential for users to remain educated and vigilant to avoid exploitation via Web3 phishing threats.
Photo credit: wk1003mike / Shutterstock
Brad Haas is Threat Intelligence Analyst, Cofense.