The World Wide Web (Web) is currently undergoing the transition to “Web 3.0”, powered by cryptocurrencies, blockchain technology, decentralized applications, and file storage. Central to this transition is the development of a 3D experience known as the ‘Metaverse’, a virtual environment where people can shop, play games, spend time with distant friends, attend a concert or even have a business meeting. This new world presents a host of unique challenges and security risks.
Metaverse is the next step in both social networks and the Internet, to participate in the new world, your identity is directly linked to the cryptocurrency wallet you use. Cisco Talos, one of the world’s largest private threat intelligence teams, recently investigated potential cyber threats posed by the Metaverse. Given that the cryptocurrency already has over 300 million users worldwide, it is no wonder that cybercriminals have now targeted the Metaverse as well.
“Recent security research by Cisco Talos has shown that the Metaverse is an attractive environment for cybercriminals. Whether cybercriminals apply old, well-known techniques (such as phishing) or other recent methods to the technology that powers Web 3.0 (such as blockchain). The arrival of the Metaverse world is sure to further increase the potential of techniques and methods by which cybercriminals can earn money,” says Jan Heijdra, Cybersecurity Specialist at Cisco Netherlands.
Cisco Talos has examined the threats in today’s Web 3.0 landscape and identified several security issues.
The growing popularity of digital currencies has led to increased use of Ethereum Name Service (ENS) domains. ENS domains are an easy-to-remember name used to find the associated cryptocurrency wallet address. While anyone can look up the contents of a wallet address in the public ledger, it’s rarely clear who owns that wallet. As a result, there is an increased risk of cybercriminals using ENS domains, tricking unsuspecting users into thinking they are dealing with legitimate organizations.
Cloning of wallets
Adapting to new technology often comes with the threat of social engineering, and Web 3.0 is no exception. The vast majority of security incidents affecting Web 3.0 users are the result of social engineering attacks, such as wallet cloning.
Therefore, many cyber attacks can be avoided by following the well-known motto; If something is too good to be true, it probably is. Through contests and enticing offers, cybercriminals can trick cryptocurrency users into sharing their data. Hereby, users are tricked into entering their seed phrase. The security of a cryptocurrency is based on public and private key cryptography. In the event that a cryptocurrency wallet is lost or destroyed, a user can recover their wallet and all of its contents using a 12-24 word seed phrase. This is in fact your private key. Anyone with knowledge of the seed phrase can clone a cryptocurrency wallet and use it as their own.
“I’m here to help you.”
Another method attackers use to extract the seed phrase from users is by posing as a customer service representative. If a user has a question, they can post it on Twitter or on a Discord server’s “help” channel. The attackers monitor these channels and contact the user. When the user goes to the linked support form, of course, it will ask for the 12-word opening sentence.
Whale wallet scam
In the world of cryptocurrencies, there are high-profile accounts with a large number of cryptocurrencies or NFTs known as “whales”. By some estimates, only about 40,000 whales hold about 80% of the total value of NFTs, making them an attractive target for cybercriminals. Scammers know that small investors are watching these so-called whale wallets and luring these investors into investing in their own bogus projects.
Attackers trick users into granting access to wallets
Sometimes it is necessary to authorize a third party to transact tokens in your cryptocurrency wallet. Applications such as cryptocurrency exchanges (eg Uniswap) and NFT markets (OpenSea, etc.) generally ask their users for permission to access/modify the contents of the user’s cryptocurrency wallet. Once third-party access is approved, app users can trade tokens or list NFTs for sale without paying additional fees each time. Attackers have discovered that they can trick a victim into giving others access to the contents of their crypto wallet. The final lesson we learn here is that losing your seed phrase is not the only way criminals can steal the contents of your crypto wallet.
Tips for safely navigating the metaverse
- Good security: The simplest advice is often the best, and choosing strong passwords can go a long way in helping users ensure their security. Plus, use multi-factor authentication (MFA), use a password manager, segment your networks, log network activity, and examine ENS domains and crypto wallet addresses for cleverly hidden typos. Never click on unsolicited links via social media or email.
- Protect your opening sentence: Cisco Talos warns that users should always protect their seed phrase, which sometimes comes in the form of a QR code, and never give it to anyone. Increasingly, cryptocurrency wallets are being used for identification and personalization of Metaverse content, so if you lose your seed phrase, you lose control of your digital identity and personal belongings.
- Consider using a hardware wallet: The most robust security systems use many different layers of security. Using a hardware wallet adds another level of protection to crypto assets or NFTs, as you have to insert something into the device, enter a PIN, and approve or reject transactions using your wallet address.
- research your purchases: Considering buying NFTs? Find the address of the smart contract and see if the source code has been published. Unpublished source code is a bad sign! Find information about the developers of the project; anonymous developers can be scammers more easily.
Web 3.0 will usher in a new era, but with it comes a host of new threats. By following these simple tips from Cisco Talos, users can get the most out of their Web 3.0 experience while remaining aware of the risks.
Cisco (NASDAQ: CSCO) is the world leader in technology that powers the Internet. Cisco is unlocking new possibilities by reinventing your applications, securing your data, transforming your infrastructure, and empowering your teams to create a global and inclusive future. Learn more at The Network and follow us on Twitter.
This article is a sent message and is not the responsibility of the editors.