The World Wide Web (Web) is currently undergoing the transition to Web 3.0, powered by cryptocurrencies, blockchain technology, decentralized applications, and file storage. A central part of this transition is the development of a 3D experience known as the ‘metaverse’, a virtual environment where people can shop, play games, spend time with distant friends, attend a concert or even have a business meeting. This new world presents a host of unique security risks and challenges, Cisco Talos warns.
The Metaverse is the next step for both social networks and the Internet. To participate in this new world, your identity is directly linked to the cryptocurrency wallet you use. Cisco Talos, one of the largest private threat intelligence teams in the world, recently investigated potential cyber threats posed by the Metaverse. Given that cryptocurrency already has over 300 million users worldwide, it is no wonder that cybercriminals have now targeted the Metaverse as well.
Attractive to cybercriminals
“Recent security research, conducted by Cisco Talos, shows that the Metaverse is an attractive environment for cybercriminals. Regardless of whether cybercriminals are now applying old and well-known techniques (such as phishing) or applying other recent methods to the technology that powers Web 3.0 (such as blockchain). The arrival of the Metaverse world is sure to further increase the potential of techniques and methods by which cybercriminals can earn money,” says Jan Heijdra, Cybersecurity Specialist at Cisco Netherlands.
Cisco Talos examines the threats in today’s Web 3.0 landscape and identifies several security issues.
The growing popularity of digital currencies is leading to increased use of Ethereum Name Service (ENS) domains. An ENS domain is an easy-to-remember name used to find the associated cryptocurrency wallet address. While anyone can look up the contents of a wallet address in the public ledger, it is rarely clear who owns that wallet. As a result, there is an increased risk of cybercriminals registering ENS domains that trick unsuspecting users into thinking they are dealing with legitimate organizations.
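One way to check an ENS name against the names a user already trusts, as an added example that is not code from Cisco Talos or from the ENS project. The allowlist names and the short look-alike character table are constructed for illustration; a production check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed allowlist of names the user already trusts (not real organisations).
TRUSTED = {"acmeswap.eth", "examplemarket.eth"}

# Small illustrative look-alike table: Cyrillic letters and digits that
# resemble Latin letters. This is an assumption, not a complete list.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "0": "o", "1": "l", "3": "e", "5": "s",
})

def skeleton(name: str) -> str:
    """Fold case and compatibility forms, then map look-alikes to ASCII."""
    return unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_ens_name(name: str, max_typos: int = 2):
    """Return (verdict, trusted_name_it_resembles) for a name seen in a message."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    if folded in TRUSTED:
        return ("trusted", folded)
    skel = skeleton(name)
    if skel in TRUSTED:
        # Renders like a trusted name but uses different characters.
        return ("homoglyph-lookalike", skel)
    best = min(sorted(TRUSTED), key=lambda good: edit_distance(skel, good))
    if edit_distance(skel, best) <= max_typos:
        return ("typo-lookalike", best)
    return ("unknown", None)
```

A verdict of "unknown" only means the name does not resemble anything on the allowlist; it says nothing about who controls the wallet behind it.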
Cloning of wallets
Adopting new technology often comes with the threat of social engineering, and Web 3.0 is no exception. The vast majority of security incidents affecting Web 3.0 users are the result of social engineering attacks. Wallet cloning is one example.
Many cyber attacks can therefore be avoided by following the well-known motto: if something is too good to be true, it probably is. Through contests and enticing offers, cybercriminals trick cryptocurrency users into sharing their data, and in particular into entering their seed phrase. The security of a cryptocurrency is based on public and private key cryptography. If a cryptocurrency wallet is lost or destroyed, a user can recover the wallet and all of its contents using a 12-24 word “seed phrase.” This is basically your private key. Anyone who knows the seed phrase can clone a cryptocurrency wallet and use it as their own.
“I’m here to help you”
Another method attackers use to extract the seed phrase from users is posing as a customer service representative. If a user has a question, they can post it on Twitter or on a Discord server’s “help” channel. The attackers monitor these channels and contact the user. When the user goes to the linked support form, it will of course ask for the 12-word seed phrase.
Whale wallet scam
In the world of cryptocurrencies, high-profile accounts holding large amounts of cryptocurrency or NFTs are known as “whales”. By some estimates, only about 40,000 whales hold about 80% of the total value of NFTs, making them an attractive target for cybercriminals. Scammers know that small investors watch these so-called whale wallets, and they lure these investors into investing in the scammers’ own bogus projects.
Attackers trick users into granting access to wallets
Sometimes it is necessary to authorize a third party to transact tokens in your cryptocurrency wallet. Applications such as cryptocurrency exchanges (e.g. Uniswap) and NFT markets (OpenSea, etc.) generally ask their users for permission to access or modify the contents of the user’s cryptocurrency wallet. Once third-party access is approved, app users can trade tokens or list NFTs for sale without paying additional fees each time. Attackers have discovered that they can trick a victim into giving others access to the contents of their crypto wallet. The final lesson here is that losing your seed phrase is not the only way criminals can steal the contents of your crypto wallet.
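What such a permission looks like in the transaction a wallet is asked to sign, as an added example that is not code from Cisco Talos or from any wallet. It assumes the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` calls, reads the second `approve` argument as an ERC-20 amount, and uses a constructed spender address and calldata.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte function selectors defined by the token standards.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve",            # approve(address,uint256)
    bytes.fromhex("a22cb465"): "setApprovalForAll",  # setApprovalForAll(address,bool)
}

def describe_approval(calldata_hex, known_spenders=()):
    """Decode transaction calldata; return None if it grants no token access."""
    text = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    raw = bytes.fromhex(text)              # raises ValueError on non-hex input
    name = SELECTORS.get(raw[:4])
    if name is None:
        return None
    args = raw[4:]
    # Two 32-byte words; the address word is left-padded with 12 zero bytes.
    if len(args) != 64 or any(args[:12]):
        raise ValueError("malformed approval calldata")
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    if value == 0:
        risk = "revoke"        # allowance set to zero or operator removed
    elif name == "setApprovalForAll":
        risk = "all-tokens"    # operator may move every token in the collection
    elif value == MAX_UINT256:
        risk = "unlimited"     # spender may move the whole balance, now and later
    else:
        risk = "limited"       # capped at `value` (assumes an ERC-20 amount)
    return {
        "function": name,
        "spender": spender,
        "value": value,
        "risk": risk,
        "known_spender": spender in {s.lower() for s in known_spenders},
    }

# Constructed sample: an unlimited approve() to a made-up spender address.
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_CALLDATA = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
```

An "unlimited" or "all-tokens" result for a spender that is not on the user's own list of known applications is the case the paragraph above describes: the seed phrase stays secret, yet the approved address can still move the tokens.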
Tips for safely navigating the metaverse
- Good security: The simplest advice is often the best, and choosing strong passwords can go a long way toward ensuring your security. Also use multi-factor authentication (MFA), implement a password manager, segment your networks, log network activity, and examine ENS domains and crypto wallet addresses for cleverly hidden typos. Never click on unsolicited links via social media or email.
- Protect your seed phrase: Cisco Talos advises that users should always protect their seed phrase, which sometimes comes in the form of a QR code, and never give it to anyone. Increasingly, cryptocurrency wallets are being used for identification and personalization of Metaverse content, so if you lose your seed phrase, you lose control of your digital identity and personal belongings.
- Consider using a hardware wallet: The most robust security systems use many different layers of security. Using a hardware wallet adds another level of protection to crypto assets or NFTs, as you have to insert something into the device, enter a PIN, and approve or reject transactions using your wallet address.
- Research your purchases: Considering buying NFTs? Find the address of the smart contract and see if the source code has been published. Unpublished source code is a bad sign! Find information about the developers of the project; anonymous developers can be scammers more easily.
Web 3.0 will usher in a new era, but with it comes a host of new threats. By following these simple tips from Cisco Talos, users can get the most out of their Web 3.0 experience while remaining risk-aware.