
Security in the metaverse: emerging scams and phishing risk

smart contract audit company

By cyphershieldtechPublished about a year ago 8 min read

The metaverse and web3 may still be evolving, but they are sure to bring lasting changes to the way we work, play, and interact. For companies, we see four major areas of opportunity: staff experience, customer experience, process improvement, and new products and services. Considerable innovation is already taking place in each of them. But, as is often the case, the approach and technology of cybersecurity and anti-fraud have not kept pace with the rapid growth and development of the metaverse.

This emerging space presents new opportunities for criminals to exploit inexperienced and unaccustomed newcomers for monetary gain through targeted cyberattacks such as phishing and social engineering scams. In addition to direct financial losses, there are obvious reputational risks for brands and creators (as well as harm to consumers, although this paper focuses on the business perspective). And depending on their materiality and frequency, the attacks could also lead to unwanted scrutiny or lawsuits from consumers, consumer protection groups, investigative agencies, and regulators.

An unreliable metaverse could also stall progress. In our 2022 Metaverse Survey of more than 1,000 executives and 5,000 consumers, both groups said cybersecurity and privacy were the top concerns holding them back from adopting it. The metaverse could allow existing cybercrime to flare up and create new types of it.

But the metaverse, powered by a blockchain-based web3 infrastructure, could also be the place to find solutions, such as improved cyber protection and protocols, the ability for users to control what data is shared, and a better data verification process.

Understand what you're up against

While there are many types of scams relevant to the metaverse and decentralized web3 world, phishing and social engineering scams are some of the most prevalent. The crimes are the same, but the metaverse is fertile ground for novel and little-known ways of targeting victims and stealing their assets.

Let's look at four common attack vectors used by scammers today.

Scam messaging and social engineering: This takes many forms, including unofficial websites and social media accounts, fraudulent emails, fake tech support, and bot-driven messaging on the community management platforms used to facilitate communication between consumers and administrators. Although metaverse environments consist primarily of real-time voice communication, they can also include text-based instant messaging and chat functionality. These fraudulent tactics have been effective in tricking victims into clicking malicious links or attachments, interacting with fraudulent web forms or smart contracts, or divulging sensitive information.

The metaverse has also introduced "3D social engineering," in which scammers arrive via a lure that closely resembles a known domain and take the form of a 3D avatar designed to impersonate coworkers or other acquaintances. The idea is to get victims to share confidential information and access. Earlier this year, the server for a metaverse environment with blockchain-backed transactions was compromised, and fraudulent messages were sent to members about an "exclusive giveaway." Hundreds of thousands of digital assets were stolen from the wallets of unsuspecting members who navigated to the imitation website linked in the message and interacted with the attacker's fraudulent smart contract.

Airdrops and malicious giveaways: Legitimate companies use airdrops as a way to reward their investors or early adopters and as a marketing tool to incentivize users to purchase products and services available on their platforms. Many project owners give their native cryptocurrency tokens or an NFT to their investors by having them navigate to the project website, connect their digital wallets, sign a smart contract, and claim the airdrop.

In many cases, scammers take advantage of this method to trick unsuspecting individuals into clicking malicious links or signing fraudulent smart contracts that give cybercriminals full access to their victims' digital assets, which disappear moments later. In one case earlier this year, a malicious airdrop phishing scam carried out through compromised social media accounts managed to steal around $1 million worth of digital assets.

Seed phrase phishing: A seed phrase is what gives a user access to the private keys controlling their digital assets. Scammers obtain a user's seed phrase to gain control of the victim's digital wallet and digital assets, which they then use to conduct transactions purportedly in the victim's name. Note that if a user's seed phrase is stored offline, the only way for an attacker to obtain it is if the user gives it to them, or if they steal it from the physical place where the seed phrase is kept (for example, on a desktop in the user's home).

Aside from social engineering, another common way scammers carry out this phishing scam is by copying legitimate websites and asking victims to create an account and "log in" using their seed phrase. In late 2021, copycat websites of several popular digital wallets were created, through which scammers managed to steal half a million dollars in a seed phrase phishing campaign. Since a digital wallet is often needed to interact with metaverse environments, this campaign was able to take advantage of first-time users. In addition, some mobile wallet applications may by default save a copy of a user's private keys in a cloud backup,

Ice phishing: This is a novel scheme that tricks people into approving or delegating spending rights over their cryptocurrency address to the attacker. It occurs when an attacker substitutes their own address for the victim's by injecting a malicious script into a smart contract and waiting for the victim to authorize a transaction. Once this occurs, the smart contract allows the attacker to carry out transactions on behalf of the victim.

Due to the general complexity of the smart contract coding language, it is difficult for an inexperienced user to realize that a smart contract has been tampered with. This is further complicated by the fact that the interface windows that appear on a user's screen rarely provide a clear, understandable, plain-language description of what the transaction allows the smart contract to do once authorized. This increases the likelihood that a person will authorize a transaction they do not understand.

In one case, scammers created fake websites associated with a metaverse environment (in this case, a 3D Internet site) and, using web ads, paid to have their fraudulent metaverse site appear at the top of search results. Once on the copycat site, users connected their wallets and signed what they thought was a harmless agreement granting them access to their metaverse account, but in reality they were signing a contract that changed its state and gave the scammers access to their digital wallets.
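The ice phishing section above turns on one gap: the wallet prompt does not say in plain words what signing grants. The following is an added example, not code from the article or from any wallet vendor. It decodes the raw calldata of the three approval-related calls such lures rely on (ERC-20 `approve`, ERC-721 `setApprovalForAll`, and `transfer`, identified by their standard 4-byte selectors) into a plain-language summary with a risk level, flagging an unlimited allowance, a collection-wide operator approval, and a spender that is not on the user's own trusted list. The addresses and calldata at the bottom are constructed placeholders, and the `trusted_spenders` allowlist is an assumption about what a wallet would keep on the user's behalf.

```python
"""Plain-language decoder for the approval calls that ice phishing abuses.

Added example, not code from the article: a wallet or browser extension can
run this over the calldata a site asks the user to sign so the prompt says
what signing grants, and flags the dangerous cases.
"""

# 4-byte selectors (first four bytes of keccak256 of the signature) for the
# standard ERC-20 / ERC-721 functions handled here.
FUNCTIONS = {
    "095ea7b3": ("approve", ("spender", "address"), ("amount", "uint256")),
    "a22cb465": ("setApprovalForAll", ("operator", "address"), ("approved", "bool")),
    "a9059cbb": ("transfer", ("to", "address"), ("amount", "uint256")),
}
MAX_UINT256 = 2**256 - 1


def _decode_word(word: str, typ: str):
    """Decode one 32-byte (64 hex char) ABI word of a static type."""
    if typ == "address":
        return "0x" + word[-40:]  # addresses are right-aligned in the word
    value = int(word, 16)
    return bool(value) if typ == "bool" else value


def decode_calldata(calldata: str) -> dict:
    """Split calldata into selector + ABI words and decode known functions."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 or (len(data) - 8) % 64:
        return {"function": None, "args": {}, "error": "malformed calldata"}
    spec = FUNCTIONS.get(data[:8])
    if spec is None:
        return {"function": None, "args": {}, "error": f"unknown selector 0x{data[:8]}"}
    name, *params = spec
    body = data[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) != len(params):
        return {"function": None, "args": {}, "error": "argument count mismatch"}
    args = {pname: _decode_word(w, ptype) for (pname, ptype), w in zip(params, words)}
    return {"function": name, "args": args, "error": None}


def explain(calldata: str, trusted_spenders=frozenset()) -> dict:
    """Return a plain-language summary, a risk level and warnings for calldata."""
    decoded = decode_calldata(calldata)
    name, args = decoded["function"], decoded["args"]
    trusted = {s.lower() for s in trusted_spenders}
    warnings = []

    if name is None:  # anything the wallet cannot describe stays opaque to the user
        return {"function": None, "args": {}, "risk": "unknown",
                "summary": f"Cannot describe this transaction ({decoded['error']}).",
                "warnings": ["The wallet cannot explain what signing this grants."]}

    if name == "approve":
        spender, amount = args["spender"], args["amount"]
        unlimited = amount == MAX_UINT256
        if unlimited:
            warnings.append("Unlimited allowance: the spender can move every unit of this token you hold, now or in future.")
            risk = "high"
        else:
            risk = "low" if spender in trusted else "medium"
        if spender not in trusted:
            warnings.append(f"Spender {spender} is not on your trusted list.")
        summary = f"Allow {spender} to spend {'an unlimited amount' if unlimited else amount} of this token on your behalf."
    elif name == "setApprovalForAll":
        operator, approved = args["operator"], args["approved"]
        if approved:
            risk = "high"
            warnings.append("Operator approval covers every NFT in this collection, including ones you acquire later.")
            summary = f"Give {operator} control over all NFTs you hold in this collection."
            if operator not in trusted:
                warnings.append(f"Operator {operator} is not on your trusted list.")
        else:
            risk = "low"
            summary = f"Revoke {operator}'s control over this collection."
    else:  # transfer: moves funds immediately rather than granting rights
        risk = "medium"
        summary = f"Send {args['amount']} units of this token to {args['to']} now."

    return {"function": name, "args": args, "risk": risk, "summary": summary, "warnings": warnings}


# Constructed sample calldata with placeholder addresses (not real contracts).
PLACEHOLDER_SPENDER = "0x" + "1" * 40
UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "1" * 40 + "f" * 64
APPROVE_ALL_NFTS = "0xa22cb465" + "0" * 24 + "2" * 40 + "0" * 63 + "1"

if __name__ == "__main__":
    for cd in (UNLIMITED_APPROVE, APPROVE_ALL_NFTS, "0xdeadbeef"):
        r = explain(cd)
        print(f"[{r['risk'].upper()}] {r['summary']}")
        for w in r["warnings"]:
            print("   !", w)
```

The decoder deliberately refuses to summarise anything outside its small table rather than guessing, since a blank "unknown" is a more honest signal to the user than a partial description; a production wallet would extend the table from verified contract ABIs.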

How to protect the company and customers

Since the web3 and metaverse space is relatively new, there is little to no regulation protecting consumers, few remedies for victims who have had digital assets stolen, and little required of companies operating in this space. Still, there are certain proactive measures that can help organizations identify these types of scams and protect themselves and their customers against them.

Focus on the controls. Maintaining and applying checks that determine the validity of messages received from third parties (and flag or block malicious ones) is especially critical, as fraudulent messages can also come from legitimate accounts that have been compromised and taken over. The commercial development and deployment of these types of controls is likely to be an area of continued innovation as adoption and user activity increase and the security posture of metaverse environments evolves. One basic control that can be effective is two-factor or multi-factor authentication, which is a strong preventative control against email and social media account hijacking.

Apply content moderation. To mitigate the risk of fraud associated with a metaverse project, companies can implement an impartial moderation or content governance function in their community management platforms and in any text messaging features within the environment. This function can carry out due diligence on project contributors, including removing or banning abusive users who don't follow community rules, identifying and removing malicious or misleading messages, and performing regular IP and network scans, among other tasks.

Promote proper wallet hygiene. This means using multiple wallets, each with a specific purpose. At the consumer level, it is common practice for a user to have a minting wallet (hot wallet), a selling wallet (warm wallet), and a vault wallet (hardware wallet/cold wallet). The minting wallet interacts most with the blockchain, but should only contain low-value items and enough cryptocurrency to mint an asset (for example, an NFT representing an avatar, character, or wearable item) in order to limit the risk of financial loss. Selling wallets are typically used to interact with exchanges and marketplaces, while a vault wallet holds a user's high-value digital assets. At the enterprise level, there are several custodial platforms that can be used to customize the wallet experience (for managing corporate digital assets) and align it with business goals. For example, a corporate wallet can be configured as a multi-signature or multi-party computation (MPC) wallet, requiring the authorization and signature of multiple designated wallet addresses (users) before a transaction is executed on the blockchain. Similarly, companies creating or sponsoring metaverse spaces may wish to educate consumers on the benefits of holding multiple wallets to reduce risk, and may be able to make such a multi-wallet structure easier to set up, promoting wallet hygiene among users.

Stay up to date and be transparent. Lastly, it's hard to prevent an attack you don't see coming. Stay up to date on new scams and provide regular education and communication to stakeholders, particularly employees and customers, about asset protection and threat recognition and response. This includes verifying a link before clicking on it, verifying the sender of a link, doing independent research on metaverse and web3 projects and platforms, being aware of the types of smart contracts you are signing, and not engaging with incoming direct messages, but rather navigating to a project's "official links" page before participating.
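The link-verification advice above, together with the lookalike-domain lures described under "Scam messaging and social engineering" and "3D social engineering", can be made mechanical. The following is an added example, not code from the article: a checker that compares a URL received in a DM, e-mail or chat against a project's official-links allowlist and classifies it as official, a lookalike (homoglyph or character substitution, the official name embedded in another host or in the userinfo or path, or a domain within two edits of the official one), or simply unknown. The `OFFICIAL_DOMAINS` allowlist and every URL below are constructed; treating the last two labels as the registrable domain is a simplification of the public suffix list.

```python
"""Link checker for lookalike phishing URLs, checked against a project's
official-links page. Added example, not code from the article; allowlist and
sample URLs are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"example-metaverse.io", "app.example-metaverse.io"}  # constructed

# Characters and sequences that visually pass for ASCII letters (Cyrillic
# a, e, o, p, c, x, i, palochka; digits 0/1; rn->m, vv->w, cl->d).
CONFUSABLE_CHARS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u04cf": "l",
                    "0": "o", "1": "l"}
CONFUSABLE_SEQS = {"rn": "m", "vv": "w", "cl": "d"}
TYPO_DISTANCE = 2  # edits within which a domain counts as a typosquat


def skeleton(name: str) -> str:
    """Map a hostname to the ASCII string a human would read it as."""
    s = unicodedata.normalize("NFKC", name).lower()
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for seq, rep in CONFUSABLE_SEQS.items():
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats and swapped TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplified registrable domain: the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


def _decode_host(host: str) -> str:
    """Turn punycode (xn--) labels back into Unicode so homoglyphs are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or invalid punycode: leave as-is


def check_link(url: str, official=frozenset(OFFICIAL_DOMAINS)) -> dict:
    """Classify a URL as official, lookalike or unknown relative to an allowlist."""
    if "://" not in url:
        url = "http://" + url  # schemeless text still parses as a host
    parts = urlsplit(url)
    host = _decode_host((parts.hostname or "").lower())
    result = {"url": url, "host": host, "verdict": "unknown", "reasons": []}
    if not host:
        result["reasons"].append("no hostname")
        return result
    if parts.scheme != "https":
        result["reasons"].append(f"scheme is {parts.scheme}, not https")

    # Exact official host or a subdomain of one. "brand.io.evil.xyz" does not
    # end with ".brand.io", so it falls through to the lookalike checks.
    if host in official or any(host.endswith("." + o) for o in official):
        result["verdict"] = "official"
        return result

    brands = {registrable(o) for o in official}
    brand_names = {b.split(".")[0] for b in brands}
    host_sk = skeleton(host)
    outside_host = (parts.username or "").lower() + " " + parts.path.lower()
    if any(host_sk == skeleton(o) or host_sk.endswith("." + skeleton(o)) for o in official):
        reason = "homoglyph or character substitution in an official name"
    elif any(b in label for b in brand_names for label in host.split(".")):
        reason = "official name embedded in a different domain"
    elif any(b in outside_host for b in brand_names):
        reason = "official name appears only in the userinfo or path, not the host"
    elif any(edit_distance(registrable(host), b) <= TYPO_DISTANCE for b in brands):
        reason = f"within {TYPO_DISTANCE} edits of an official domain (typosquat)"
    else:
        return result
    result["verdict"] = "lookalike"
    result["reasons"].append(reason)
    return result


if __name__ == "__main__":
    for u in ("https://app.example-metaverse.io/claim",
              "https://example-metaverse.io.claim-drop.xyz/",
              "https://exampel-metaverse.io/airdrop",
              "https://ex\u0430mple-metaverse.io/",
              "https://example-metaverse.io@evil.xyz/"):
        r = check_link(u)
        print(f"{r['verdict']:9} {u}  {'; '.join(r['reasons'])}")
```

The official check runs first and is strict (exact host or a true subdomain), so the lookalike rules only ever see hosts that have already failed it; that ordering is what keeps an embedded brand name in a subdomain from being mistaken for the real site.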

Conclusion: Since vulnerabilities exist across web3, Cyphershield is a security and smart contract audit company providing professional smart contract auditing services for a wide range of crypto projects. Its full auditing service helps you address your smart contract vulnerabilities and reach a larger scale in the market.
