According to a Cisco study, the global transition to Web3, which is powered by blockchain technology, presents security experts with a new set of unique challenges as well as recycled threats.
Bad actors on the internet are particularly focused on the Metaverse, as well as its underlying technology, the California-based networking equipment maker said.
“The metaverse landscape looks ripe for cybercriminals,” Fady Younes, director of cybersecurity at Cisco Middle East and Africa, said in the report.
“Whether they’re translating old threats into the new metaverse space, relying on time-tested social engineering and phishing techniques, or starting to design new technical attacks to make money in new ways, the cybercriminal game is growing.”
Web3 is the emerging new concept of the World Wide Web, with blockchain, decentralization, openness and greater user convenience among its core components.
Its market is expected to be valued at around $6.2 billion in 2023 and to grow at a compound annual rate of 44.6% from 2023 to 2030, according to Market Research Future.
Web2, the current iteration that emerged in the mid-2000s, has led to the rise of more interactive web pages, with millions of people around the world able to view user-generated content in an instant.
It has further exploded with the advent of powerful mobile devices, social networks and other media platforms.
Its mid-1990s predecessor, Web1, used static pages with limited interaction and functionality. Although content creation was in its infancy at the time, it boosted online banking and commerce.
According to the Cisco study, attackers are exploiting verticals and attack methods related to cryptocurrency, including Ethereum Name Service (ENS) domains, social engineering, and so-called whales.
ENS is a service that simplifies blockchain-based crypto addresses, similar to how sites such as bit.ly shorten URLs.
Because these domains are easy-to-remember names, this has led to trademarked names being registered and resold by third parties.
“As a result, nothing prevents the owner of an ENS domain from using that name to trick unsuspecting users into thinking they are dealing with a legitimate organization,” Cisco said.
Social engineering attacks – or “human hacking”, a manipulation technique that exploits human error to obtain private information – account for the vast majority of security incidents among Web3 users.
One of the most dangerous cases of fraud committed through this technique involves tricking users into sharing their “seed phrase”, a 12-24 character code that is essentially a user’s private key and can be used to recover a crypto wallet if it is lost or destroyed.
Hackers can use a seed phrase to clone a wallet and use it as their own.
The threat of social engineering has also spawned another challenge: people posing as customer support agents responding to user queries on social media platforms such as Twitter or Discord.
Bad actors monitor these channels and will contact users to offer “help” – but with the ultimate goal of coercing them into sharing their seed phrases.
Meanwhile, whales are high-profile crypto accounts that hold a large amount of digital assets. Cybercriminals monitor these accounts – an estimated 40,000 whales own 80% of all non-fungible token value – then attempt to strike with a social engineering attack that convinces users to invest in their bogus projects.
Updated: April 16, 2022, 4:30 a.m.