The metaverse and web3 may still be evolving, but there’s little question that they will make lasting changes in how we work, play and interact. For business, we see four big opportunity areas: employee experience, customer experience, process improvement and new products and services. There’s considerable innovation already happening in each one. But, as is often the case, cybersecurity and anti-fraud approaches and technology haven’t kept pace with the metaverse’s rapid growth and development.
This emerging space presents new openings for bad actors to exploit inexperienced and unaccustomed newcomers for monetary gain through targeted cyber attacks such as phishing and social engineering scams. In addition to direct financial losses, there are obvious reputational risks to brands and creators (in addition to harm to consumers, though this document focuses on the business and enterprise perspective). And depending on their materiality and frequency, attacks could also bring unwanted scrutiny or lawsuits from consumers, consumer protection groups, investigative agencies and regulators.
A metaverse that can’t be trusted could also stall progress. In our 2022 Metaverse Survey of more than 1,000 executives and 5,000 consumers, both groups said that cybersecurity and privacy were the top concerns holding them back from adoption. The metaverse could allow existing cybercrime to flare up and create new kinds of cybercrime.
But the metaverse, powered by a blockchain-enabled web3 infrastructure, could also be where we can find solutions, including enhanced cyber protection and protocols, the ability for users to control what data is shared and better user verification.
While there are many types of scams relevant to the metaverse and decentralized web3 world, phishing and social engineering scams are some of the most prevalent. The crimes are the same, but the metaverse is fertile ground for novel and little understood ways of targeting victims and stealing their assets.
Let’s look at four common attack vectors currently used by fraudsters.
Fraudulent messaging and social engineering: This takes many forms, including copycat/imposter websites and social media accounts, fraudulent emails, fake tech support and bot-controlled messaging on community management platforms used to facilitate communications among consumers and environment administrators. While metaverse environments primarily consist of real-time speech communications, these environments can also include text-based chat and instant message functionalities. These fraudulent tactics have been effective in deceiving victims into clicking on malicious links or attachments, interacting with web forms or rogue smart contracts, or divulging sensitive information.
The metaverse has also introduced “3D social engineering,” in which scammers reach out via a lure that closely resembles a familiar domain and take the form of a 3D avatar designed to impersonate co-workers or other recognizable contacts. The idea is to get victims to share sensitive information and access. Earlier this year, the server of a metaverse environment, with blockchain-supported transactions, was compromised and fraudulent messaging was sent to members about an “exclusive giveaway.” Hundreds of thousands worth of digital assets were drained from the wallets of unsuspecting members who navigated to the copycat website contained within the message and interacted with the attacker’s rogue smart contract.
Malicious airdrops and giveaways: Legitimate businesses use airdrops as a way to reward their investors/early adopters and as a marketing tool to incentivize users to buy products and services available on their platforms. Many project owners often give their native cryptocurrency tokens or an NFT to their investors by allowing them to navigate to their website, connect their digital wallets, sign a smart contract and claim the airdrop.
In many instances, fraudsters take advantage of this approach to trick unwary individuals into clicking malicious links or signing rogue smart contracts that give the cybercriminals full access to their victims’ digital assets, which disappear moments later. In one case earlier this year, a malicious airdrop phishing scam carried out via compromised social media accounts successfully stole around $1 million worth of digital assets.
Seed phrase phishing: A seed phrase is what gives users access to their private keys over their digital assets. Scammers obtain a user’s seed phrase to take control of the victim’s digital wallet and digital assets, which they then use to make transactions ostensibly on the victim’s behalf. Note, if a user’s seed phrase is stored offline, the only way for an attacker to obtain it is if the user gives it to them, or if it’s stolen from the physical space in which the seed phrase is located (e.g., on a desk in the user’s home).
Aside from social engineering, another common way scammers perform this phishing scam is by copying legitimate websites that require and prompt victims to create an account and “sign-in” using their seed phrase. In late 2021, copycat websites for a number of popular digital wallets were created in which scammers were able to successfully steal half a million dollars through a seed phrase phishing campaign. As a digital wallet is often needed in order to interact with metaverse environments, this campaign was able to take advantage of first-time users. Additionally, some mobile wallet apps may save a copy of a user’s private keys to a cloud backup by default, further increasing the attack surface area for malicious actors to attempt to exploit.
Ice phishing: This is a novel scheme that tricks individuals into assigning or delegating approval of their cryptocurrency address to the attacker. This occurs when an attacker changes the victims’ address to that of the attackers by injecting a malicious script into a smart contract front end and waiting for the victim to authorize a transaction. Once that happens, the smart contract allows the attacker to make transactions in the victim’s name.
Due to the general complexity of smart contract coding language, it’s difficult for an inexperienced user to realize that a smart contract has been tampered with. This is further complicated by the fact that the window interfaces that appear on a user’s screen rarely provide a clear, understandable, plain English description of what the transaction is permitting the smart contract to do once authorized. This increases the likelihood that an individual will authorize a transaction they don’t understand.
In one instance, scammers created fake websites associated with a metaverse environment (in this case, a 3D internet site) and, using web ads, paid for their copycat metaverse site to appear at the top of search results. Once on the copycat site, people connected their wallets and signed what they thought was a harmless agreement allowing them to access their metaverse account.In reality, they were signing a state-changing contract that gave scammers access to their digital wallets.
Since the web3 and metaverse space is relatively new, there’s little to no regulation protecting consumers, and there’s little recourse for victims who have had digital assets stolen; and there is little required from companies operating in the space. Still, there are certain proactive steps that can help organizations identify and safeguard themselves and their customers against these types of scams.
Bring together technology, data and expertise to create products, solutions and outcomes for clients.
Digital assets like crypto, NFTs and metaverse are game-changers. Now is the time to understand the space and find your opportunities.