The decentralized file system solution known as IPFS is becoming the new “home” for hosting phishing sites, researchers have warned.
Cybersecurity firm Trustwave SpiderLabs, which disclosed details of the attack campaigns, said it identified as many as 3,000 emails containing IPFS phishing URLs as an attack vector in the past three months.
IPFS, short for InterPlanetary File System, is a peer-to-peer (P2P) network for storing and sharing files and data using cryptographic hashes, instead of URLs or filenames, as is seen in a traditional client-server approach. Each hash forms the basis of a unique content identifier (CID).
The idea is to create a resilient distributed file system that allows data to be stored on multiple computers. This would allow information to be accessed without having to rely on third parties such as cloud storage providers, effectively making it censorship-resistant.
“Deleting phishing content stored on IPFS can be difficult because even if it is deleted in one node, it may still be available on other nodes,” Trustwave researchers Karla Agregado and Katrina Udquin said in a report.
The lack of a static Uniform Resource Identifier (URI) that can be used to locate and block a single piece of malware-laden content further complicates matters. It also means that phishing sites hosted on IPFS could be much more difficult to remove.
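The blocking problem described above, as an added example (not code from Trustwave's report or this article): the hostname of an IPFS link changes with the gateway, but the CID does not, so a mail filter can pull the CID out of path-style, subdomain-style and native `ipfs://` links and match on that. The gateway hostnames and CIDs are constructed, and the regexes check only the shape of a CIDv0 or base32 CIDv1, not that it decodes to a valid multihash.

```python
import re
from urllib.parse import urlsplit

# Shape checks only (assumption: sha2-256 CIDs, the common case).
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"   # base58btc, 46 characters
CID_V1 = r"b[a-z2-7]{58,}"               # multibase "b" = lowercase base32
CID_RE = re.compile(rf"(?:{CID_V0}|{CID_V1})")
URL_RE = re.compile(r"(?:https?|ipfs)://[^\s\"'<>]+", re.IGNORECASE)

def parse_ipfs_url(url):
    """Return (cid, gateway_host) for an IPFS link, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme == "ipfs":  # native scheme: ipfs://<cid>/...
        return (parts.netloc, "native") if CID_RE.fullmatch(parts.netloc) else None
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    labels = host.split(".")
    # Subdomain gateway: <cid>.ipfs.<gateway-host>
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.fullmatch(labels[0]):
        return labels[0], ".".join(labels[2:])
    # Path gateway: <gateway-host>/ipfs/<cid>/...
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) >= 2 and segs[0] == "ipfs" and CID_RE.fullmatch(segs[1]):
        return segs[1], host
    return None

def group_by_cid(text):
    """Map each CID found in text to the set of gateways that reference it."""
    hits = {}
    for url in URL_RE.findall(text):
        parsed = parse_ipfs_url(url.rstrip(".,)"))
        if parsed:
            hits.setdefault(parsed[0], set()).add(parsed[1])
    return hits

# Constructed sample data: shape-valid CIDs and placeholder gateway hosts.
SAMPLE_V0 = "Qm" + "A1b2C3d4E5f" * 4
SAMPLE_V1 = "bafy" + "abcdefghij2" * 5
SAMPLE = (
    f"Track your parcel: https://gateway-one.example/ipfs/{SAMPLE_V1}/index.html\n"
    f"Mirror: https://{SAMPLE_V1}.ipfs.gateway-two.example/?id=7\n"
    f"Invoice: https://gateway-one.example/ipfs/{SAMPLE_V0}\n"
    "Docs: https://docs.example/ipfs/readme\n"
)

if __name__ == "__main__":
    for cid, gateways in group_by_cid(SAMPLE).items():
        print(cid, sorted(gateways))
```

A blocklist keyed on the extracted CID catches the first two sample links as one indicator even though they point at different gateway hosts.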
The attacks seen by Trustwave typically involve some type of social engineering to lower targets’ guard and trick them into clicking on fraudulent IPFS links and activating infection chains.
These domains prompt potential victims to enter their credentials to view a document, track a package on DHL, or renew their Azure subscription, only to siphon email addresses and passwords to a remote server.
“With data persistence, a robust network, and little regulation, IPFS may be an ideal platform for attackers to host and share malicious content,” the researchers said.
The findings come amid a larger shift in the email threat landscape, with Microsoft’s plans to block macros forcing threat actors to adapt their tactics to distribute executables that can lead to later reconnaissance, data theft and ransomware.
Seen in this light, the use of IPFS marks another evolution of phishing, giving attackers another lucrative playground to experiment with.
“Phishing techniques have taken a leap forward using the concept of decentralized cloud services using IPFS,” the researchers concluded.
“Spammers can easily camouflage their activities by hosting their content in legitimate web hosting services or by using several URL redirection techniques to help thwart scanners using URL reputation or automated URL analysis.”
These changes have also been accompanied by the use of off-the-shelf phishing kits – a trend called phishing-as-a-service (PhaaS) – which offer hackers a quick and easy way to mount attacks by email and SMS.
Indeed, IronNet researchers have exposed a large-scale campaign using a four-month-old PhaaS platform dubbed Robin Banks to plunder credentials and steal financial information from customers of well-known banks in Australia, Canada, the UK and the USA.
“Although the primary motivation for scammers using this kit appears to be financial, the kit also asks victims for their Google and Microsoft credentials after traveling to the phishing homepage, indicating that it could also be used by more advanced threat actors seeking to gain initial access to corporate networks for ransomware or other post-intrusion activity,” the researchers said.