Metaverse security: Emerging scams and phishing risks

A metaverse that can’t be trusted could also stall progress. In our 2022 Metaverse Survey of more than 1,000 executives and 5,000 consumers, both groups said that cybersecurity and privacy were the top concerns holding them back from adoption. The metaverse could allow existing cybercrime to flare up and create new kinds of cybercrime.

But the metaverse, powered by a blockchain-enabled web3 infrastructure, could also be where we can find solutions, including enhanced cyber protection and protocols, the ability for users to control what data is shared and better user verification. 

Understand what you’re up against

While there are many types of scams relevant to the metaverse and decentralized web3 world, phishing and social engineering scams are some of the most prevalent. The crimes are the same, but the metaverse is fertile ground for novel and little understood ways of targeting victims and stealing their assets.

Let’s look at four common attack vectors currently used by fraudsters.

Fraudulent messaging and social engineering: This takes many forms, including copycat/imposter websites and social media accounts, fraudulent emails, fake tech support and bot-controlled messaging on community management platforms used to facilitate communications among consumers and environment administrators. While metaverse environments primarily consist of real-time speech communications, these environments can also include text-based chat and instant message functionalities. These fraudulent tactics have been effective in deceiving victims into clicking on malicious links or attachments, interacting with web forms or rogue smart contracts, or divulging sensitive information. 

The metaverse has also introduced “3D social engineering,” in which scammers reach out via a lure that closely resembles a familiar domain and take the form of a 3D avatar designed to impersonate co-workers or other recognizable contacts. The idea is to get victims to share sensitive information and access. Earlier this year, the server of a metaverse environment, with blockchain-supported transactions, was compromised and fraudulent messaging was sent to members about an “exclusive giveaway.” Hundreds of thousands worth of digital assets were drained from the wallets of unsuspecting members who navigated to the copycat website contained within the message and interacted with the attacker’s rogue smart contract.

Malicious airdrops and giveaways: Legitimate businesses use airdrops as a way to reward their investors/early adopters and as a marketing tool to incentivize users to buy products and services available on their platforms. Many project owners often give their native cryptocurrency tokens or an NFT to their investors by allowing them to navigate to their website, connect their digital wallets, sign a smart contract and claim the airdrop. 

In many instances, fraudsters take advantage of this approach to trick unwary individuals into clicking malicious links or signing rogue smart contracts that give the cybercriminals full access to their victims’ digital assets, which disappear moments later. In one case earlier this year, a malicious airdrop phishing scam carried out via compromised social media accounts successfully stole around $1 million worth of digital assets.

Seed phrase phishing: A seed phrase is what gives users access to their private keys over their digital assets. Scammers obtain a user’s seed phrase to take control of the victim’s digital wallet and digital assets, which they then use to make transactions ostensibly on the victim’s behalf. Note, if a user’s seed phrase is stored offline, the only way for an attacker to obtain it is if the user gives it to them, or if it’s stolen from the physical space in which the seed phrase is located (e.g., on a desk in the user’s home). 

Aside from social engineering, another common way scammers perform this phishing scam is by copying legitimate websites that require and prompt victims to create an account and “sign-in” using their seed phrase. In late 2021, copycat websites for a number of popular digital wallets were created in which scammers were able to successfully steal half a million dollars through a seed phrase phishing campaign. As a digital wallet is often needed in order to interact with metaverse environments, this campaign was able to take advantage of first-time users. Additionally, some mobile wallet apps may save a copy of a user’s private keys to a cloud backup by default, further increasing the attack surface area for malicious actors to attempt to exploit. 

Ice phishing: This is a novel scheme that tricks individuals into assigning or delegating approval of their cryptocurrency address to the attacker. This occurs when an attacker changes the victims’ address to that of the attackers by injecting a malicious script into a smart contract front end and waiting for the victim to authorize a transaction. Once that happens, the smart contract allows the attacker to make transactions in the victim’s name.  

Due to the general complexity of smart contract coding language, it’s difficult for an inexperienced user to realize that a smart contract has been tampered with. This is further complicated by the fact that the window interfaces that appear on a user’s screen rarely provide a clear, understandable, plain English description of what the transaction is permitting the smart contract to do once authorized. This increases the likelihood that an individual will authorize a transaction they don’t understand.  

In one instance, scammers created fake websites associated with a metaverse environment (in this case, a 3D internet site) and, using web ads, paid for their copycat metaverse site to appear at the top of search results. Once on the copycat site, people connected their wallets and signed what they thought was a harmless agreement allowing them to access their metaverse account.In reality, they were signing a state-changing contract that gave scammers access to their digital wallets.

How to help safeguard your business and your customers

Since the web3 and metaverse space is relatively new, there’s little to no regulation protecting consumers, and there’s little recourse for victims who have had digital assets stolen; and there is little required from companies operating in the space. Still, there are certain proactive steps that can help organizations identify and safeguard themselves and their customers against these types of scams.

• Focus on controls. Maintaining and implementing controls to determine the validity of messages received from a third party (and to flag or block malicious ones) is especially critical as fraudulent messages can also come from legitimate accounts that have been compromised and taken over. The commercial development and deployment of such controls is likely to be an area of further innovation as user adoption and activity increase and the security posture of metaverse environments evolves. One foundational control that can be effective is utilizing two-factor or multi-factor authentication. This can be an effective preventative control to protect against account takeover risks for social media and email accounts.
  
• Implement content moderation. To mitigate the associated fraud risk within a metaverse project, businesses can implement an impartial content moderation or governance function within their community management platforms, and within any in-environment text chat/messaging functions, if any. This can perform due diligence on project contributors, including removing or banning abusive users that don’t follow community rules, identifying and removing malicious or misleading posts, and performing regular IP and network scans, among other functions.
  
• Promote proper wallet hygiene. This means using multiple wallets that each have their designated purposes. At the consumer level, it is common practice for a user to have a mint wallet (hot wallet), selling wallet (warm wallet), and vault wallet (hardware wallet/cold wallet). A mint wallet will interact with the blockchain the most, but should only contain low value items and enough cryptocurrency necessary to mint an asset (e.g., an NFT representing an avatar, character or wearable object) in order to limit the risk of financial loss. Selling wallets are typically used to interact with exchanges and marketplaces, while a vault wallet contains a user’s high value digital assets. Hardware wallets are among the safest ways to store digital assets as the digital wallet is not connected to the internet and the private key is not stored on chain.
  
  At the company level, there are various custodial platforms that you can use to customize the wallet experience (for managing corporate digital assets) to align with your business objectives. For example, a corporate wallet can be set up as a multi-sig or multi-party computational (MPC) wallet, requiring the authorization and signature of multiple designated wallet addresses (users) prior to executing a transaction on the blockchain. Similarly, companies creating or sponsoring metaverse spaces may wish to educate consumers on the benefits of maintaining multiple wallets to help reduce risk and potentially help facilitate the setup of such a multi-wallet structure to promote wallet hygiene among users.
• Stay current and be transparent. And finally, it’s hard to prevent an attack you don’t see coming. Keep up to date on emerging scams and provide regular education and communication to your stakeholders; in particular to your employees and customers on safeguarding assets and recognizing and responding to threats. This includes verifying a  link before clicking on it, verifying the sender of a link, doing independent research on metaverse and web3 projects and platforms, being mindful of the types of smart contacts you’re signing, and not interacting with inbound direct messages, but rather navigating to a project’s “official links” page before engaging.