Threat groups are increasingly turning to peer-to-peer Interplanetary File System (IPFS) data sites to host their phishing attacks, as the decentralized nature of the sharing system means that malicious content is more effective and easier to conceal.
Threat analysts from cybersecurity vendor Trustwave said this week that the Interplanetary File System (IPFS) is becoming the “new hotbed for phishing” after seeing an increase in the number of phishing emails containing IPFS URLs.
Meanwhile, Atif Mushtaq, founder and chief product officer of anti-phishing firm SlashNext, told The Register that his company detects phishing hosted on ipfs.io, cloudflare-ipfs.com and other vendors' systems.
“These types of attacks are part of the evolution of hackers using trusted domains to host their phishing attacks,” Mushtaq said. “The advantage of using trusted domains is that they are very difficult to detect with reputation-based threat detection, which is widely used by organizations to protect users.”
Trustwave researchers in a blog post this week wrote that they had seen over 3,000 emails in the past 90 days containing phishing URLs that used IPFS, adding that “it is clear that IPFS is increasingly becoming a popular platform for phishing websites.”
Phishing remains the scourge of businesses and the primary means used by cybercriminals to compromise user systems and open the door to malicious payloads. Cybersecurity firm Proofpoint, in a report released earlier this year, said 83% of more than 4,000 respondents said their businesses had experienced at least one email phishing attack in 2021 and 78% of organizations had been victims of ransomware attacks via email.
The next big thing
Using IPFS is a way for attackers to make their phishing content more persistent, more easily distributed, and harder to detect. According to Trustwave, most data traffic on the Internet uses HTTP, which uses a centralized client-server approach. IPFS – which stands for InterPlanetary File System – is different.
Created in 2015 as a distributed P2P system for sharing files, websites, applications and data, IPFS offers a decentralized approach to the web.
This means that “content is available through peers located around the world, who may transfer information, store it, or do both,” the Trustwave researchers wrote. “IPFS can locate a file using its content address rather than its location. To access content, users need a gateway hostname and the content identifier (CID) of the file.”
Shared files are distributed to other systems which essentially function as nodes in a network file system. These files are accessible when needed and are retrieved from any other node on the network that owns the content. In a centralized network, if a server is down or a link is broken, the data cannot be accessed.
With IPFS, data is persistent, including any malicious content stored on the network. Even if malicious content is deleted in one node, it is likely still available in other nodes. Such content is also difficult to discover even in a legitimate P2P network because there is no Uniform Resource Identifier (URI) to locate and block malicious content, the researchers wrote, adding that “with the data persistence, a robust network, and little regulation, IPFS is perhaps an ideal platform for attackers to host and share malicious content.”
Trustwave showed examples of how cybercriminals abuse blockchain, Google, and cloud storage services to execute their IPFS phishing attacks.
How it works
The attacks begin like other phishing campaigns, with criminals using social engineering techniques to trick victims into clicking on malicious IPFS links in phishing emails designed to look like legitimate messages from companies like Azure or DHL.
“One of the main reasons IPFS has become a new playground for phishing is that many web hosting, file storage or cloud services now offer IPFS services,” the researchers wrote. “This means there is more flexibility for phishers in creating new types of URLs.”
At the same time, “spammers can easily camouflage their activities by hosting their content in a legitimate web hosting service or by using several URL redirection techniques to help thwart scanners that use URL reputation or automated URL analysis,” they wrote.
Mushtaq from SlashNext said storing HTML content this way isn’t a new concept. It’s been around since 2007, when botnets like Mega-d and Srizbi stored their spam sites on botnets, which he described as custom P2P networks.
“However, the upside at that time was that people weren’t shy about clicking on http-only and IP-hosted sites,” he said. “Now an HTTP site will be immediately flagged by the browser, so [scammers] have no choice but to use trusted gateways like Cloudflare.”
Darryl MacLeod, vCISO at LARES Consulting, told The Register that the use of IPFS “represents a significant evolution of phishing” and that organizations should adjust their defenses accordingly. One way is to use a DNS sinkhole to redirect traffic and block access to IPFS-based phishing sites. They can also use web filters to block access to these sites.
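The gateway-plus-CID structure described above, and the sinkhole/web-filter defense MacLeod suggests, can be turned into a simple mail-scanning check. The following is an added example written for this article, not code from Trustwave, SlashNext or LARES; the gateway list, the regexes and the sample lure are assumptions, and the CIDs in it are made up but syntactically valid. It recognises both path-style (`/ipfs/<cid>`) and subdomain-style (`<cid>.ipfs.<gateway>`) links on any host, not only the two gateways the article names.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlparse

# Public gateways named in the article; extend with gateways seen in your own mail flow.
KNOWN_GATEWAYS = {"ipfs.io", "cloudflare-ipfs.com"}
# CIDv0: 46-char base58btc string starting "Qm"; CIDv1 as seen in URLs: lowercase base32, starts "b".
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class IpfsRef(NamedTuple):
    url: str
    gateway: str        # gateway hostname the victim's browser resolves
    cid: str            # content identifier; the same CID is reachable through any gateway
    style: str          # "path" (/ipfs/<cid>/...) or "subdomain" (<cid>.ipfs.<gateway>)
    known_gateway: bool # gateway is one of KNOWN_GATEWAYS

def parse_ipfs_url(url: str) -> Optional[IpfsRef]:
    """Return an IpfsRef if url is a gateway-style IPFS link, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    parts = p.path.split("/")
    if len(parts) >= 3 and parts[1] == "ipfs" and CID_RE.match(parts[2]):
        return IpfsRef(url, host, parts[2], "path", host in KNOWN_GATEWAYS)
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        gw = ".".join(labels[2:])
        return IpfsRef(url, gw, labels[0], "subdomain", gw in KNOWN_GATEWAYS)
    return None

def find_ipfs_refs(text: str) -> List[IpfsRef]:
    """Scan an email body and return every IPFS gateway link it contains."""
    refs = []
    for m in URL_RE.finditer(text):
        ref = parse_ipfs_url(m.group(0).rstrip(".,);"))
        if ref:
            refs.append(ref)
    return refs

def sinkhole_hosts(refs: List[IpfsRef]) -> List[str]:
    """Hostnames to feed a DNS sinkhole or web filter; a path-style hit yields the whole
    gateway, so blocking it is a policy choice that also affects benign IPFS use."""
    return sorted({urlparse(r.url).hostname.lower() for r in refs})

# Constructed sample lure, not a real campaign; the CIDs are syntactically valid but made up.
SAMPLE_EMAIL = """Your DHL parcel is on hold. Review the shipping invoice:
https://ipfs.io/ipfs/QmConstructedTestCidAbcdefghijkmnopqrstuvwxyz1/invoice.html
Azure sign-in: https://bafyconstructedtestcidabcdefghijklmnopqrstuvwxyz234567abcdef.ipfs.cloudflare-ipfs.com/
Terms: https://example.com/ipfs/not-a-cid
"""
```

Because the CID, not the hostname, identifies the content, a hit on an unlisted gateway is still worth the same treatment as one on ipfs.io; the `known_gateway` flag only tells you which lookups a reputation list would already have caught.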
MacLeod warned that cybercriminals will continue to evolve their attack methods.
“In the future, phishers may start using more sophisticated methods to replicate sites, such as using distributed hash tables,” he said. “A distributed hash table is a type of data structure often used in peer-to-peer systems because it allows data to be distributed across many different machines.”