Cyber phishers are using the decentralized IPFS file distribution platform in bogus email attacks since late 2022, and Kaspersky researchers have figured out how the scheme works.As opposed to a centrally located server, the IPFS (InterPlanetary File System) is built around a decentralized system of user-operators. Each one holds a portion of the overall data, thereby creating a resilient system of file storage and sharing.According to the security provider, scammers place HTML files containing a phishing form in IPFS and use gateways as proxies, so that victims can open the file, whether or not they are running an IPFS client on their devices. The scammers also include file access links via a gateway into phishing letters dispatched to would-be victims.One advantage among others is that using a distributed file system allows attackers to cut back on phishing page hosting costs. In addition, it’s impossible to delete files uploaded by third parties from IPFS. If somebody wants a file to disappear from the system completely, they can urge its owners to delete it, but the method will “probably never work with cyber criminals,” Kaspersky said.What is interesting about this technique is where the HTML pages links go, Kaspersky said:Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails. Use a protection solution for endpoints and mail servers with anti-phishing capabilities to decrease the chance of infection through a phishing email. If using Microsoft 365 cloud service, don’t forget to protect it too.
Inside the Scam
IPFS uses addressing performed according to unique content identifiers (CID), and not file paths. The file itself resides on the computer of the user who had “uploaded” it to IPFS and downloaded directly from that computer. By default, uploading or downloading a file to IPFS requires special software. For users to view the files residing in IPFS freely without installing any software, the so-called gateways are provided.IPFS is considered the “cutting edge of Web 3.0." Since late 2022, cybercriminals have been using this “safe, decentralized and reliable way for file distribution,” to target companies worldwide.Kaspersky said its researchers have figured out how attackers are placing phishing HTML files into IPFS. This technique, used for both ongoing mass and targeted phishing campaigns, saw almost 400,000 phishing emails detected in February 2023, Kaspersky said.24,000 Phishing Emails Observed
In late 2022, Kaspersky observed 15,000 IPFS phishing letters-a-day for most of the time. Starting this year, IPFS phishing began to grow in scale, reaching more than 24,000 letters-a-day in January and February.February was the busiest month in terms of IPFS phishing activity. In that month alone, researchers observed almost 400,000 letters, a 100,000 increase than in November and December 2022.“Attackers have and will continue to use cutting-edge technologies to reap profits. As of late, we have observed an increase in the number of IPFS phishing attacks, both mass and targeted,” said Roman Dedenok, a security expert at Kaspersky.
“The URL parameter contains the recipient’s email address. Once modified, the corporate logo on top of the phishing form and email address entered into the login field will change too. This way, one link can be used in several phishing campaigns targeting different users, sometimes even in dozens of campaigns.”
