Metaverse firms join forces as phishing tactics evolve alongside Web3


Earlier this year, Check Point’s latest cybersecurity report found that “In 2021, researchers have seen 50% more attacks per week on corporate networks compared to 2020.” As Q2 2022 draws to a close later this June, that pace only keeps accelerating: email campaigns are stealing wallet keys, and Metaverse real estate investors are waking up one morning to find all their virtual land has been stolen. Even celebrities have fallen victim to such trickery; a Bored Ape adeptly snatched from Seth Green actually put his forthcoming TV show on hold.

What machinations do these cautionary tales all share? Though the circumstances feel futuristic, the underlying means are as old as the internet itself. Each case study amounts to phishing: fooling users into sharing their high-value login credentials through fake links and login pages. A classic hacker’s tactic since Web2 swept the world, phishing rears its head again as perhaps the Metaverse’s greatest threat.

In many cases, phishing looks the same as ever. CNBC interviewed Metaverse landholders who lost their property the old-fashioned way, by clicking on a link that was actually a lie. One nurse from Maine named Kasha, for example, invested $16,000 in Sandbox and SuperWorld with plans to develop “an educational game on human anatomy and physiology.”

It’s worth noting here that Check Point’s report said, “In 2021, education/research was the sector that experienced the highest volume of attacks, with an average of 1,605 attacks per organization every week,” a 75% increase compared with the previous year.

[Image from Check Point’s report]

As CNBC reported, “About three months after buying the land, Kasha said she typed in the name of the virtual platform Decentraland on a Google search bar — the first link that popped up was a phishing link. After she clicked on the link, it wiped out her MetaMask wallet.” Boulder-based online fitness instructor Tracy Carlinsky lost her coveted Sandbox property adjacent to Snoop Dogg’s mansion when “she mistakenly clicked on a phishing link and lost all her land, only days after using the faulty link,” which looked identical to Sandbox’s login page.

Both victims were left without options. The permanent and user-managed characteristics that make blockchain transactions so revolutionary are also their greatest liabilities: recovery is impossible for victims, and platform leaders can only watch helplessly and hope their users retain enough trust and hope in the future to keep using their services.

All the old rules apply as Web3 investors protect their assets. Check the link prefix, look for typos in site copy, and use multifactor authentication wherever possible. Those adages alone aren’t enough, though, because the other side has adapted. CNBC said an off-color cottage industry has arisen for phishing on the dark web where “some cybercriminals advertise these impostor sites for just $400, while others sell for as much as $5,000 on a Russian-language underground forum.”

That’s not even the worst of it. In a blog post this March, Microsoft’s EVP of Security Charlie Bell spoke to phishing’s new faces in Web3. “Play this forward, and picture what phishing could look like in the metaverse,” he said. “It won’t be a fake email from your bank. It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room.”

“Which brings us to the importance of these early days for the metaverse,” Bell continued. “We have one chance at the start of this era to establish specific, core security principles that foster trust and peace of mind for metaverse experiences. If we miss this opportunity, we’ll needlessly deter the adoption of technologies with great potential for improving accessibility, collaboration and business.” 

Key Metaverse players are rising to the occasion. In a statement for CNBC, OpenSea said they’ve “disabled the ability to buy or sell NFTs that are reported stolen and [have] even banned accounts involved in theft.” Sandbox started contracting security services to root out phishing links in their Metaverse. MetaMask has partnered with Asset Reality to help scam victims.

In March 2022, Second Life founder Philip Rosedale told CNBC the “Metaverse should be legislated the way the real world is.” However, IRL ideals are the very wellspring of theft in the first place. ‘Cash rules everything around me,’ on or offline. Inspired by the tantalizing valuations of Sandbox and Decentraland themselves, “tech companies continue to rush buggy software code out of the door,” as ZDNet said in April. “As a result, privacy leaks are so common that most consumers are so jaded they simply shrug their shoulders and keep doing business with whichever company was breached this time around.”

Another future is both possible and necessary if Metaverse tech wants to reach the widespread adoption that its idealism, and its valuations, demand. As Bell himself wrote, “security is a team sport.”


Vittoria Benzine

Vittoria Benzine is a Brooklyn-based art writer and personal essayist covering contemporary art with a focus on human contexts, counterculture, and chaos magic. She contributes to Maxim, Hyperallergic, Brooklyn Magazine, and more.

© Metaverse Post 2022