New tech, same threats for Web 3.0

Companies adopting Web 3.0 platforms will find themselves dealing with some familiar threats, according to experts.

A report from Cisco Talos published Thursday outlined social engineering attacks as the main threat facing those who adopt the likes of cryptocurrency, blockchain and decentralized applications for their business needs.

The report noted that due to the logged and distributed nature of blockchain technologies like nonfungible tokens (NFTs) and decentralized apps, the weak point becomes the owner of the token, and the easiest way to take over that weak point is to trick them into handing over credentials.

"When users are adapting to new technology for the first time, one of the biggest risks is the threat of social engineering," researcher Jaeson Schultz explained in the report. "Unfamiliar technology can often lead users into making bad decisions. Web 3.0 is no exception."

Among the big threats highlighted by the Cisco Talos team were techniques like typosquatting or impersonating Ethereum Name Service (ENS) domains. One example would be a criminal purchasing the .eth domain that matches a bank's .com domain, and then using that perceived authority to trick users into handing over sensitive information.

In addition, Schultz said ENS ownership can make one a target, as the domain will link to the user's wallet and NFT holdings, potentially allowing attackers to gain valuable intel on their targets.

Also of great value to scammers are seed phrases, the collection of random words used to create the cryptographic key that gives access to a cryptocurrency wallet. "In fact, most attacks where people have lost valuable NFTs/crypto have occurred because the user was tricked into somehow giving up their seed phrase," Schultz wrote.

Essentially, having the seed phrase key lets attackers access and transfer all of the victim's cryptocurrency holdings to another wallet -- usually one owned by either the criminals themselves or a third-party money mule who will move the currency to its eventual destination.

In another interesting twist, some cybercriminals are even exploiting this trick to turn the tables on other shady users. Cisco Talos has documented cases where an attacker intentionally exposed the seed phrase on a wallet with a small amount of stolen cryptocurrency, then pounced on anyone who tried to extract the funds, pocketing the exchange fees in the process.

"To remove the USDT [cryptocurrency] stored in the attacker's wallet, one must first transfer a small amount of Ethereum into the wallet to cover the gas fees that must be paid. The attackers, however, are vigilant, and constantly monitoring the blockchain for activity involving their wallet address," Schultz explained. "The attackers instantly detect when someone transfers Ethereum into their wallet in an attempt to move the USDT, and before the USDT tokens can be transferred out, the attacker moves the small amount of Ethereum intended to pay for gas into a separate wallet."

One thing all of these techniques have in common is their reliance on low-tech mind games rather than sophisticated exploits or focused attacks on a single system. Cisco Talos researcher Nick Biasini told SearchSecurity that because of the decentralized nature of Web 3.0 platforms, duping the account owners into handing over their keys is likely to be the most effective way for cybercriminals to steal funds.

"I think the social engineering aspect will continue to be a big vector, similar to how it is on the larger threat landscape," Biasini explained. "That doesn't preclude there being more technical attacks in the future. You are already seeing some of that take place with the various attacks that have occurred. As more people look at the technology, more weaknesses will be uncovered, but the scam side of things is here to stay."

As such, Cisco Talos said the best ways for users and businesses to protect themselves will be taking basic precautions when handling unsolicited or suspicious messages and communications; dealing directly with sites rather than clicking links or attachments; and when in doubt, directly contacting providers via email or phone.