Cyber security in the metaverse (Part 2): real time identity fraud, domain phishing and digital currencies

In last month’s edition of The Insider, TSC took a deep dive into the metaverse and the various cybersecurity issues every single organisation needs to consider when using the platform. This is cybersecurity in the metaverse: Part 2.

The metaverse is a massive technological leap and with it comes innovative new attack vectors. As a result, new security measures must be put in place to address rapidly evolving cyber threats. With every digital advancement, comes cyber threat actors aiming to capitalise on it! 

Metaverse adoption by the world’s biggest brands and organisations is booming. The virtual world is brimming with commerce and community management opportunities but security professionals and, indeed, users themselves need to understand the risks they face and how to deal with them. To that end, today we will be unwrapping cybersecurity in the metaverse in more detail and nuance with focus on fraud/identity theft, digital currencies, social engineering attacks and data collection via smart devices.  

Real time security to identify fraud 

It is common thinking that over the next five years or so, businesses and brands will be moving a lot of their online portals and interactions to the metaverse. However, with this move comes stress on cybersecurity and fraud. JPMorgan have even released a white paper on identification and privacy safeguards when transacting and interacting in the metaverse. 

If a fraudster is trying to hijack your identity in the real world, they look to create physical cards (ID or Credit Cards) that can help them gain access to your accounts or to secure locations that they can then pillage. If a fraudster is trying to hijack your digital identity, depending on the security of the platform, they can choose from a variety of attack vectors.  

For instance, in the metaverse, hackers are finding back doors and holes in the framework on brand specific metaverse portals and even in headsets that have not been patched or updated regularly. If there is any vulnerability that has not been addressed, a cybercriminal can exploit it and have total access to your digital identity.  

As a result, brands and organisations that have adopted the metaverse are being asked to include real time security protocols as an aspect of their cybersecurity. There have been calls for security teams to look at digital footprints and monitor suspicious behaviour consistently to identify fraud and online actions not befitting of the true account holder. The importance of real time security is compounded by Check Point data revealing a 50% increase in corporate metaverse attacks in between 2020 and 2021.  

This is not to ignore the fact that consumers and users of the metaverse must remain vigilant and protect their personal information and security login details as strongly as they have always done. If you are compromised at source, it will be far easier for a cybercriminal to obtain the information they are looking for. 

The vulnerability of digital currencies 

When dealing with a digital world, we often end up trading and purchasing with digital currencies or payment systems rooted in cryptocurrencies. Whilst crypto enthusiasts will explain the increased security potential of cryptocurrencies and operating on the blockchain, recent cyberattacks on the blockchain have called into question the true security of the new-age decentralised system.  

In fact, between 2020 and 2021, cryptocurrency theft rose by a staggering 516%, totalling a massive $3.2 billion. And with cryptocurrencies and the blockchain being integral to the structure of the metaverse, every user and brand needs to be ready for blockchain-based attacks such as hacked wallets, digital money laundering, phishing scams, and straight hacks.  

Another threat that is already in place is wallet cloning. When a metaverse user wants to access their digital wallet, they will use what we call a seed phrase. This is a secret key, held only by the user, which allows them to access their digital wallet. In recent months, social engineering attacks in which cybercriminals act as customer support to obtain the secret key have increased. During these social engineering attacks, cybercriminals trick wallet holders into a fake verification process to collect all the information they need to break into the wallet, clone it and clear it of all its contents.  

ENS Domain Phishing and hacking scams 

As a quick primer on blockchains, cryptocurrencies and transactions involving digital currencies, take place on the blockchain. This is a decentralised online system that facilitates the selling and purchase of digital items and real estate through an encrypted service. The most widely used blockchain is called the Ethereum Blockchain. When you place yourself on the blockchain you can get an ENS (Ethereum Name Service), which is a domain on the blockchain.  

For example, if The Security Company registered on ENS, we may appear as ‘thesecuritycompany.eth.’ However, these addresses are not subject to trademark law at the moment. This means that when you are contacted by say ‘mcdonalds.eth’ purporting to be the official blockchain domain of McDonalds, you may not actually be speaking to the respective companies who actually possess the trademark. In actuality, the ENS domain could be owned by any third party with illicit intentions – the risks here are noticeably clear. 

The other cybersecurity issue with ENS domains, which every user on the metaverse will create if they conduct business on the Ethereum blockchain, is how easy it is for hackers to find real world information buried in your ENS. Recently, researchers from Cisco Talos ran simple searches on ENS domain holders to see what data is publicly accessible on their profile. Unbeknownst to the ENS users, the researchers could see how much and what was in their cryptocurrency wallet, what NFTs were tied to the account and – scarily – the real-world identities, physical locations, and even social accounts of the blockchain user.  

Users on the NFT marketplace OpenSea fell victim to ENS vulnerabilities recently with hundreds of users swindled out of lucrative NFTs and large digital wallets. Cisco Talos researchers called it “almost trivial” when describing how easy it was to go from one ENS domain to discovering a whole packet of personal data on a user.  

This vulnerability does not fall on the metaverse’s infrastructure of security measures, it falls on the lack of education and understanding of the platform from users. All the information the researchers found could have been hidden, but did the users know how to do that? They did not even know their data was out there for the world to see. New and unfamiliar technology can lead to users making uninformed decisions – the metaverse and digital transactions is no different.  

Are your smart devices too smart for your own good? 

Microsoft co-founder Bill Gates predicts that virtual meetings will move to the metaverse in two to three years. Through a combination of virtual reality headsets and digital avatars, smart devices will allow the user to be present in a digital plane. However, just how much, and what data is the smart device collecting? 

There is a worry that with wearable tech such as headsets, threat actors will be able to collect deeply personal and identifiable data on users, thus making it far easier to break into and cause data breaches regarding identity.  

There is also a worry that organisations such as Mea will be collecting information of a user’s personality and behaviour through smart devices and storing them in data silos. If said silo is compromised by a digital attack, users could have their entire digital identities stolen which could be potentially sold on the dark web.  

Cybercriminals will then be able to truly imitate and impersonate you online as the headset will have registered your head movement, eye movement and, in some cases, even your voice. If this becomes common place, will we lose trust in who we are conversing with in the metaverse? Will you truly know that the person sitting across from you in the virtual world, are who they say they are? What if you are discussing a confidential deal with your boss in the metaverse only to find out later that they are on annual leave for a week? 

How can you stay safe in the metaverse? 

As we mentioned at the top of the piece, the metaverse, digital currencies and smart devices are always developing. As a result, the cleverness of the cyberattacks will also develop and innovate. It is therefore paramount that every user takes the time to familiarise themselves with the attack vectors they may face, and the security measures that can be put in place to keep users safe. 

This means implementing multi-factor authentication (MFA), maintaining a password manager, and taking great care who you share data with. If you would like to read more about security measures in the metaverse, head over to Part 1 of our deep dive into cybersecurity in the metaverse.  

Regardless of the various cybersecurity concerns with the metaverse, the weakest point in any organisation from a cybersecurity standing is always the user. If the user is informed, knowledgeable and up to date with attack vectors, they stand a far better chance at protecting their data and organisational data. It is up to companies to implement training and risk management protocols to support this development and understanding.  

Building cybersecurity awareness, especially in relation to new and emerging threats, is the backbone of TSC’s offering. No matter the attack service or platform, TSC’s service will ensure your employees are aware and knowledgeable of the threats they will come across.