The distributed peer-to-peer (P2P) Interplanetary File System (IPFS) has become a hotbed for phishing sites: thousands of emails containing phishing URLs using IPFS are appearing in corporate inboxes.
According to a report by Trustwave SpiderLabs, the company has found more than 3,000 such emails in its customer telemetry over the past three months. They lead victims to fake Microsoft Outlook login pages and other phishing web pages.
The Astronomical Benefits of IPFS
According to the Thursday analysis, IPFS uses P2P connections for file and service sharing instead of a static resource URI demarcated by a host and an HTTP path, which offers big advantages to malicious users.
For one, IPFS is designed to resist censorship by making content available in multiple places, which means that even if a phishing site is taken down in one place, it can quickly be distributed to other places. It is therefore very difficult to stop a phishing campaign once it has started.
“In a centralized network, data cannot be accessed if the server is down or a link is broken. Whereas with IPFS, data is persistent,” the report notes. “Naturally, this extends to malicious content stored on the network.”
P2P also gives these phishers an extra layer (and potentially multiple layers) of obfuscation because the content does not have a static, blockable address, increasing the likelihood of phishing emails escaping scanners and arriving in the victim’s inbox.
“So in addition to the benefits for attackers [related to] ‘traditional cloud services’, this layer of obfuscation gives attackers additional advantages,” Karl Sigler, senior security research manager at Trustwave SpiderLabs, told Dark Reading.
Moreover, since IPFS is a decentralized system, it means that no central authority can take down a phishing site. This makes it much more difficult for law enforcement and security researchers to take down phishing sites hosted on IPFS.
“This represents a significant evolution in phishing, as it is now much more difficult to remove phishing sites and block access to them,” says Atif Mushtaq, founder and chief product officer at SlashNext, an anti-phishing company. “Organizations need to be aware of this new development and adjust their defenses accordingly.”
He explains that one way to do this is to use a DNS sinkhole to block access to IPFS-based phishing sites. This is a technique in which DNS requests for a phishing site are redirected to a fake server.
“This prevents users from accessing the phishing site, as they will only be able to reach the dummy server,” says Mushtaq. “Organizations can also use web filters to block access to IPFS-based phishing sites.”
More sophisticated IPFS tactics are likely to emerge
Mushtaq warns that phishers may begin to use even more sophisticated methods to replicate sites, such as the use of distributed hash tables (DHTs), a type of data structure often used in P2P systems, which allow the distribution of data on many different machines.
Sigler says there will likely be greater adoption of IPFS by malicious actors, making the technique more common and likely easier to spot.
“However, with more attention from these attackers, we’ll likely see more creativity brought to the table and IPFS used in ways we haven’t seen yet,” he adds.
Phishing overwhelms organizations
Phishing attacks are already causing huge security problems for organizations: just this week, Ducktail was discovered targeting marketing and HR professionals via LinkedIn to hijack Facebook accounts. And earlier this month, Microsoft announced that 10,000 organizations were targeted in a phishing attack that spoofed an Office 365 authentication page to steal credentials.
Sigler explains that the use of IPFS for obfuscation presents security administrators with an attack vector they may not have considered before.
“We recommend that you educate yourself and your staff on how IPFS works and take a look at the specific examples in the blog post to learn how IPFS is used in specific ways,” he says. “Given how it is currently used by phishing campaigns, we also recommend monitoring unexpected emails for URLs containing IPFS pointers.”
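One way to implement the monitoring Sigler recommends, as an added example that is not from the Trustwave report or the article: a Python scanner that pulls URLs out of a message body and flags the three common forms of IPFS pointer (gateway path, gateway subdomain, native `ipfs://` scheme). The function names, the placeholder CIDs and the `gateway.example` host are assumptions constructed for illustration; the gateway hosts it reports are the kind of input a DNS sinkhole or web filter would take.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is "Qm" + 44 base58 characters; CIDv1 in base32 is "b" + 58 or more
# lowercase base32 characters (the form used in gateway subdomains).
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"b[a-z2-7]{58,}"
URL_RE = re.compile(r"\b(?:https?|ipfs|ipns)://[^\s<>\"')]+", re.I)
PATH_RE = re.compile(rf"^/(?:ipfs/((?:{CID_V0}|{CID_V1})(?=/|$))|ipns/([^/]+))")
SUBDOMAIN_RE = re.compile(rf"^({CID_V1})\.(?:ipfs|ipns)\.(.+)$")


def find_ipfs_pointers(text):
    """Return one dict per IPFS-style URL: style, gateway host, pointer."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")  # drop sentence punctuation glued to the URL
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme.lower() in ("ipfs", "ipns"):
            # Native scheme: no gateway, the authority is the pointer itself.
            hits.append({"url": url, "style": "native", "gateway": None,
                         "pointer": parts.netloc})
        elif m := SUBDOMAIN_RE.match(host):
            hits.append({"url": url, "style": "subdomain", "gateway": m.group(2),
                         "pointer": m.group(1)})
        elif m := PATH_RE.match(parts.path):
            hits.append({"url": url, "style": "path", "gateway": host,
                         "pointer": m.group(1) or m.group(2)})
    return hits


def gateway_hosts(hits):
    """Distinct gateway hosts seen, as candidates for a sinkhole or web filter."""
    return sorted({h["gateway"] for h in hits if h["gateway"]})


# Constructed sample data: placeholder CIDs and reserved example domains.
SAMPLE_CID_V0 = "Qm" + "a1B2c3D4e5F" * 4
SAMPLE_CID_V1 = "bafy" + "a2b3c4d5e" * 6 + "a"
SAMPLE_BODY = f"""Please review the shared document:
https://gateway.example/ipfs/{SAMPLE_CID_V0}/index.html?id=42
Mirror: https://{SAMPLE_CID_V1}.ipfs.gateway.example/view.html
Unsubscribe: https://www.example.com/unsubscribe
Native: ipfs://{SAMPLE_CID_V1}/
"""

if __name__ == "__main__":
    for hit in find_ipfs_pointers(SAMPLE_BODY):
        print(hit["style"], hit["gateway"], hit["pointer"])
```

Because the same content identifier can be served through any gateway, matching on the pointer as well as the gateway host keeps a rule effective when a campaign switches gateways.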
Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation, says the first response to phishing is always the same: better user education.
“A phisher, in any of its myriad forms, leans on an inattentive target that falls for its bait,” he explains. “The attackers here are using IPFS to help disguise their origin, but a prepared user should be able to see through the trick and not take the bait.”
He points out that it is difficult to say how threat actors will change their techniques in the future.
“As defensive tools improve, attackers adapt and improve their game. The challenge is to teach users to recognize these attacks and not take the bait,” he explains. “Moving to IPFS for distribution gives threat actors some advantages, but does not change the fact that many of these attacks rely on the victim not realizing they are being attacked.”