Social engineering attacks to dominate Web3, the metaverse

Researchers offer their thoughts on the most prevalent threats faced by emerging technologies.
Written by Charlie Osborne, Contributing Writer

Researchers predict that a surge in social engineering attacks will dominate web3 and the metaverse. 

Web3 is the term coined for what could become the next face of the internet. The web has shifted from pages containing content to the growth of social media, and now, the concept of a decentralized internet is being discussed under the Web3 banner. 

Part of this transformation could include the 'metaverse' -- a 3D environment and virtual world for facilitating social connections, whether personal or for work. Your ID in the metaverse may also end up linked to cryptocurrency wallets, Non Fungible Tokens (NFTs), and various smart contracts. 

As technology vendors work on these concepts, cybersecurity researchers from Cisco Talos have offered their perspective on the potential threats Web3, and the metaverse will face. 

The recent phishing wave experienced by OpenSea users, in which victims were duped into signing off on malicious contract transactions and handing over their NFTs, may highlight the forms of attack we may see more commonly in the future. 

The first issue discussed by the team is the use of the Ethereum Name Service (ENS) and potentially upcoming similar services that are used to compact wallet addresses into a format that can be remembered easily. 

As some of us speculate on the potential future value of ENS domains and register them -- such as 'businessname.eth' -- these addresses could be used as leverage in phishing attacks, especially as ENS domains are recorded on the blockchain and cannot be removed through trademark disputes easily. 

"It may come as no surprise that ENS domains such as cisco.eth, wellsfargo.eth, foxnews.eth and so on are not actually owned by the respective companies who possess these trademarks, but rather they are owned by third parties who registered these names early on with unknown intentions," Talos says. "The risk here is obvious."

In addition, those that register an ENS domain may use their names, deanonymizing an address and signaling to others what funds an individual has in their cryptocurrency wallet, potentially increasing their risk of being selectively targeted by a threat actor. 

A brief search by Cisco Talos on .ENS domain holders who publicized their address revealed a number of 'whales' holding vast amounts of cryptocurrency and some rather lucrative NFTs.

A number of holders also reveal their home towns, full names, and social media profiles -- giving attackers a broader picture of individuals to target in social engineering attacks. 

"For many, identifying their real-world identities and physical locations starting from the ENS domain and Twitter account was almost trivial," the researchers say. 

As Web3 will be a new concept that users will need time to learn about, a general lack of education may also make individuals more susceptible to scams and fraud. 

"Unfamiliar technology can often lead users into making bad decisions," Cisco Talos says. "Web3 is no exception. The vast majority of security incidents affecting Web3 users stem from social engineering attacks."

In addition, wallet cloning -- already a threat in practice -- may become a more popular attack method in the future. This requires victims to give up their seed phrase, the secret key used to retrieve lost wallets and may be requested through social engineering, acting as customer support, or by tricking wallet holders in fake verification processes. 

Cisco Talos

While Web3 is still in development, it is worth taking the time to familiarise yourself with this technology -- especially if you plan to explore the decentralized world in the future. 

Cisco Talos also recommends implementing basic security measures, password managers, multi-factor authentication (MFA), and most importantly, remembering that you should never hand over your seed phrases. 

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards