Kaspersky Lab researchers note that phishers have begun to use the InterPlanetary File System (IPFS), a Web 3.0 technology, in email attacks more frequently. In the first three months of 2023, more than 800,000 such malicious emails were detected in the Russian Federation, while in the last months of 2022, between 2,000 and 15,000 phishing emails with IPFS links were observed per day.
The researchers recall that IPFS is a peer-to-peer distributed file system that lets users around the world share files. Unlike centralized systems, IPFS addresses a file by a unique content identifier (CID) rather than by the path to it.
The CID is derived from the hash of the file and written to a distributed hash table that also records which users hold the file. The file itself resides on the computer of the user who “uploaded” it into the system and is downloaded directly from that computer. In this respect the structure of IPFS resembles BitTorrent, which is also a distributed network in which files are exchanged directly between users’ devices.
By default, a dedicated IPFS client is needed to “upload” a file to IPFS or download one from it. So that users can view files stored in IPFS without installing additional software, there are so-called gateways: essentially, a gateway is a server with access to IPFS. A file can be opened through a gateway by URL, which usually contains the gateway address, an indication that IPFS is being used, and the CID of the file. The URL formats vary, for example: https://gateway_address/ipfs/CID or https://CID.ipfs.gateway_address.
At the end of 2022, Cisco Talos analysts had already warned that attackers were starting to use IPFS to host payloads and phishing kit infrastructure and to facilitate other attacks.
Now Kaspersky Lab has come to similar conclusions and reports that IPFS has become more commonly used in email phishing attacks. Apparently, the attackers place HTML files containing a phishing form on IPFS and use gateways as proxy servers so that victims can open such a file regardless of whether an IPFS client is installed on their devices. The attackers embed links that reach the file through a gateway in the malicious emails they send to potential victims.
Using IPFS lets scammers save on hosting phishing pages. In addition, a file that is hosted in IPFS by another user, or by several users, cannot be deleted by anyone else. Anyone who wants a file to disappear from the system completely can only ask its holders to delete it themselves, and that approach is unlikely to work with scammers.
Companies that operate IPFS gateways are trying to combat IPFS phishing by regularly removing links to fraudulent files. However, identifying and removing links at the gateway level is not always as fast as blocking fraudulent sites, cloud forms, and documents: the researchers write that they encountered IPFS file URLs that appeared in October 2022 and still work now, in March 2023.
In general, phishing emails containing IPFS links are nothing original: this is typical phishing, whose purpose is to obtain the username and password for the victim’s account. The situation is slightly different with the HTML page that the malicious link leads to. A URL parameter carries the recipient’s email address; if it is changed, the content of the page changes too: the company logo above the phishing form and the email address pre-filled in the login field. Thus, one link can be used in several phishing campaigns targeting different users, and sometimes in several dozen campaigns.
The “logo change” effect is achieved with a simple piece of JavaScript. The script takes the domain from the page’s URL parameter and substitutes it into the URL of the Google resource from which the logo icon is loaded.
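The two gateway URL shapes described above, together with the recipient address carried in the link, give a mail filter something concrete to look for. The following Python is an added example for defenders and is not code from Kaspersky’s report or from any IPFS project: it finds IPFS gateway links in an email body (both the path form and the subdomain form), validates the CID shape, and pulls out any recipient address so the targeted user and the impersonated domain can be logged. The gateway hosts and the email body are constructed sample data; the two CIDs are the common public example CIDs for the same content in CIDv0 and CIDv1 form. Checking the URL fragment as well as the query string is an assumption that goes slightly beyond the text, which only mentions a URL parameter.

```python
import re
from urllib.parse import urlparse, unquote

# Shapes of the two CID encodings commonly seen in gateway URLs (assumption:
# exotic multibase encodings are out of scope here).
CIDV0_RE = re.compile(r"Qm[1-9A-HJ-NP-Za-km-z]{44}")   # base58btc, sha2-256, 46 chars
CIDV1_B32_RE = re.compile(r"b[a-z2-7]{50,}")          # base32 lower-case, "b" prefix
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_cid(token: str) -> bool:
    """True if token looks like a CIDv0 (Qm...) or base32 CIDv1 (b...)."""
    return bool(CIDV0_RE.fullmatch(token) or CIDV1_B32_RE.fullmatch(token))


def parse_gateway_url(url: str):
    """Return (gateway_host, cid) for an IPFS gateway link, else None.

    Handles https://gateway/ipfs/<CID>/... and https://<CID>.ipfs.gateway/...
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    parts = p.path.split("/")
    # Path form: the CID is the segment right after "/ipfs/".
    if len(parts) >= 3 and parts[1] == "ipfs" and is_cid(parts[2]):
        return host, parts[2]
    # Subdomain form: the CID is the left-most DNS label, followed by "ipfs".
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and is_cid(labels[0]):
        return ".".join(labels[2:]), labels[0]
    return None


def recipient_from_url(url: str):
    """Find a recipient e-mail address carried in the query string or fragment."""
    p = urlparse(url)
    for raw in (p.query, p.fragment):
        m = EMAIL_RE.search(unquote(raw))
        if m:
            return m.group(0)
    return None


def scan_email_body(body: str):
    """Return one finding per IPFS gateway link found in the message body."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")          # drop trailing sentence punctuation
        parsed = parse_gateway_url(url)
        if parsed is None:
            continue
        gateway, cid = parsed
        rcpt = recipient_from_url(url)
        findings.append({
            "url": url,
            "gateway": gateway,
            "cid": cid,                  # the value worth blocking across all gateways
            "recipient": rcpt,
            # The page's logo is picked from this domain, so it names the brand being imitated.
            "impersonated_domain": rcpt.split("@")[1] if rcpt else None,
        })
    return findings


# Constructed sample message: two IPFS links (one per URL form) and one benign link.
SAMPLE_BODY = """\
Your mailbox storage is almost full. Review your account here:
https://ipfs-gateway.example/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/index.html?email=jane.doe@corp-victim.example
Alternative link: https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.gw.example/#jane.doe@corp-victim.example
Unsubscribe: https://www.example.com/unsubscribe?email=jane.doe@corp-victim.example
"""

if __name__ == "__main__":
    for finding in scan_email_body(SAMPLE_BODY):
        print(finding)
```

Because the same CID resolves through any public gateway, a blocklist keyed on the CID (rather than on the full URL or the gateway host) keeps working when the same phishing page is re-linked through a different gateway, which is exactly the situation the slow gateway-level takedowns described above leave open.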