IPFS networks are being used by threat actors for conducting several phishing campaigns
InterPlanetary File System (IPFS) is a decentralized file system solution that threat actors have been using in several phishing campaigns. Researchers from the cyber security firm Trustwave SpiderLabs said that they discovered more than 3,000 emails in which threat actors from hacking groups used IPFS phishing URLs as an attack vector.
IPFS is a protocol and peer-to-peer network, or distributed system, for storing and accessing files, websites, applications, and data. IPFS uses cryptographic hashes instead of URLs, and these hashes are unique content identifiers. Because it is a distributed system, the stored data can be accessed from multiple computers, and customers can access the data without the involvement of a cloud service, which is why phishing links are difficult to identify in IPFS. Security researchers say, “Taking down phishing content stored on IPFS can be difficult because even if it is removed in one node, it may still be available on other nodes.” URLs can be useful identifiers for tracking and blocking malware-related phishing links.
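An added example, not from the original article or the researchers it quotes: because the same content identifier can be fetched through any node or gateway, a mail or proxy filter can key on the identifier rather than on the host name. The gateway host names and identifiers below are constructed, and `extract_cid` and `match_blocklist` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Shape checks only (not full CID decoding):
#   CIDv0 = "Qm" + 44 base58btc characters
#   CIDv1 = "b" multibase prefix + lowercase base32 characters
CID_RE = re.compile(r"(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})")

def extract_cid(url):
    """Return the CID an IPFS link points at, or None if it is not an IPFS link."""
    parts = urlsplit(url.strip())
    labels = (parts.hostname or "").split(".")
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme == "ipfs":                          # ipfs://<cid>/...
        candidate = parts.netloc
    elif len(segments) > 1 and segments[0] == "ipfs":   # https://<gateway>/ipfs/<cid>/...
        candidate = segments[1]
    elif len(labels) > 2 and labels[1] == "ipfs":       # https://<cid>.ipfs.<gateway>/...
        candidate = labels[0]
    else:
        return None
    return candidate if CID_RE.fullmatch(candidate) else None

def match_blocklist(urls, blocked_cids):
    """Return (url, cid) pairs whose CID is blocklisted, whatever gateway serves it."""
    hits = []
    for url in urls:
        cid = extract_cid(url)
        if cid in blocked_cids:
            hits.append((url, cid))
    return hits

# Constructed sample data: CID-shaped strings and .example hosts, not real indicators.
CID_V0 = "Qm" + "X" * 44
CID_V1 = "bafy" + "a" * 55
SAMPLE_URLS = [
    f"https://gateway-one.example/ipfs/{CID_V1}/login.html",
    f"https://{CID_V1}.ipfs.gateway-two.example/login.html",
    f"ipfs://{CID_V1}/login.html",
    f"https://gateway-one.example/ipfs/{CID_V0}/invoice.html",
    "https://docs.example/ipfs-overview",
]

if __name__ == "__main__":
    for url, cid in match_blocklist(SAMPLE_URLS, {CID_V1}):
        print(f"BLOCK {cid[:12]}... via {url}")
```

A host-name blocklist would treat the first three sample links as unrelated; matching on the identifier catches all three.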
Security researchers say that customers using a domain such as an infected IPFS domain can see a document, track a package, or renew their Azure subscription, but each time they provide their name, address, and other credentials, they will be unknowingly sending them to a remote server. According to cyber security researchers, “With data persistence, robust network, and little regulation, IPFS is perhaps an ideal platform for attackers to host and share malicious content.” The researchers added that phishing links are being used on decentralized cloud services on the IPFS server, saying, “Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS.”
Security researchers also said that the use of PhaaS has been observed in IPFS phishing campaigns. PhaaS, or phishing-as-a-service, is a trend initiated by the use of off-the-shelf phishing kits that offer threat actors an easy entry. IPFS phishing campaigns were observed using a 4-month-old PhaaS platform to steal credentials and financial information. A security researcher said, “While the primary motivation for scammers using this kit appears to be financial, the kit does also ask victims for their Google and Microsoft credentials after they travel to the phishing landing page, indicating it could also be used by more advanced threat actors looking to gain initial access to corporate networks for ransomware or other post-intrusion activities.”