Threat groups are increasingly turning to InterPlanetary File System (IPFS) peer-to-peer data sites to host their phishing attacks because the decentralized nature of the sharing system means malicious content is more effective and easier to hide.
Threat analysts with cybersecurity vendor Trustwave this week said the InterPlanetary File System (IPFS) is becoming the “new hotbed of phishing” after seeing an increase in the number of phishing emails that contain IPFS URLs.
At the same time, Atif Mushtaq, founder and chief product officer at anti-phishing company SlashNext, told The Register that his company is detecting phishing hosted on ipfs.io, cloudflare-ipfs.com and other vendor systems.
“These types of attacks are part of the evolution of hackers using trusted domains to host their phishing attacks,” Mushtaq said. “The benefit of using trusted domains is they are very hard to detect with reputation-based threat detection, which is being used widely by organizations to protect users.”
Trustwave researchers in a blog post this week wrote that they have seen more than 3,000 emails over the past 90 days containing phishing URLs that have used IPFS, adding that “it is evident that IPFS is increasingly becoming a popular platform for phishing websites.”
Phishing continues to be the scourge of enterprises and a primary means for cybercriminals to compromise user systems and open the door to malicious payloads. Cybersecurity firm Proofpoint in a report earlier this year said that 83 percent of more than 4,000 people surveyed said their companies sustained at least one email-based phishing attack in 2021 and that 78 percent of organizations saw email-based ransomware attacks.
The next big thing
The use of IPFS is a way for attackers to make their phishing content more persistent, more easily distributed, and more difficult to detect. Most data traffic over the internet uses HTTP, which uses a centralized client-server approach, according to Trustwave. IPFS – which stands for InterPlanetary File System – is different.
Created in 2015 as a distributed P2P system for sharing files, websites, applications, and data, IPFS delivers a decentralized approach to the web.
This means “contents are available through peers located worldwide, who might be transferring information, storing it, or doing both,” the Trustwave researchers wrote. “IPFS can locate a file using its content address rather than its location. To be able to access a piece of content, users need a gateway hostname and the content identifier (CID) of the file.”
Shared files are distributed to other systems that essentially operate as nodes in a networked file system. Those files can be accessed when needed and are retrieved from any other node on the network that has the content. In a centralized network, if a server is down or a link is broken, the data is not accessible.
With IPFS, the data is persistent – and that includes any malicious content stored on the network. Even if the malicious content is removed in one node, it is likely still available in other nodes. Such content also is difficult to discover even in a legitimate P2P network because there is no Uniform Resource Identifier (URI) for locating and blocking malicious content, the researchers wrote, adding that “with data persistence, robust network, and little regulation, IPFS is perhaps an ideal platform for attackers to host and share malicious content.”
Trustwave showed examples of how cybercriminals are abusing blockchain, Google, and cloud storage services to run their IPFS phishing attacks.
How does it work?
The attacks start as other phishing campaigns do, with the criminals using social engineering techniques to coax victims into clicking on malicious IPFS links in phishing emails made to look like legitimate messages from companies like Azure or DHL.
“One of the main reasons why IPFS has become a new playground for phishing is that many web hosting, file storage or cloud services are now offering IPFS services,” the researchers wrote. “This means that there’s more flexibility for the phishers in creating new types of URLs.”
At the same time, “the spammers can easily camouflage their activities by hosting their content in a legitimate web hosting services or use multiple URL redirection techniques to help thwart scanners using URL reputation or automated URL analysis,” they wrote.
SlashNext’s Mushtaq said that storing HTML content is not a new concept. It’s been around since 2007 when botnets like Mega-d and Srizbi stored their spam sites on botnets, which he described as custom P2P networks.
“However, the advantage in those days was that people wouldn’t mind clicking on http-only and IP-hosted sites,” he said. “Now a HTTP site will be flagged by the browser immediately, so [scammers] have no other option but to use trusted gateways like Cloudflare.”
Darryl MacLeod, vCISO at LARES Consulting, told The Register that the use of IPFS “represents a significant evolution in phishing” and that organizations need to adjust their defenses accordingly. One way is to use DNS sinkholing to redirect traffic and block access to IPFS-based phishing sites. They also can use web filters to block access to those sites.
MacLeod warned that cybercriminals will continue to evolve their attack methods.
“Moving forward, phishers may start using more sophisticated methods for replicating sites, such as using distributed hash tables,” he said. “A distributed hash table is a type of data structure that is often used in peer-to-peer systems, as they provide a way to distribute data across many different machines.” ®