Interplanetary File System (IPFS) Phishing Attack

The Interplanetary File System (IPFS) is a decentralized file storage and access protocol designed to complement blockchain technology. Like the blockchain, the IPFS uses a decentralized network of nodes communicating over a peer-to-peer network to transfer information.

The IPFS enables users to upload, download, and share files via decentralized infrastructure. While this has its benefits, the IPFS can also be used in various cyberattacks.

Read the Forrester Wave™ Report Request a Demo

How Attackers Use IPFS in Phishing Attacks

The IPFS offers decentralized, low-cost hosting services. Anyone can upload files — including websites — to the IPFS, where they are accessed based on the file hash or via an IPFS gateway.

 

Using the IPFS, a cybercriminal can implement phishing infrastructure without hosting it themselves. Webpages hosted on the IPFS are static and have the ability to run JavaScript. Additionally, the design of the IPFS makes it very difficult to find these phishing pages, making them more difficult to take down.

How IPFS Phishing Attacks Work

A phishing site hosted on the IPFS is very similar to a phishing site hosted on traditional infrastructure, and the process for performing an IPFS phishing attack is similar to traditional phishing attacks. Some of the key steps in the process include:

  1. Create a Phishing Site: The attacker will create a phishing page that mimics a legitimate website. Various tools are available for creating these lookalike pages.
  2. IPFS Upload: After creating the phishing site, the attacker uploads the content to the IPFS. Once uploaded, this webpage can be accessed based on a unique hash value, which serves as its address.
  3. Link Propagation: The attackers distribute the address of the malicious webpage via various channels, such as email, Telegram, or social media.
  4. User Interaction: When the user clicks on the IPFS link, their web browser contacts an IPFS gateway, which provides access to files saved on the IPFS. This enables the web browser to access and render the IPFS-based phishing site.
  5. Data Collection: The phishing site will be designed to collect some form of sensitive information. For example, the user may be tricked into entering login credentials, credit card information, or other sensitive data into the webpage. The page then sends this information to the attacker, who can use it in further attacks.

After the attacker has collected enough sensitive data, they can take down the phishing page hosted on the IPFS. This makes it much more difficult for victims to track the source of the phishing attack.

Mitigating IPFS Phishing Attacks

Hosting phishing sites on the IPFS is just another way for a cybercriminal to build the infrastructure needed for a phishing campaign and evade detection. Many of the same best practices used for preventing traditional phishing attacks also apply to these IPFS phishing attacks, including:

  • User Education: Like other phishing attacks, IPFS phishing attacks are designed to trick a user into clicking on a malicious link and entering information into a phishing page. Training users to identify these phishing pages and respond properly to attempted phishing attacks can reduce the risk that these phishing campaigns pose to the organization.
  • Multi-Factor Authentication (MFA): Often, IPFS phishing attacks are geared toward stealing login credentials, granting an attacker access to the user’s account on the spoofed site. Implementing MFA makes it more difficult for an attacker to use these stolen credentials since they also need to access another authentication factor.
  • URL Filtering: Browsing to phishing pages hosted on the IPFS requires going through an IPFS gateway. If an organization doesn’t have a legitimate reason to access IPFS content, blocking traffic to IPFS gateway URLs prevents users from browsing to these phishing sites.
  • Threat Intelligence: A cybercriminal will likely use the same piece of content on the IPFS for multiple phishing attacks. Threat intelligence feeds can provide information on malicious IPFS addresses, enabling an organization to block these specific pieces of malicious content.
  • URL Scanning: IPFS phishing page URLs typically have a set structure and point to a phishing page. Web security solutions can identify these phishing URLs and pages and block users from browsing to them.

IPFS Phishing Protection with ThreatCloud AI

The use of the IPFS to host phishing content is just another example of cybercriminals using new methods to make their phishing attacks more difficult to detect and prevent. The IPFS enables an attacker to inexpensively implement phishing infrastructure and can increase the difficulty of identifying and remediating these attacks.

Check Point’s ThreatCloud AI engine provides robust protection against IPFS phishing attacks. ThreatCloud AI identifies suspicious IPFS patterns and other indicators of phishing attacks and uses this information to block IPFS phishing content from reaching the intended recipient.

Check Point Harmony Email & Collaboration offers industry-leading protection against phishing attacks and is recognized as a Leader in the 2023 Forrester Wave for Enterprise Email Security. Learn how Harmony Email & Collaboration can protect your organization against IPFS phishing and other threats by signing up for a free demo today.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK