Security researchers report a new trend in phishing campaigns, which now use so-called IPFS URLs as payloads.
The discovery comes from Trustwave researchers who came across a site called the Chameleon Phishing page. Websites like this one can change their background and logo depending on the user’s domain, making them highly effective in phishing attempts. The Chameleon Phishing Page is stored on IPFS (InterPlanetary File System). An analysis of the URLs used revealed that threat actors are increasingly sending phishing emails that contain IPFS URLs.
Why Do Phishing Operators Use IPFS?
More than 3,000 such emails were discovered in the past 90 days, confirming the theory that IPFS is a preferred platform for phishing operators.
What is IPFS? Short for InterPlanetary File System, the platform was established in 2015 and is a distributed, peer-to-peer file-sharing system for storing files, websites, apps, and related data. The stored content is available through peers, which can store information, transfer it, or both.
More specifically, the system can locate a file via its content address rather than its location. To be able to access any content, users need a gateway hostname and the content identifier (CID) of the file. The system is aimed at sustaining a decentralized web that relies on peer-to-peer communications.
So, how do phishers take advantage of that? In IPFS, shared files are distributed to other machines in a way similar to how nodes work, and as such, they can be accessed whenever needed. Furthermore, a file can be retrieved from any participating node on the network that has the requested content, the researchers explained. This makes data in the IPFS environment persistent, whereas in a centralized network data is not accessible if the server is down or a link is broken.
Here comes the first advantage for phishing campaigns. “Taking down phishing content stored on IPFS can be difficult because even if it is removed in one node, it may still be available on other nodes,” the report noted. Furthermore, it can be difficult to locate malicious traffic in a legitimate peer-to-peer network. “With data persistence, robust network, and little regulation, IPFS is perhaps an ideal platform for attackers to host and share malicious content,” the researchers added.
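The gateway hostname and content identifier (CID) described above give mail filters something concrete to match on. The following is an added example, not code from the Trustwave report: it extracts IPFS references from message bodies and groups them by CID, because the same content stays reachable through any gateway. The function names are hypothetical, and the CIDs, `.example` hostnames and email text are constructed placeholders.

```python
import re
from collections import defaultdict

# CIDv0 is 46 base58 characters starting with "Qm"; CIDv1 in its usual
# base32 text form starts with "b" and is lowercase.
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"b[a-z2-7]{50,}"
CID_ANY = rf"(?:{CID_V0}|{CID_V1})"

# The URL shapes that pair a gateway hostname with a CID.
URL_SHAPES = [
    # Path gateway:      https://<gateway>/ipfs/<cid>
    re.compile(rf"https?://(?P<gw>[\w.-]+)/ipfs/(?P<cid>{CID_ANY})"),
    # Subdomain gateway: https://<cid>.ipfs.<gateway>
    re.compile(rf"https?://(?P<cid>{CID_V1})\.ipfs\.(?P<gw>[\w.-]+)"),
    # Native scheme, no gateway involved: ipfs://<cid>
    re.compile(rf"ipfs://(?P<cid>{CID_ANY})"),
]

def extract_ipfs_refs(text):
    """Return (cid, gateway) pairs found in text; gateway is None for ipfs://."""
    refs = []
    for shape in URL_SHAPES:
        for m in shape.finditer(text):
            refs.append((m.group("cid"), m.groupdict().get("gw")))
    return refs

def gateways_by_cid(messages):
    """Map each CID to the set of gateways it was seen behind."""
    seen = defaultdict(set)
    for body in messages:
        for cid, gw in extract_ipfs_refs(body):
            seen[cid].add(gw or "ipfs://")
    return dict(seen)

# Constructed sample data: placeholder CIDs and .example gateway hostnames.
CID_A = "Qm" + "T" * 44
CID_B = "bafybei" + "a" * 52
SAMPLE_EMAILS = [
    f"Your mailbox is full: https://gw-one.example/ipfs/{CID_A}/index.html",
    f"Invoice attached, view at https://gw-two.example/ipfs/{CID_A}?id=1",
    f"Shared document: https://{CID_B}.ipfs.gw-one.example/login.html",
    "Quarterly report: https://intranet.example/reports/q3.pdf",
]

if __name__ == "__main__":
    for cid, gws in gateways_by_cid(SAMPLE_EMAILS).items():
        print(cid, sorted(gws))
```

Keying a blocklist or alert on the CID rather than the gateway hostname keeps the rule valid when the same page is linked through a different gateway.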
This week, security researchers from IronNet reported the emergence of a new phishing-as-a-service platform. Called RobinBanks, the platform offers ready-made phishing kits enabling access to financial details and personal information of individuals in the U.S., the U.K., Canada, and Australia.