Phishing Campaign Goes Cutting-Edge With IPFSAttackers Using Decentralized File Protocol to Deliver Phishing Pages
Spammers behind credential harvesting attacks are taking advantage of a distributed file protocol to distribute customized phishing links. Because the system, the InterPlanetary File System, is designed to be resilient against content takedowns, scammers are using it to deliver phishing emails at scale, say researchers from Kaspersky.
IPFS works as a peer-to-peer network of nodes that each store shards of files that are reachable through a unique fingerprint its designers dub a "content identifier." The idea is to store and retrieve files via their content identifier rather than their location on a remote server. Protocol inventor Juan Benet described it in a white paper as being analogous to "a single BitTorrent swarm, exchanging objects within one Git repository."
The protocol is good for cybercriminals in that it lets attackers cut back on phishing web page hosting costs, and its distributed nature makes it near impossible to delete files.
"If somebody wants a file to disappear from the system completely, they can urge its owners to delete it, but the method will probably never work with cybercriminals anyway," wrote Kaspersky researchers. Users can access the IPFS protocol through client software or through a gateway on the web. Gateway providers attempt to delete links to fraudulent sites, Kaspersky adds, but "detection and deletion of links at gateway level does not always happen as quickly as the blocking of a phishing website.
The cybersecurity firm says it first spotted URL addresses of malicious IPFS files in October. Last month was the busiest month yet for IPFS phishing activity, and Kaspersky detected nearly 400,000 attempts. The scammers upload HTML files containing a phishing form into IPFS and then attempt to get victims to click on proxy links that lead them into a gateway to access the file.
The URL parameter into the gateway includes the phishing recipient's email address, allowing the phishing page to change appearance according to the bait.
"This way, one link can be used in several phishing campaigns targeting different users, sometimes even in dozens of campaigns," Kaspersky researchers wrote.
Cybersecurity firm Trustwave last year also reported observing IPFS phishing.