Seeing the massive interest in Metaverse, cybercriminals have started to target users with phishing scams crafted around various Metaverse platforms. According to the Q4 2021 brand phishing report by Check Point Research, Metaverse platform Roblox was the 8th most imitated brand for phishing attacks during the quarter. Though Roblox accounted for only 3% of all brand phishing attacks, it's the first time brand phishing around a Metaverse platform has made it to the top ten.
Brand phishing attacks have been quite effective as targets are more likely to click on them to get more information. The metaverse broadly refers to the idea of a virtual platform that can be accessed through different devices and where people can move through digital environments.
Given the huge interest in Metaverse in India, brand phishing attacks around it can be expected to grow further.
According to the November 2021 report by DappRadar, more than half a million users in India have shown interest in Metaverse projects and NFTs, the third-highest in the world after the US and Indonesia.
In brand phishing attacks, threat actors send carefully crafted fake emails that appear to have come from the brand itself or from one of its partners. The objective is to convince users that the email is genuine and then trick them into clicking on malicious links or attachments. The ultimate goal is to get into their accounts and systems and steal personal information or banking credentials.
Founded in 2006, Roblox is a virtual universe where users can create worlds and share experiences. The platform can be accessed on smartphones, gaming consoles, and VR headsets including Oculus Rift.
Interest in platforms such as Roblox has soared after the pandemic and the shift to remote work and learning. Its monthly active user base grew to 202 million in April 2021 from 146 million in April 2020, as per RTrack. Over 30 million users were added to the platform after Facebook CEO Mark Zuckerberg revealed his plans to transform Facebook into a Metaverse company and changed the company's name to Meta Platforms to reflect it.
Last month, actor and singer Paris Hilton launched her Metaverse business on Roblox. Hilton created an island called Paris World, where visitors can explore a digital version of her Beverly Hills estate. In November, Nike launched its virtual world called Nikeland on Roblox where users can outfit their digital avatars with the latest Nike products.
The growing use of the Roblox brand name for phishing is also concerning as over 50% of its user base is under 13 years of age, as per Statista.
Security experts are wary about the risks Metaverse platforms pose, especially as they are increasingly being linked to non-fungible tokens (NFTs) and cryptos.
Nick Biasini, Head of Outreach at Cisco Talos, believes Metaverse is cybersecurity's wild west. "Because the metaverse is tied to this largely unregulated, quasi-new era of cryptocurrency, there’s a huge potential for scams. You have a place with low regulation and low legal recourse for victims — it’s extremely attractive to criminals," said Biasini, as per SDXCentral.
Rinaldo Pereira, Business Fundamentals Analyst at GlobalData, warned that all the crypto, NFT, VR, AR and gaming hype around the Metaverse seems to be overshadowing cybersecurity risks.
"Businesses will need cybersecurity solutions to avoid fraud in the Metaverse by mitigating privacy concerns in VR and AR, while the largely unregulated crypto and NFTs continue to pose risks," added Pereira.