To run a phishing operation, cybercriminals generally need to host phishing pages online. Victims connect to these pages and enter their credentials or credit card numbers, falling for the fraud.
Phishing campaigns are generally detected within minutes, because they tend to target a lot of people and some of them immediately report the campaign to security companies or CSIRTs (computer security incident response teams). Those teams might investigate the case, but generally the first priority is to have the web content shut down, so that anyone clicking on the fraudulent link a bit later cannot access it. It can be a matter of minutes or a few hours before the phishing content is taken down.
This explains why cybercriminals spend a large amount of time either compromising websites to host their phishing content or registering with free web hosting services to store it. Increasing the availability and uptime of their phishing pages definitely sounds like a good idea to cybercriminals. This is where IPFS comes in.
What is IPFS?
IPFS stands for InterPlanetary File System. IPFS is a peer-to-peer network and protocol for hosting data that was created in 2015. It is built on a decentralized system, in much the same way as torrents. Users can access the content via an address, and other peers can find and request the content from any node that has it using a distributed hash table (DHT).
Users who are not part of that global IPFS network can access its content by using various IPFS gateways (Figure A).
Any file stored on IPFS can be retrieved via a unique Content Identifier (CID) using the following convention:
Any file requested from IPFS is served via any participating node on the network.
What are IPFS benefits for cybercriminals?
Phishing pages sitting on IPFS are trickier to take down, compared to usual phishing pages hosted on the clear web. Since several IPFS nodes can host the content, the phishing page could stay online for an undetermined period that could last for months, or naturally vanish if no node is hosting it anymore.
Making sure this fraudulent content is taken down takes more effort than usual for cyberdefenders. They need to reach all the gateways that lead to the file and ask for removal of the content from their cache.
Luckily enough, even if the content stays online, the links to the fraudulent content can always be reported to anti-phishing services such as Google Safe Browsing, which will quickly have the links flagged as malicious and prevent users from accessing them.
IPFS phishing examples
Researchers from the SpiderLabs team at Trustwave exposed a few IPFS phishing cases recently.
The Chameleon phishing page changes its appearance based on the email address of the victim: it loads a logo and background content based on that address (Figure B).
Another example provided by Trustwave shows a phishing email pretending to come from Microsoft, about an Azure subscription. The email contains a malicious HTML file leading to a phishing page actually hosted on the IPFS network (Figure C).
Once the user has opened the attachment, the phishing page hosted on the IPFS network is loaded. It asks the user to click a contact link, then shows the phishing page asking for the user’s Microsoft credentials (Figure D).
A threat that will keep growing
IPFS is not a brand-new technology, yet its adoption by cybercriminals is a new phenomenon, and a predictable one. Every time a new technology evolves, criminally minded people find ways to pervert it for their needs.
Trustwave indicates that it has observed more than 3,000 emails containing phishing URLs that used IPFS in the past 90 days and mentions that “it is evident that IPFS is increasingly becoming a popular platform for phishing websites.”
What can be done against IPFS phishing?
As noted above, IPFS is a peer-to-peer network, which makes content takedown harder. For a page stored on the usual web, it only takes a report to the hosting company or DNS provider to have it shut down; for a page on IPFS, every IPFS gateway that leads to the fraudulent content has to be addressed.
The fastest way to prevent such phishing pages from being accessed by internet users is to report them to anti-phishing services, which will block access for all users running those services.
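Because the same content can be reached through many gateways, it helps to key reports and blocklists on the CID rather than on the gateway hostname. The following is an added example, not code from the original article or from Trustwave: it groups reported URLs by CID, assuming the two common gateway URL layouts (`/ipfs/<CID>` in the path, or `<CID>.ipfs.<gateway>` as a subdomain). The hostnames and CIDs are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# CIDv0 is base58 ("Qm" + 44 chars); CIDv1 in base32 starts with "b".
CID = r"(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})"
PATH_STYLE = re.compile(r"^/ipfs/" + CID + r"(?:/|$)")
# Hostnames are case-insensitive, so subdomain gateways carry base32 CIDv1 only.
SUBDOMAIN_STYLE = re.compile(r"^(b[a-z2-7]{58,})\.ipfs\.(.+)$")

def extract_cid(url):
    """Return (cid, gateway_host) for an IPFS gateway URL, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the hostname
    m = SUBDOMAIN_STYLE.match(host)
    if m:
        return m.group(1), m.group(2)
    m = PATH_STYLE.match(parts.path)
    if m:
        return m.group(1), host
    return None

def group_by_cid(urls):
    """Map each CID to the set of gateways it was seen behind."""
    groups = defaultdict(set)
    for url in urls:
        hit = extract_cid(url)
        if hit:
            cid, gateway = hit
            groups[cid].add(gateway)
    return dict(groups)

# Constructed sample data: placeholder CIDs and gateway names, not real indicators.
CID_V0 = "Qm" + "a" * 44
CID_V1 = "bafybei" + "a" * 52
SAMPLE_URLS = [
    f"https://gateway-one.example/ipfs/{CID_V1}/index.html",
    f"https://{CID_V1}.ipfs.gateway-two.example/index.html",
    f"https://gateway-three.example/ipfs/{CID_V0}",
    "https://www.example.org/ipfs/readme.html",   # not a CID, ignored
]

if __name__ == "__main__":
    # One line per CID: every gateway listed needs its own report.
    for cid, gateways in group_by_cid(SAMPLE_URLS).items():
        print(cid, sorted(gateways))
```

The grouping is by CID string, so a CIDv0 and a CIDv1 that point to the same content are listed separately.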
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.