The Metaverse Could Become a Top Avenue for Cyberattacks in 2023

Expect to see attackers expand their use of current consumer-targeting tactics while exploring new ways to target Internet users — with implications for businesses.

4 Min Read
metaverse concept. man with virtual reality VR goggle playing AR augmented reality game
Source: thinkhubstudio via Shutterstock

A combination of maturing and emerging consumer-facing cyber threats could add to the many challenges that enterprise security teams will need to contend with in 2023.

Researchers at Kaspersky, looking at how the cyber threat landscape will likely evolve over the next year, expect that threat actors will expand use of many of their current tactics while exploring new avenues for attack via social media, streaming services, and online gaming platforms.

For business admins, the expansion of brands into the world of the metaverse (the theoretical universal and immersive virtual world of the Internet, facilitated by the use of virtual reality and social media) could open them up to attack. And in the era of remote work and bring-your-own-device (BYOD), any consumer threat is potentially an enterprise one, so IT security teams would do well to follow the trends in this space.

Attacks Using Current Techniques Will Grow...

The security vendor for example expects that cybercriminals will continue to take advantage of the post-pandemic surge in consumer interest around online streaming services to try to distribute malware, steal data, and execute other malicious activity.

Many of the attacks will target individuals looking for alternate sources for downloading a legitimate streaming app, or a particular episode of a show. Expect to see cybercriminals use widely anticipated titles and streaming service provider names such as Netflix, Hulu, and Amazon Prime Video as lures to get users to download malware or to direct them to phishing sites, according to Kaspersky.

Consumers will also face more gaming subscription fraud and scams that involve online currencies and artifacts. Attackers will primarily target games that use currencies and allow sale of in-game items and boosters because they give threat actors a way to process money obtained from other illegal activities.

In a report earlier this year, Kount, an Equifax-owned fraud protection service, also identified online currencies as offering a plethora of opportunities for adversaries to launder money and carry out payment card fraud. "For example, a fraudster creates a free account for an online multiplayer game then uses stolen credit cards to fill up the account with in-game currency and skins," Kount researchers had noted, adding, "Once the account is loaded, the fraudster sells it on a trading site," for anywhere between several hundreds to several thousands of dollars.

Kaspersky expects that attackers will also try to exploit a continuing shortage in the availability of popular gaming consoles via fake pre-sale offers as well as fraudulent giveaways and discounts from online stores purporting to sell hard-to-find consoles.

...Even as Threat Actors Explore New Attack Avenues

Meanwhile, the metaverse, online education platforms, and certain categories of health-related apps will all become new avenues for attack in 2023, Kaspersky said.

Privacy will emerge as a major concern in the metaverse, Kaspersky predicted. "As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification," Kaspersky said.

Others have also expressed concern over the increased amount of personal information that will be collected in fully immersive environments via VR headsets and their collection of cameras, microphones, and motion trackers. Many expect the data will reveal a lot about a user's location, appearance, and other private information while also enabling attackers to carry out more sophisticated phishing and social engineering scams.

At least some of the attacks in virtual reality and augmented reality environments will involve virtual abuse and sexual assault — such as that involving cases of avatar rape, Kaspersky said.

The security vendor pointed to an incident where an avatar associated with a researcher at a nonprofit advocacy group was raped on a metaverse platform owned by Meta as one example of the kind of issues consumers can increasingly run into.

Despite efforts by technology companies to build protection mechanisms into metaverses, "virtual abuse and sexual assault will spill over into metaverses," Kaspersky said. "As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023."

"The metaverse represents an area where consumer threats will be different from years past," says Anna Larkina, a security expert at Kaspersky. "Fake, malicious VR and AR apps, as well as privacy risks and potential abuse associated with this new frontier, will account for threats we haven't necessarily seen before," she says.

Certain kinds of apps — such as those related to meditation or those where a consumer might offer a hint of their current emotional state — could become another new attack avenue, Larkina says.

"It is easy enough to imagine a variety of applications for meditation, in which you indicate your current state/emotions, and they select the appropriate course for you," she explains. "Such data can easily be collected and stored in order to track the state of the user and offer them suitable meditation practices." An attacker that gains access to such data could execute successful spear-phishing and social engineering scams in a highly targeted manner, she notes.

Attacks targeting consumers should matter to enterprise security teams because attacks on companies quite often involve the human factor, Larkina says. "If the system is technically secure enough, then you can get inside the system by 'hacking' employees of the company."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights