The distributed, peer-to-peer (P2P) InterPlanetary File System (IPFS) has become a hotbed of phishing-site storage: Thousands of emails containing phishing URLs utilizing IPFS are showing up in corporate inboxes.
According to a report from Trustwave SpiderLabs, the company found more than 3,000 of these emails within its customer telemetry in the last three months. They lead victims to fake Microsoft Outlook login pages and other phishing webpages.
The Astronomical Advantages of IPFS
IPFS uses P2P connections for file- and service-sharing instead of a static URI resource demarcated by an HTTP host and path, according to the Thursday analysis — which offers big benefits for malicious users.
For one, IPFS is designed to be resistant to censorship by making content available in multiple places — meaning that even if a phishing site is taken down in one place, it can quickly be distributed to other locations. This makes it very difficult to stop a phishing campaign once it's started.
"In a centralized network, data is not accessible if the server is down or if a link gets broken. Whereas with IPFS, data is persistent," the report notes. "Naturally, this extends to the malicious content stored in the network."
P2P also gives those phishers an additional layer (and potentially multiple layers) of obfuscation because the content doesn't have a static, blockable address — which makes phishing emails more likely to evade scanners and arrive in a victim's inbox.
"So, in addition to the benefits for attackers [related to] 'traditional cloud services,' this layer of obfuscation provides the attackers with additional benefits," Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading.
Furthermore, because IPFS is a decentralized system, there is no central authority that can take down a phishing site. This makes removing phishing sites hosted on IPFS much harder for law enforcement and security researchers.
"This represents a significant evolution in phishing, as it's now much harder to take down phishing sites and block access to them," says Atif Mushtaq, founder and chief product officer at SlashNext, an anti-phishing company. "Organizations need to be aware of this new development and adjust their defenses accordingly."
He explains that one way to do this is to use DNS sinkholing to block access to IPFS-based phishing sites. That's a technique where DNS requests for a phishing site are redirected to a dummy server.
"This prevents users from accessing the phishing site, as they will only be able to reach the dummy server," Mushtaq says. "Organizations can also use Web filters to block access to IPFS-based phishing sites."
More Sophisticated IPFS Tactics Likely to Emerge
Mushtaq warns that phishers may start using even more sophisticated methods for replicating sites, such as distributed hash tables (DHTs), a type of data structure often used in P2P systems that provides a way to distribute data across many different machines.
Sigler says there will likely be greater adoption of IPFS by malicious actors, which will have the effect of making the technique more common and likely easier to spot.
"However, with more focus from those attackers, we will likely see more creativity brought to the table and IPFS utilized in ways we haven't see yet," he adds.
Phishing Overwhelms Orgs
Phishing attacks are already causing massive security headaches for organizations: Just this week, Ducktail was discovered targeting marketing and HR professionals through LinkedIn to hijack Facebook accounts. And earlier this month, Microsoft announced that 10,000 organizations were targeted in a phishing attack that spoofed an Office 365 authentication page to steal credentials.
Sigler explains that the use of IPFS for obfuscation can confront security admins with an attack vector that they may not have considered before.
"We recommend educating yourselves and your staff about how IPFS works and take a look at the specific examples in the blog post for how IPFS is utilized in specific ways," he says. "Given how it's being utilized by phishing campaigns right now, we also recommend monitoring for unexpected email for URLs that contain IPFS pointers."
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says the first response with phishing is always the same: better user education.
"A phisher, in any of their myriad forms, relies on a target not being attentive and falling for their bait," he explains. "Here, the attackers are using IPFS to help conceal their origin, but a prepared user should be able to see through the ruse and not take the bait."
He points out it's hard to say how threat actors will alter their techniques going forward.
"As defensive tools get better, the attackers adapt and improve their game. The challenge is getting the users educated to recognize these attacks and not take the bait," he explains. "Moving to IPFS for distribution gives threat actors some advantages but doesn't change the fact that a lot of these attacks rely on the victim not realizing they are being attacked."