Cyber criminals ‘smell’ opportunities to exploit new ecosystems
The metaverse, or virtual reality space, is gaining attention from a wide range of people, businesses, venture capitalists and governments.
However, a massive component of the ecosystem is cyber criminals looking for opportunities to scam, said Anna Collard, SVP of content strategy and evangelist, KnowBe4 Africa.
Collard made the comments at the ITWeb Security Summit last week, during her presentation about the security challenges of the metaverse, non-fungible tokens (NFTs) and the blockchain ecosystem.
Dubbed the next evolution of social connection, a “metaverse” is a virtual reality space where users in different parts of the globe can interact with each other and with virtual beings in a computer-generated environment.
South Africa’s metaverse and NFT market is expected to gain popularity this year, as more local companies dabble with immersive technologies to deliver operational and revenue improvements.
Collard noted that criminals are looking to take full advantage of the fact that the metaverse is such a new environment, where people are a bit naïve and don’t know better.
Explaining some of the security risks that exist, she said: “From the user-level, there is social engineering, phishing, etc. There is specific malware that is written to target people that play in this space.
“Clipper, for example, steals whenever you copy paste…you pay somebody else to use their public key, which is this long string. Nobody types it out, you just copy paste it. What Clipper does is steal that one and replaces it…whatever you were transferring goes to the attacker.”
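The clipboard swap Collard describes can be spotted from the defender's side by watching for one wallet address replacing another almost immediately after a copy. The sketch below is an added example, not code from the presentation or from KnowBe4. The address formats, the two-second window, the `find_swaps` name and the sample snapshots are all assumptions made for illustration.

```python
import re

# Address shapes only, no checksum validation (assumed formats; the
# article does not name a currency).
PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc_base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
}

def address_kind(text):
    """Return the address format the whole clipboard text matches, or None."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def normalise(kind, text):
    """Hex addresses compare case-insensitively; Base58 and Bech32 do not."""
    value = text.strip()
    return value.lower() if kind == "eth" else value

def find_swaps(snapshots, window=2.0):
    """Flag an address replaced by a different address of the same kind
    within `window` seconds, faster than a person re-copies by hand."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if kind is None or kind != address_kind(after):
            continue  # not an address-for-address replacement
        if normalise(kind, before) == normalise(kind, after):
            continue  # same address, only case or whitespace changed
        if t1 - t0 <= window:
            alerts.append({"time": t1, "kind": kind,
                           "copied": before.strip(), "now": after.strip()})
    return alerts

# Constructed sample data: (seconds, clipboard text). Addresses are made up.
PAYEE = "0x" + "a1" * 20
OTHER = "0x" + "b2" * 20
SNAPSHOTS = [
    (0.0, "invoice 4411"),
    (5.0, PAYEE),                 # user copies the payee's address
    (5.3, OTHER),                 # replaced 0.3 s later: flagged
    (60.0, PAYEE.upper().replace("0X", "0x")),
    (60.2, PAYEE),                # same address, different case: ignored
    (90.0, "1" + "A" * 30),
    (200.0, "3" + "B" * 30),      # different address, long after: ignored
]

if __name__ == "__main__":
    for alert in find_swaps(SNAPSHOTS):
        print("possible clipboard swap:", alert)
```

A wallet or endpoint agent could run the same comparison at paste time and ask the user to re-check the destination before the transfer is signed.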
She continued: “Distributed apps, apps are written by people and people make mistakes, and there are software vulnerabilities. The platforms themselves, a lot of them suffer from traditional vulnerabilities, they have to do key management to store the private keys.
“A lot of the custodial platforms that look after the private keys of their customers, they are really hot property because if I can get into them, I can get the customers’ wallets or the assets that the custodian is looking after.
“There are lots of trading malpractices; it’s a little bit like the Wild West. No know-your-customer (KYC) rules, no anti-money laundering rules, etc. Even though that’s changing now, a lot of the legitimate exchanges and platforms are looking at complying with more traditional regulations.
“America, as part of the ransomware fight, is putting pressure on the exchanges to comply with regulation. Still, there is a lot of Wild West thing going on.”
Collard pointed out that the amount of money that has been stolen in this space makes ransomware and cyber extortion criminals look like kindergarteners.
“Just this year alone, $1.9 billion have been exploited just from the DeFi [decentralised finance] protocols and the platforms themselves. That’s a lot of money to be stolen in the first five months.
“Another typical attack is when they exploit vulnerabilities in the smart contracts themselves, pretty much what we’re used to in the Web 2.0 old world,” she stated.
She pointed out that a lot of existing regulations, such as anti-money laundering and KYC rules, can be applied relatively easily to centralised organisations such as the exchanges, and that this is happening right now.
“If something goes really decentralised…it will become really interesting from a regulative point of view. How do we regulate these organisations that are not actually business entities? Maybe the regulation technology can also be part of that and verify certain things automatically.”