Cisco Talos, an intelligence group that provides intelligence and threat updates, has revealed the top security risks in Web 3.0. This latest iteration of the World Wide Web will include the immersive 3-D experience known as the “Metaverse”, a virtual reality environment where people can explore, shop, play games, spend time with friends, attend a concert, or take part in business meetings.
“As the internet morphs into the metaverse, a whole new range of opportunities, capabilities and features are opening up to users, institutions, governments and businesses. Despite all these possibilities, Web 3.0 is also seeing increasing security threats that can be exploited by hackers and criminals. The team of researchers at Cisco Talos has done a deep dive to highlight the most common security challenges, driven by cryptocurrency, blockchain technology, decentralized applications, and decentralized file storage. Plus, they offer insights on what users should look out for to stay safe and protected while online,” said Fady Younes, Cybersecurity Director, Cisco Middle East and Africa.
Below are the top 5 common security concerns for Web 3.0.
- ENS Domains
Because of the growing popularity of digital currency, more Ethereum Name Service (ENS) domains are being used. An ENS domain is a simple name that is used to locate the linked bitcoin wallet address. As a result, third parties have trademarked and resold famous domain names. Consequently, nothing stops the owner of an ENS domain from using it to dupe naïve users into thinking they’re dealing with a reputable company. These ENS domains also point to wallet addresses, allowing anyone to view the contents of the wallet connected with the name at any moment.
- Social engineering
The risk of social engineering is always present when people are learning a new technology, and Web 3.0 is no exception. The majority of security incidents impacting Web 3.0 users are caused by social engineering tactics such as wallet cloning. Users should be wary about being duped into sharing their “seed phrase.” If their bitcoin wallet is lost or destroyed, a user can restore the wallet and all its contents by using a 12- to 24-word “seed phrase,” which is effectively their private key. Anyone with access to a cryptocurrency wallet’s seed phrase (private key) can clone the wallet and use it as their own. As a result, many fraudsters looking to steal cryptocurrencies or non-fungible tokens (NFTs) look for a user’s seed phrase.
- Beware of fake customer support agents
Another tactic attackers employ to separate users from their seed phrase is to impersonate a customer service worker who responds to publicly posted Twitter or Discord server queries. Criminals keep an eye on these channels and will contact people to offer “assistance” in exchange for their seed words.
- Whales
Whales are high-profile cryptocurrency accounts that possess significant amounts of cryptocurrency or NFTs. According to some estimates, 40,000 whales possess 80% of all NFT value, making them a desirable target for cyber thieves. Scammers realize that many lesser investors keep an eye on these whales’ wallets, so they will use social engineering to persuade them to invest in their own fictitious enterprises. The source code for the smart contract in most valid NFT projects is readily available. For potential investors, the fact that a project’s code has not been provided should be a red flag.
- Malicious smart contracts
While some attackers target weaknesses in valid smart contracts, others create their own malware and upload it to the blockchain as malicious smart contract code. Malicious smart contracts feature all of the regular smart contract functions, but they behave in unexpected ways.