Art installation "Machine Hallucinations – Space: Metaverse" by media artist Refik Anadol.
- Spiking interest in the “metaverse” is making it a hotbed for scams and cyberattacks.
- Cisco researchers report cybercriminals using new methods like malicious smart contracts to defraud people.
- In an interview with Insider, they outlined the steps businesses can take to avoid scams.
The metaverse push may be new, but business in the virtual world is already booming as companies, investors, and individual consumers spend billions on digital goods.
But the rapid influx of cash — along with the fact that the space is almost entirely unregulated — has made the metaverse a hotbed for scams and cyberattacks, according to threat researchers from Cisco’s Talos Intelligence Group.
“There’s a huge potential for things like fraud and other traditional crimes, without there having the safety precautions that you have in other areas,” Cisco Talos head of outreach Nicki Biasini told Insider. “And for the people affected by these scams, there’s not a lot of recourse.”
Some of the scams Talos logged resemble tactics dating back to the earliest days of the internet, when bad actors posed as reliable sellers to trick people into spending money or handing over personal information. But new technology inherent to the metaverse — which relies on cryptocurrency payments and assets that live on the distributed architecture known as the blockchain — are giving scammers new avenues to defraud people.
One new type of cyberattack relies on smart contracts, or pieces of code on the blockchain that automatically run when certain conditions are met. In theory, smart contracts guarantee that a buyer will receive a digital asset like an NFT once they submit payment, but scammers are increasingly setting up malicious smart contracts that don’t do what they advertise.
“We’re seeing malicious smart contracts where they get you to approve a transaction, but you’re actually executing a function that gives a third party access to all the tokens and cryptocurrency in your wallet,” Talos technical lead Jaeson Schultz told Insider. “It’s very easy for people to fall for these things because very few people are actually gonna take the time to actually read the smart contract, even if it is published.”
Talos researchers have also seen cybercriminals posing as trusted brands to trick people into spending money. For example, one user on Ethereum, a popular blockchain platform, has claimed domain names like wellsfargo.eth, bloomingdales.eth, and foxnews.eth, which could open the door to scams where they pose as those brands to defraud people.
And because blockchain architecture is decentralized without a single administrator, there’s no recourse to return those domains to their rightful owners.
“There’s nothing that anyone can do to take these away. Once it’s minted on the blockchain, it’s essentially permanent. So this opens the door for a large amount of fraud,” Schultz said.
To avoid falling victim, Schultz recommends people or companies doing business in the metaverse should avoid sharing any information about the assets they own, which could make them a target for scammers.
Buyers should also carefully read smart contracts before signing them, he added. For an added level of caution, people carrying out transactions should transfer the exact amount of cryptocurrency to a separate wallet rather than connect their main wallet.
“Because people are new to this space, it’s creating opportunities for these attackers. So our best weapon right now is educating people about what to look out for,” Schultz said.