Summary
Netskope Threat Labs is tracking phishing campaigns abusing InterPlanetary File System (IPFS) to deliver their payloads. From March 1 to April 30, Netskope Threat Labs has seen a 7x increase in traffic to IPFS phishing pages. The attacks have been targeting victims mainly in North America and Asia Pacific across different segments, led by the financial services, banking, and technology sectors.
IPFS was first launched in 2014 and has been steadily increasing in popularity since. As with any popular technology, cyber-criminals find ways to abuse it. In this blog, we provide users an overview of how IPFS works and how attackers are abusing IPFS to host traditional credential phishing campaigns.
What is IPFS?
InterPlanetary File System (IPFS) is a protocol that allows decentralized file storage and delivery networks. It is a peer-to-peer (P2P) system that uses content addressing instead of location addressing.
Files uploaded to IPFS are assigned a unique identifier called CID or Content Identifier. It is a string of characters generated through the file content’s cryptographic hash. The CID serves as a permanent address of a file and can be used by anyone to find it on the IPFS network.
Files added to IPFS are stored on several independent nodes. If one or multiple nodes goes offline, other nodes can still serve up the file. Since it is decentralized, the content is censor-resistant, so it’s difficult to remove the content as you will need to remove it from multiple independent nodes.
Those who do not host a node can still download files in IPFS using an IPFS gateway. IPFS gateways bridge HTTP to IPFS, helping users navigate IPFS content using traditional web browsers. A list of current IPFS gateway lists is found here.
Users may use the URL format to identify whether the content they are downloading is hosted on IPFS.
IPFS URL formats:
- hxxps://<gateway URL>/ipfs/CID/optional_path/file.html
- hxxps://<CID>.ipfs.<gateway>/optional_path/file.html
There are multiple ways to upload and share files on IPFS:
- IPFS Desktop Application
You may install an IPFS application to make your local device a node. This allows you to store your file locally. To share the file, you may provide the Content Identifier (CID) to IPFS users, or share the URL link to those who are not.
When you install an IPFS application, you can also store files from other nodes.