Hackers could impersonate users to steal credentials or launch ransomware attacks. Microsoft’s head of security Charlie Bell recently said in a blog post that the novelty of the metaverse could pose challenges. “In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face—literally—like an avatar who impersonates your coworker, instead of a misleading domain name or email address,” Bell wrote.
Meta Threats
The metaverse concept is pitched by companies ranging from Meta to Microsoft as a place where users can communicate, work and play inside virtual worlds. But Bell said the seemingly familiar faces would present some unique security risks. “Picture what phishing could look like in the metaverse—it won’t be a fake email from your bank,” wrote Bell. “It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room.” Users are more likely to trust people in the metaverse because they are dealing with an avatar’s representation of an actual human, Rizwan Virani, the CEO of Alliant Cybersecurity, told Lifewire in an email interview. “If an online account is compromised, it may lead to more serious consequences because of this heightened trust,” Virani said. Talos, tech giant Cisco’s intelligence group, recently published a report that found the potential for malicious activities in the metaverse. One area of concern that researchers pointed to involves cryptocurrency. The ability to inspect the contents of any crypto wallet address in the metaverse could allow hackers to trick unsuspecting users into believing they are dealing with a verified organization, such as a bank. “The metaverse is the next iteration of social media, and identity in the metaverse is directly tied to the cryptocurrency wallet that [is] used to connect,” the report’s author Jaeson Schultz wrote. “A user’s cryptocurrency wallet holds all of their digital assets (collectibles, cryptocurrency, etc.) and in-world progress. Since cryptocurrency already has over 300 million users globally and a market capitalization well into the trillions, it’s no wonder that cybercriminals are gravitating toward the Web 3.0 space.” The metaverse holds privacy risks as well. Users should expect their publicly available data to be scraped by intelligence agencies, law firms, and hiring firms, cybersecurity expert and IEEE senior member Kayne McGladrey said in an email interview. “User accounts with easily guessed passwords and a lack of multi-factor authentication will be breached and used for either impersonation or theft of NFTs,” McGladrey said. “And users can expect that multiple foreign intelligence agency troll farms will continue to produce content to sway public opinion and elections, a job which will be made easier by the biometric tracking inherent in modern VR headsets.”
Staying Safe
To stay completely safe, McGladrey advises that you wait to consider joining the metaverse. Eventually, he predicts, a congressional investigation of metaverse security and privacy practices will force changes in response to the “inevitable breaches.” But social media managers, brand advocates, and early NFT speculators may not want to wait before jumping into the metaverse. Those who want to join the metaverse right away should ensure that they have enabled multi-factor authentication on their accounts to prevent the easiest type of account takeovers, McGladrey said. In the future, the metaverse could bring its own unique threats that take advantage of the anonymity afforded by the platform. Recently, the “deepfake,” one of the newest types of misinformation attacks that uses a form of artificial intelligence called deep learning to make images of fake events, was deployed during the war in Ukraine to perpetuate a false Ukrainian surrender, Virani noted. “This same technology could be exploited in the metaverse, making it impossible to verify if you are really conversing and doing business with the human supposedly on the other side of the technology,” Virani said.
