The term “metaverse” was first used in Neal Stephenson ‘s 1992 cyberpunk novel Snow Crash. The novel depicts a virtual world that can be explored using an avatar, providing the player with a fully immersive experience. Similar worlds can now be found in massively massively multiplayer online role-playing games (MMORPGs) such as Roblox, Minecraft, Fortnite, and Second Life, which are depicted in Snow Crash. I have to say that it is still far from an immersive experience.
In the latest conception, the metaverse consists of multiple virtual spaces that are independent but connected. This makes it impossible for one company to build the entire metaverse on its own. Even with an optimistic outlook, it will take 5–10 years for a full-fledged metaverse to fully roll out. Metaverse games and applications already exist, such as Decentraland, Crypto Voxels, Minecraft, and Second Life, but they are primarily designed for gamers rather than the general public. In the future, Trend Micro believes that everyday activities such as remote work, entertainment, education, and shopping will take place in the next generation of Metaverse-like applications. Many of these applications naturally share cyberspace. Ultimately, as the underlying technologies (hardware, software, network infrastructure, and ubiquity) mature, it will morph into a single metaverse. In this shared space, users can easily switch between applications and access the Metaverse using a wide variety of hardware.
But the Metaverse also attracts crimes that exploit its unique characteristics. This blog provides an overview, and a research paper provides more details.
What exactly is the Metaverse?
There are many opinions about what the Metaverse is and how it fits into the Internet picture. Trend Micro has created the following interim definitions to aid research:
The Metaverse is a cloud-distributed, multi-vendor, immersive interactive operating environment that users can access using a diverse category of connected devices, both static and mobile. The Metaverse uses Web 2.0 and Web 3.0 technologies to implement an interaction layer over the existing Internet. Metaverse is proposed as an open platform for working and gaming within VR/AR/MR/XR environments. This is a similar concept to existing MMORPG platforms, but while MMORPGs each represent their own single virtual world, the Metaverse allows players to seamlessly move between multiple virtual spaces with their virtual assets. The Metaverse is not just a platform for human users. It is also the communication layer of smart city devices, which allows humans and AI to share information.
In essence, the Metaverse will be the Internet of Experiences (IoX) . However, it is quite to be expected that this definition will evolve as the concept of the metaverse evolves.
What Threats Affect the Metaverse?
Predicting cyber threats to a product space that does not yet exist and may or may not exist in the form we imagine it to be is difficult. With this in mind, Trend Micro has consulted to better understand the Metaverse and identify threats to and within the Metaverse.
NFTs
Various opinions have been expressed about the use of non-fungible tokens (NFTs) within the metaverse. An NFT is a unique unit of data that is recorded on a blockchain and can be traded. NFT data can include hashes and links to digital files (text, photos, video, audio, etc.) to verify ownership of digital assets. NFTs manage asset ownership but do not store assets, exposing users to threats such as ransomware attacks. Once the files are encrypted by the ransomware, the NFT owner will not be able to access the files. Additionally, assets can be effectively stolen if the underlying blockchain is vulnerable to Sybil attacks .
Scammers can also mimic NFTs by subtly tampering with a few bits of data in “protected” files to sell essentially the same digital asset. As demonstrated by Moxie Marlinspike, assets can also be manipulated by modifying the content returned from the URL stored within the NFT.
In addition, there are security issues around asset transfers. Moving digital assets between metaverse development solutions spaces incurs costs. This is because assets must be validated, and incompatible assets must be “converted” before they can technically be used on different platforms. Asset brokers are used for this, but scammers posing as asset brokers can trick users.
Until best practices and rules are established, virtual trading routes risk becoming lawless. If it is firmly rooted in blockchain technology, it will be an inherently chaotic market. There is no clear government agency or legal entity to help in the event of fraud. Existing attacks such as phishing and drive-by downloads are also more effective because of the trust that this interactive space creates.
Darkverse
The Darkverse will be similar to the Dark Web and will be an anonymous space for malicious users to interact. This pseudo-physical entity mimics the real-life space used for clandestine meetings and is suitable for criminals to facilitate illegal activities. On the other hand, it can also be a safe space to speak freely against oppressive groups and governments.
The world of Darkverse can be configured to be accessible only when the user is in a designated physical location. Doing so protects a closed metaverse community. The use of location-based and proximity messages will make it difficult for Law Enforcement Agencies (LEAs) to intercept Metaverse data.
The Darkverse is particularly problematic because serious crimes such as child pornography are already a big problem on the Internet. Such crimes are poorly defined from a legal standpoint and are extremely difficult for the LEA to police in the virtual space.
financial fraud
The high volume of e-commerce transactions in the metaverse makes them attractive to criminals looking to steal money and digital assets. In the Metaverse, a new digital economy (using Bitcoin, Ethereum, cash, PayPal, e-Transfer, etc.) will operate, and exchange rates will be controlled by a free (and possibly chaotic) market. This makes it an easy target for criminals looking to manipulate the market. A company that exists only in the metaverse does not belong to any jurisdiction and may be able to avoid income tax. Metaverse investors may also be victims of investment and securities fraud. Moreover, the entwined system of digital currencies, digital assets, and fiat money is at risk of triggering a crash similar to that of the Terra/Luna cryptocurrency in 2022 .
Digital currencies are convenient for receiving funds, but publishers face complex financial issues, possibly at a regulatory level, when users are scammed or transaction issues arise. If a user is scammed or stolen, it is nearly impossible to get help, prosecute, or take legal action when using a decentralized digital currency.
In the Metaverse, we can expect to artificially inflate the value of digital assets through false endorsements, promotions, and investments. For example, the value of virtual ‘land’ is highly impression dependent and can be manipulated by a variety of factors.
social engineering
Social engineering is a broad term for malicious interactions between humans aimed at tricking users into making security mistakes or revealing sensitive information. Social engineering scams are more successful when scammers have more information about their targets. In the Metaverse, operators can use personal information such as gaze, body, voice, and motion tracking to conduct accurate sentiment analysis. All this data is collected and can be stolen or misused.
Criminals and nation-state actors will seek out sensitive and vulnerable groups on specific topics and try to influence them by dropping targeted stories. The metaverse is ideal for deepfakes for criminal purposes. Combining audio and video makes for a powerful voice (and manipulation tool).
Metaverse operators should also be wary of intruders who attempt to mislead Metaverse users by impersonating official avatars. In this case, deepfakes may not be necessary as the avatar’s assets can be easily harvested and replicated. If you can spoof an official avatar skin, you can infiltrate the Metaverse space and do bad things, damaging the image of the impersonated company.
Criminals can also use the metaverse to impersonate doctors and get paid for giving fake medical advice to patients. Fraud in a broader sense includes building fake news worlds and using them as VR honeypots for sensitive information gathering, or malicious advertisers selling trojanized digital products. is possible.
As the Metaverse transcends physical boundaries, people will be easily exposed to scammers from all over the world, and social engineering crimes will become more serious.
summary
The Metaverse is the next evolutionary step in augmented, mixed and virtual reality. The Metaverse uses new technologies to provide users with a fully immersive experience, the Internet of Experiences (IoX). In the Metaverse, users have the impression of participating in real-world events.
The Metaverse Development Services is a layer added to the Internet with the goal of providing transparent connectivity to any device. But it doesn’t seem like developers are heeding the advice of their decades-old predecessors and designing for security and privacy. Every effort must be made to prevent the Metaverse from becoming a rogue and dangerous space infested with criminals. Developers should incorporate technical and social safeguards from the beginning. Without such safeguards, the Metaverse could become an even more dangerous space than the current Internet : the Metaverse .