Will Cyber Threats Break Loose In The Metaverse?


Cybersecurity might become more complicated with a new wave of technological innovation on the horizon.

Organised cybercrime is a billion-dollar industry, and it has a new territory to exploit: the metaverse. Here, augmented reality (AR), virtual reality (VR), the Internet of Things (IoT), and cryptocurrencies merge to align the online and offline worlds. This opens new doors for threat actors to target businesses, say data and cybersecurity experts.

“Yes, there is a possibility of cyberattacks increasing. In fact, data security would be a key concern and will need some fundamental regulations to protect user information, as it will reflect the physical reality very closely,” said Anushree Verma, Director Analyst at Gartner.

The fact that the metaverse is fundamentally built on blockchain technology is a significant factor. Because it is decentralised, no admin or moderator can take responsibility for security and control. Although the technology is secure, it is not immune to vulnerabilities. Phishing attacks will increase, and NFT scams, malicious smart contracts, malware and data breaches through AR/VR devices, and cryptocurrency scams will trouble security leaders every so often. Ransomware is already a substantial concern. The FBI is tracking over 100 ransomware attacks, and the numbers will only increase with the rise of the metaverse and Web 3.0.

The only thing worse is the possibility of new and mutated forms of cyberattacks for which organisations might not be prepared.

“While we cannot know exactly what the security implications of the metaverse platforms will be, we can expect the next phase to involve protecting virtual assets such as virtual currency and continuing to maintain virtual identity ownership from a security perspective,” said Anna Chung, Principal Researcher – Unit 42, Palo Alto Networks.

“The metaverse is a platform for both opportunity and challenge, allowing many to commit fraud and scam others. For instance, an attacker can manipulate the environment allowing the metaverse to play to our senses directly,” Chung added.

Although security is a constant cat-and-mouse chase, the metaverse is still in its developmental stage. Organisations have the upper hand to optimise their security strategies, enhance risk assessment, and begin working on a cybersecurity evolution.

The course of action across stages

Verma stated that the metaverse would evolve in three overlapping phases: emerging, advanced and mature. The emerging metaverse, inspired by the Web 3.0 app-based market and technologies, starts now and is expected to continue for years, while the advanced metaverse is estimated to arrive in 2025. Each phase will be defined by distinctive influences across technology, market, and product/service characteristics. This will give rise to a variety of security challenges.

“The current metaverse market is not interoperable, yet. Current use cases are siloed experiences. This walled-garden approach gives vendors complete control of their users’ experiences. In this current state, governance and ethics are largely transparent and currently enforced by vendors. Ones addressing new and emerging use cases are lacking and expected to arise only when there is a severe and high-profile breach of privacy and/or security, usually where there are tangible business implications and user impact,” she said.

On the other hand, the mature metaverse is expected to lean towards interoperable and immersive experiences. It might be inspired by consortia promoting interoperability. “This interim step toward the mature metaverse will also see the most market hurdles. For example, experimentation and exploration of ‘greenfield’ opportunities are likely to result in breaches of user rights in privacy and security,” said Verma.

The data dilemma

The evolution of the virtual ecosystem will lead to government and regulatory intervention and restrictions to correct those market imbalances. The need for user-centric guidelines for ethics and governance covering different aspects of the metaverse is imperative.

According to data privacy expert Debbie Reynolds, devices connected to the metaverse will be cross-referencing information about individuals, causing a surge in data. The overwhelming amount of accumulating data will create a whole new level of privacy concern.

“I think the metaverse and how people will be connecting with devices, and the data it collects will force organisations to rethink security in a way that they haven’t before,” said Reynolds.

Currently, there are no laws that govern data in the metaverse. It will take the collective strength of the government and security organisations to establish rules and regulations that can minimise cyber risk.

Developing a plan of action

“We will also see risks surrounding identity theft, payment fraud, and online safety. While the metaverse will empower virtual identities, allowing individuals to achieve many tasks that were once limited to the traditional physical world, it will put more pressure on account securities and the authentication process,” reflected Chung.

As the metaverse will function through digital avatars, there is no convenient method to identify the threat actors. Measurable security awareness is crucial, and organisations must harness a preventative mindset to avoid last-minute security patching.

IBM’s cybersecurity intelligence index report reveals that human errors cause 95 per cent of security breaches. “Security and control are increased by decentralisation and the fact that ledgers are immutable. This leads to fewer chances of errors or fraud. Smart contracts can also increase an individual’s control of data, enabling extremely high degrees of personalisation and user choice,” added Verma.

Avanan researchers reported a spoofing campaign impersonating DHL that fooled customers into providing personal details under the pretence of undelivered packages. Such cyberattacks are likely to increase as more people and brands enter the virtual space for more than just advertising. Cybercriminals who use sophisticated phishing programmes will become even more aggressive by using modified social engineering techniques.

“There is an inherent social engineering advantage with the novelty of any new technology,” said Charlie Bell, leader of a new cybersecurity engineering team at the Redmond-based tech giant. “In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face, like an avatar who impersonates your co-worker, instead of a misleading domain name or email address. These threats could be deal-breakers for enterprises if we don’t act now.”

Investing in cybersecurity would be a key requirement to avoid deep fakes, hacked avatars, data breaches, and cyberattacks, according to Verma. “For mature metaverse, self-sovereign identity management with granular privacy and data capture and protection hierarchies will need to be developed.”

Experts believe secure coding and security best practices must be the first line of defence during the development phase. “While we cannot know exactly what the security implications of the metaverse platforms will be, we can expect the next phase to involve protecting virtual assets such as virtual currency and continuing to maintain virtual identity ownership from a security perspective,” said Chung.

To best prepare, Palo Alto Networks advises organisations not just to strengthen their defences but also to make it difficult for threat actors to breach their systems. It is also essential to be mindful of copycats who use successful attacks as blueprints to carry out new attacks.

We remember the horrid security breaches in the 1990s that came with the emergence of eCommerce. Through the years, dangerous cyberattacks have become more complex, and it’s high time we learned from the early Wild West days of the internet as we brace ourselves for the metaverse era.
