Security Experts:

Connect with us

Hi, what are you looking for?



Virtual Insanity: Protecting the Immersive Online World

As a result of the intersection of humans and technology, many social engineering attacks aimed at exploiting unsophisticated users are also likely to occur.

As a result of the intersection of humans and technology, many social engineering attacks aimed at exploiting unsophisticated users will occur

The concept of a virtual world in which people live, work, and interact with others without leaving their living room in the physical world gained more momentum during the pandemic. In fact, Gartner predicts that by 2026, a quarter of the population will spend a minimum of an hour each day in some type of immersive virtual environment for work, shopping, education, social media and/or entertainment.

Cities are among the first to enter this new iteration of the internet powered by virtual reality (VR), augmented reality (AR) and mixed reality (MR) technology. These virtual cities—Dubai being the first—promise to replicate real-life experiences and places. Individuals create avatars that can then work, shop, play and more in a virtual space. While these new virtual spaces will provide untold opportunities, they also set the stage for an unparalleled rise in cybercrime.

An expanded attack surface

Companies ranging from Microsoft to Meta to Nike and Walmart are spending on investments in this next evolution of the internet. For instance, digital goods are being launched by retailers for sale in these virtual environments. Designer Ralph Lauren debuted a unique digital apparel line on the online gaming site Roblox toward the end of last year. All these activities extend the attack surface, which creates new opportunities for the criminally minded. Virtual worlds could enable new ways for them to get into networks.

The creation of new security risks

Users should exercise caution when interacting with new virtual environments for several reasons. First, because virtual platforms are new, they’re likely to draw many malicious actors eager to take advantage of new opportunities. As a result of the intersection of humans and technology, many social engineering attacks aimed at exploiting unsophisticated users are also likely to occur.

A person taking part in an online world is a prime target for attackers because their avatar basically serves as the entry point to their personally identifiable information (PII). Cryptocurrency exchanges, NFTs, digital wallets and any other currencies used in purchases give cybercriminals still another attack surface, because people can buy products and services in virtual cities. These virtual assets and items are likewise susceptible to theft and resale.

Due to the AR and VR-driven elements of virtual cities, biometric hacking may also become feasible. That would make it simpler for attackers to obtain things like face recognition data, retina scans and fingerprints for their own gain.

In these new interactive worlds, people can interact not only with one another but also with objects, some of which are very complicated and have their own distinct procedures and code. Security threats or weaknesses can be brought on by complexity; there is significant potential for exploitation as a result. What does security look like in such a setting, and where does it go? And how does it function in a highly scalable environment where vast quantities of data are being streamed and millions of people are interacting with it?

Defending the expanded virtual attack surface

The good news is these new security challenges aren’t insurmountable. While the experiences may be new, we do have a solid framework to look at when it comes to understanding the attack lifecycle: the MITRE ATT&CK framework. To proactively prepare for attacks better, it will be more vital than ever to look both inside and outside the organization for hints about possible attack strategies.

Some of the solutions/technologies to consider, if you haven’t already adopted them, are:

Endpoint detection and response (EDR): With sophisticated EDR, it is possible to have real-time analysis, protection and remediation – regardless of whether users are working remotely, learning remotely or engaging in immersive experiences remotely.

Zero trust and zero trust network access (ZTNA): As threats have increased, there has been greater focus on the zero trust and ZTNA, which are based on the idea that nobody and nothing can be trusted implicitly. These technologies will be key in securing the new virtual worlds.

Network segmentation: This approach enhances cybersecurity by keeping attacks from propagating throughout a network and entering vulnerable devices. Segmentation also prevents malware from spreading into your other systems if an attack occurs.

An integrated, comprehensive, and automated cybersecurity platform: This is the most significant step you can take to improve your enterprise’s security posture. As the threat landscape becomes larger and more complex, a collection of point solutions is simply ineffective. Instead, they must be consolidated and integrated into a single cybersecurity platform. Wherever access to virtual worlds is taking place, integration and consolidation can help detect and limit the spread of threats.

AI and machine learning (ML): AI and ML are key components for a more automated and intelligent cyber defense. AI helps organizations discover and mitigate the tsunami of cyber events that they can come across daily, including those coming from virtual worlds. It’s also a smart move to use an inline sandbox service to protect against wiper malware and sophisticated ransomware threats. If integrated with a cybersecurity platform, a service like this can guarantee that only safe files will be transmitted to endpoints, enabling real-time protection against changing assaults.

Securing the future

Apparently, reality isn’t enough for bad actors. As new and immersive online experiences emerge, they’re expanding the attack surface and creating more opportunities for cybercrime. Virtual cities and online worlds are breeding grounds for new and sophisticated attack types. As cybercrime and advanced persistent threat approaches merge, bad actors are figuring out ways to weaponize emerging technologies at scale to facilitate greater disruption and destruction. By exercising caution, re-assessing your security posture based on the above criteria and integrating and consolidating your solutions, you’ll ensure you are well-equipped to withstand whatever comes next.

Related: Securing the Metaverse and Web3

Written By

Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.