Microsoft has warned of new threats to blockchain and Web3 security, including so-called “ice phishing”.
According to the Microsoft 365 Defender Research Team, phishing has already made its way into blockchains, custodial wallets and smart contracts, and phishing against Web3 can take many forms. The most direct is stealing the private keys of wallets that hold digital assets: whoever holds the key controls the funds.
Although email phishing does occur, the technique is far more common on social media. For example, scammers send users direct messages posing as a cryptocurrency service and offering help; under the guise of a support team, they coax victims into handing over their keys.
Another method is to announce a token airdrop on social media; when users try to claim their new assets, they are redirected to malicious domains that either harvest credentials or run cryptojacking malware on the victim's system.
Finally, scammers use typosquatting: they register domains whose spelling differs from a legitimate cryptocurrency service by only one or two characters (for example, cryptocurency.com instead of cryptocurrency.com) and use the lookalike site to steal wallet keys.
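The lookalike check a wallet, browser extension or mail filter would run against links of this kind, as an added example that is not part of Microsoft's report: it compares the registrable label of a domain with a list of legitimate ones using an edit distance that also counts adjacent transpositions, folds the digit-for-letter swaps typosquatters use (crypt0currency), and separately catches the brand placed in a subdomain of an unrelated site. The brand list, the sample domains and the "last label is the public suffix" simplification are assumptions; a real deployment would use the Public Suffix List.

```javascript
// Added example (not from Microsoft's report): typosquat detection for domains that
// appear in wallet-related links. Brand list and sample domains are constructed.

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "cryptocurency" and "cryptocurrnecy"
// are both distance 1 from "cryptocurrency".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Fold common digit-for-letter substitutions so "crypt0currency" compares as "cryptocurrency".
const HOMOGLYPHS = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't' };
const fold = (label) => label.toLowerCase().replace(/[01357]/g, (c) => HOMOGLYPHS[c]);

// Assumption: the last label is the public suffix, so the registrable label is the one before it.
const labels = (domain) => domain.toLowerCase().replace(/\.$/, '').split('.');

// Constructed brand list; the page's own example domain is used as the legitimate one.
const LEGIT_DOMAINS = ['cryptocurrency.com'];

// Returns { verdict, closest, distance } with verdict one of
// 'legitimate' | 'brand-in-subdomain' | 'lookalike' | 'unrelated'.
function checkDomain(domain, legitDomains = LEGIT_DOMAINS, maxDist = 2) {
  const host = domain.toLowerCase().replace(/\.$/, '');
  const parts = labels(host);
  const brand = parts.length >= 2 ? parts[parts.length - 2] : parts[0];
  const subdomains = parts.slice(0, -2);
  let best = { domain: null, distance: Infinity };
  for (const legit of legitDomains) {
    const l = legit.toLowerCase();
    // The legitimate domain itself, or a real subdomain of it.
    if (host === l || host.endsWith('.' + l)) return { verdict: 'legitimate', closest: legit, distance: 0 };
    const legitBrand = labels(l)[labels(l).length - 2];
    // "cryptocurrency.com.evil.example": the brand is a subdomain of someone else's domain.
    if (subdomains.includes(legitBrand)) return { verdict: 'brand-in-subdomain', closest: legit, distance: 0 };
    const distance = osaDistance(fold(brand), fold(legitBrand));
    if (distance < best.distance) best = { domain: legit, distance };
  }
  const verdict = best.distance <= maxDist ? 'lookalike' : 'unrelated';
  return { verdict, closest: best.domain, distance: best.distance };
}

for (const d of ['cryptocurrency.com', 'cryptocurency.com', 'crypt0currency.com', 'cryptocurrency.com.evil.example']) {
  console.log(d, checkDomain(d));
}
```

A distance of 0 with a 'lookalike' verdict means the name matched only after homoglyph folding, which is exactly the crypt0currency case; anything within distance 2 of a brand but not under its domain deserves a warning before the user is allowed to paste a key or seed into it.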
Ice phishing is different in that it does not go after private keys at all. Instead, the victim is tricked into signing a transaction that approves the transfer of their tokens to the criminals: an ERC-20 approve() call that grants an attacker-controlled address an allowance over the victim's tokens, which the attacker can later spend with transferFrom() without ever holding the victim's key.
Approval transactions of this kind are legitimate and routine in DeFi and smart contract environments: a user must grant a contract an allowance before it can move tokens on the user's behalf, for example to perform a token swap (exchanging one cryptocurrency for another at a predetermined rate). That is why a fraudulent approval looks much like an ordinary one.
A notable example of ice phishing is last year's attack on the DeFi platform Badger. The attackers compromised the project's frontend after obtaining a Cloudflare API key, which let them inject (and periodically remove, to avoid detection) a malicious script into the Badger web interface through which users interact with the project's smart contracts.
The script targeted users with large balances and prompted them to sign fraudulent approval transactions: it intercepted Web3 transactions and asked users to allow an external, attacker-controlled address to spend the ERC-20 tokens in their wallets.
Once the approvals were in place, 8 ETH was transferred to the attackers' account to fund a series of transferFrom calls against the approved tokens. In this way the scammers moved about $121 million of the victims' tokens to their own accounts.
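The approve()/transferFrom() mechanics behind ice phishing and behind the Badger drain described above, as an added example that is not part of Microsoft's report or of Badger's code: a minimal in-memory model of ERC-20 balances and allowances with the standard's semantics, an encoder and decoder for the real approve() calldata layout (the 4-byte selectors are the genuine ERC-20 ones), and the check a wallet or frontend could run before asking a user to sign. The addresses, balances, the `assessApproval` heuristic and its `knownSpenders` list are assumptions for illustration, not a mechanism Microsoft or Badger describe.

```javascript
// Added example (not from Microsoft's report or the Badger code base): a minimal
// in-memory model of ERC-20 approve()/transferFrom(), an encoder/decoder for the
// real approve() calldata layout, and a wallet-side check for suspicious approvals.
// Addresses, balances and the known-spender list are constructed for illustration.

const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" allowance, what most dApps request
const norm = (addr) => addr.toLowerCase();

// Balances and allowances with the semantics the ERC-20 standard specifies.
class Erc20 {
  constructor(initialBalances) {
    this.balances = new Map();
    for (const [addr, v] of Object.entries(initialBalances)) this.balances.set(norm(addr), BigInt(v));
    this.allowances = new Map(); // "owner|spender" -> remaining allowance
  }
  balanceOf(addr) { return this.balances.get(norm(addr)) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${norm(owner)}|${norm(spender)}`) ?? 0n; }
  // Signed by the token owner. Moves nothing; it only records that `spender`
  // may later move up to `amount` of the owner's tokens.
  approve(owner, spender, amount) {
    this.allowances.set(`${norm(owner)}|${norm(spender)}`, BigInt(amount));
    return true;
  }
  // Signed by the spender, not the owner. The owner's private key is never
  // involved: the earlier approve() is the only authorisation that is checked.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    const amt = BigInt(amount);
    if (allowed < amt) throw new Error('ERC20: insufficient allowance');
    if (this.balanceOf(from) < amt) throw new Error('ERC20: transfer amount exceeds balance');
    if (allowed !== MAX_UINT256) this.allowances.set(`${norm(from)}|${norm(spender)}`, allowed - amt);
    this.balances.set(norm(from), this.balanceOf(from) - amt);
    this.balances.set(norm(to), this.balanceOf(to) + amt);
    return true;
  }
}

// Real 4-byte ABI selectors (first 4 bytes of keccak256 of the canonical signature).
const SEL_APPROVE = '095ea7b3';       // approve(address,uint256)
const SEL_TRANSFER_FROM = '23b872dd'; // transferFrom(address,address,uint256)

// ABI layout: selector, then the address right-aligned in a 32-byte word, then the uint256.
function encodeApprove(spender, amount) {
  const addrWord = norm(spender).replace(/^0x/, '').padStart(64, '0');
  const amtWord = BigInt(amount).toString(16).padStart(64, '0');
  return '0x' + SEL_APPROVE + addrWord + amtWord;
}

function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== SEL_APPROVE) return null;
  return { spender: '0x' + hex.slice(8 + 24, 8 + 64), amount: BigInt('0x' + hex.slice(72)) };
}

// Check a wallet or frontend could run before presenting an approve() for signature
// (an assumed heuristic, not something Badger or Microsoft describe): an approval whose
// spender is not one of the dApp's published contracts is the ice-phishing signature,
// and an unlimited one to an unknown address is the worst case.
function assessApproval(calldata, knownSpenders) {
  const a = decodeApprove(calldata);
  if (a === null) return { verdict: 'not-approve' };
  const known = knownSpenders.map(norm).includes(a.spender);
  const unlimited = a.amount === MAX_UINT256;
  const verdict = known ? 'ok' : unlimited ? 'block' : 'warn';
  return { ...a, unlimited, verdict };
}

// Constructed addresses, not real accounts.
const VICTIM = '0x' + '11'.repeat(20);
const ATTACKER = '0x' + '22'.repeat(20);
const ROUTER = '0x' + '33'.repeat(20); // hypothetical legitimate swap contract

// Replays the Badger pattern: the victim signs one approve() naming an attacker
// address, and the attacker drains the balance with transferFrom() from its own key.
function simulateIcePhishing() {
  const token = new Erc20({ [VICTIM]: 1000000n });
  const calldata = encodeApprove(ATTACKER, MAX_UINT256); // what the injected script asks the victim to sign
  const assessment = assessApproval(calldata, [ROUTER]);
  const { spender, amount } = decodeApprove(calldata);
  token.approve(VICTIM, spender, amount);                // victim's signature: a harmless-looking "approve"
  token.transferFrom(ATTACKER, VICTIM, ATTACKER, token.balanceOf(VICTIM)); // attacker's signature
  return { verdict: assessment.verdict, victimLeft: token.balanceOf(VICTIM), attackerGot: token.balanceOf(ATTACKER) };
}

console.log(simulateIcePhishing());
```

The point the simulation makes is that the only transaction the victim ever signs is the approve(); the transferFrom() that empties the wallet is signed by the attacker's own key, which is why revoking stale allowances, and refusing unlimited approvals to addresses a dApp has not published, is the practical defence.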
Web3 is the concept of a new, blockchain-based iteration of the internet built around decentralization and a token-based economy. Its proponents contrast it with Web 2.0, in which, they argue, data and content are centralized in a small group of companies. The term was coined in 2014 by Ethereum co-founder Gavin Wood, and in 2021 cryptocurrency enthusiasts, large technology companies and venture capital firms took an interest in the idea.
Custodial wallets are the analogue of bank accounts: the user does not have full control over their funds, because the operator (custodian) holds the private key.
Recall that phishing takes other forms too: we have written, for example, that hackers attack e-banking users with phishing QR codes, and that the Ukrainian cyber police neutralized one of the world's largest phishing services.