Ice Phishing Scams:
According to the company, the scam known as “ice phishing” only occurs on Web3 and poses a “serious threat” to the cryptocurrency ecosystem.
The blockchain security firm CertiK has warned the cryptocurrency industry to be on the lookout for “ice phishing” scams, a special kind of phishing scam that preys on Web3 users initially discovered by Microsoft earlier this year.
In a report on an analysis released on December 20, CertiK identified ice phishing scams as an attempt to deceive Web3 users into signing permissions that ultimately allow a con artist to exploit their tokens.
This is distinct from conventional phishing assaults, which aim to obtain private keys or passwords, or the fraudulent websites created that represented themselves as being able to assist FTX investors in recovering the money they had lost on the exchange.
1/ Ice phishing is a considerable threat to the Web3 community
Instead of gaining accessing to your private key, scammers trick you into signing permissions to spend your assets.
We’ll outline below what to look out for, and how to protect yourself!
— CertiK Alert (@CertiKAlert) December 20, 2022
An intricate ice phishing scheme from December 17 involved the theft of 14 Bored Apes. The con artist persuaded an investor to sign a transaction request presented as a movie contract, which ultimately allowed them to purchase all of the user’s gorillas for a pittance.
Investors frequently need to sign an authorization to engage with decentralized finance (DeFi) protocols, which are easily faked, according to the firm, making this scam a “serious threat” unique to the Web3 environment.
Ice Phishing Attack On Etherscan:
The hacker must persuade the user that the malicious address they are permitted to access is actual. The assets risk being drained once a user has given the fraudster authorization to spend tokens.
Once a fraudster has received authorization, they can send money to whatever address they like.
An illustration of an ice phishing attack on Etherscan. Citation: Certik
Investors can use a token approval feature on blockchain explorer websites like Etherscan to withdraw authorization for addresses they don’t recognize to safeguard themselves against ice phishing.
Additionally, users should check these blockchain explorers for any suspicious behavior when planning to connect with addresses. In its study, CertiK cites an instance of dubious activity at an address funded by Tornado Cash withdrawals.
Additionally, CertiK advised consumers to only communicate with official websites that they can independently verify and to exercise extreme caution when using social media platforms like Twitter, citing a phoney Optimism Twitter account as an illustration.
Phoney optimism Twitter account. Citation: Certik
Users would have been able to detect that the linked URL was not a valid site and should have been avoided if they had taken the firm’s advice to take a few minutes to examine a reliable website like CoinMarketCap or Coingecko.
The tech behemoth Microsoft was the first to draw attention to this tactic in a blog post on February 16; at the time, it claimed that while credential phishing is prevalent in the Web2 world, ice phishing allows individual scammers to steal a portion of the crypto industry while maintaining “almost complete anonymity.”
To minimize the burden of preventing ice phishing attempts from falling entirely on the end-user, they advised Web3 projects and wallet providers to strengthen the software security of their services.