Ice phishing is a form of scam that exists only in Web3 and is a growing threat to the crypto industry, according to Certik.
Blockchain security firm Certik has reminded the crypto space to remain on high alert over ‘ice phishing’ scams – a new form of phishing scam that targets Web3 users – first identified by Microsoft earlier in 2022.
In a December 20 analysis report, Certik described ice phishing scams as a form of attack that tricks Web3 users into signing permissions that end up letting a scammer spend their tokens.
This differs from traditional phishing attacks, which try to obtain confidential information such as passwords and private keys; one example is the phony websites that claimed to help FTX investors recover funds lost on the crypto exchange.
https://twitter.com/CertiKAlert/status/1605297043085447186
A December 17 scam where 14 Bored Apes were stolen is a great example of an elaborate ice phishing scam. One investor was convinced to sign a transaction request disguised as a film contract, which eventually enabled the scammer to sell all of the user’s apes to themselves for a negligible amount.
The company noted that this kind of scam was a considerable threat that was dominating the Web3 world, as investors are often required to sign permissions for the decentralized finance (DeFi) protocols they interact with, and these requests can easily be faked:
“The hacker just needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained.”
Once a scammer gains approval, they can transfer assets to an address of their choice.

To protect themselves from ice phishing, Certik recommended that investors use a token approval tool on blockchain explorer sites like Etherscan to revoke permissions for addresses they do not recognize.
Moreover, addresses that users want to interact with need to be looked up on these blockchain explorers for any suspicious activity. In its analysis, Certik points to an address that was funded by Tornado Cash withdrawals as an example of suspicious activity.
Certik also indicated that users should interact only with official sites that they can verify, and should be especially wary of social media sites like Twitter, highlighting a fake Optimism Twitter account as an example.

The company also advised users to take several minutes to check trusted sites like Coingecko and CoinMarketCap; by doing so, users would have seen that the linked URL was not a legitimate site and should be avoided.
Tech giant Microsoft was the first to highlight this practice, in a February 16 blog post, saying at the time that while credential phishing is quite predominant in the Web2 space, ice phishing gives individual scammers the ability to steal large amounts from the crypto sector while maintaining “almost complete anonymity.”
They recommended that Web3 projects and wallet providers increase the security of their services on the software level to prevent the burden of avoiding ice phishing attacks being placed mainly on the end-user.
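One software-level check of the kind a wallet could run before asking for a signature, given here as an added example and not code from Certik, Microsoft or any wallet: it decodes raw transaction calldata and flags token approvals granted to a spender outside a trusted set. The function names, the trusted set and the sample addresses are constructed for illustration; the two selectors are the standard `approve(address,uint256)` and `setApprovalForAll(address,bool)`.

```python
# Added example (constructed): flag token-approval calldata before signing.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def _word(data, i):
    """Return the i-th 32-byte ABI argument word (hex) after the selector."""
    w = data[8 + 64 * i: 8 + 64 * (i + 1)]
    if len(w) != 64:
        raise ValueError("calldata truncated")
    return w

def _address(word):
    # An ABI-encoded address is left-padded with 12 zero bytes.
    if int(word[:24], 16) != 0:
        raise ValueError("malformed address word")
    return "0x" + word[24:]

def review_calldata(calldata, trusted):
    """Classify calldata; warn on a grant to a spender not in `trusted`
    (a set of lowercase 0x-prefixed addresses)."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector = data[:8]
    if selector == APPROVE:
        # Assumes an ERC-20 target. ERC-721 approve shares this selector,
        # with a token id (not an amount) in the second word.
        spender = _address(_word(data, 0))
        amount = int(_word(data, 1), 16)
        kind, grants, unlimited = "erc20_approve", amount > 0, amount == MAX_UINT256
    elif selector == SET_APPROVAL_FOR_ALL:
        spender = _address(_word(data, 0))
        grants = int(_word(data, 1), 16) != 0
        kind, unlimited = "nft_approval_for_all", grants
    else:
        return {"kind": "other", "warn": False}
    warn = grants and spender not in trusted
    return {"kind": kind, "spender": spender, "unlimited": unlimited, "warn": warn}

# Constructed sample data: none of these addresses come from the article.
UNKNOWN, KNOWN = "0x" + "ab" * 20, "0x" + "11" * 20
TRUSTED = {KNOWN}
_arg = lambda addr: "0" * 24 + addr[2:]
UNLIMITED = "0x" + APPROVE + _arg(UNKNOWN) + "f" * 64
NFT_ALL = "0x" + SET_APPROVAL_FOR_ALL + _arg(UNKNOWN) + "0" * 63 + "1"
REVOKE = "0x" + APPROVE + _arg(UNKNOWN) + "0" * 64
ROUTINE = "0x" + APPROVE + _arg(KNOWN) + format(1000, "064x")
```

Signed off-chain messages are not transaction calldata, so they need a separate check.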