Ice Phishing Attack: A New Way to Steal Your Cryptos

In the internet world, hackers and spammers continuously discover new methods to steal and hack.

Furthermore, there is nothing preventing them from innovating new techniques to jeopardize the flourishing crypto industry.

Hacking and spamming are not unfamiliar to the crypto world. Several major attacks on crypto firms have already resulted in significant financial losses. Moreover, numerous methods exist for stealing crypto funds from individuals. The latest addition to this list is the Ice Phishing Attack.

What Is an Ice Phishing Attack?

Ice Phishing Attack refers to a phishing attack that aims to steal crypto funds.

Phishing attacks are simple and effective techniques used by attackers. In these attacks, attackers trick the victim into taking certain actions by creating fraudulent websites, emails, or utilizing various other methods.

In the crypto world, ice phishing attacks specifically target Web3 users. The attackers deploy smart contracts that imitate legitimate ones from a reputable Web3 platform. Their objective is to get the user to sign a transaction that delegates approval of the user's tokens to the attacker.

In this attack, the attacker only needs the victim to sign the transaction; the attacker does not try to gain full wallet access by obtaining the private key.

How Does an Ice Phishing Attack Work?

An ice phishing attack targets Web3 users as they interact with a Web3 platform. For example, to interact with any Web3 platform, you have to make an initial transaction that grants the platform some necessary permissions, like spending tokens from your wallet.

The attacker misuses the permission to deplete your wallet.

The first step is to trick you into approving the malicious contract that requests permission to spend tokens from your wallet. Attackers often pretend to be customer service representatives for crypto projects or services, reaching out to you with offers of assistance through project channels, community Discord servers, or Twitter threads. They then try to entice you into signing a transaction that delegates approval for your crypto assets.

The next step is to drain your wallet by initiating a transfer to an address of the attacker's choice. The important thing here is that the recipient address is not always the wallet that ice-phished you; the wallet that ice-phished you is the one that initiated the transaction. The attackers often send funds to a second EOA (Externally Owned Account) that they control.
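The two steps above leave a recognizable trace on chain, and the following added example (not part of the original article) shows detection logic for it: an approval to a spender, followed by a transfer out of the owner's balance in a transaction that the spender, not the owner, initiated. The events, addresses and field names are constructed, and the check assumes the spender is an EOA that sends the draining transaction itself, as described above.

```javascript
// Added example. Events are constructed and already decoded; the field names
// (type, token, owner, spender, from, to, txFrom, block) are hypothetical.
const VICTIM = "0x" + "a1".repeat(20);
const ROUTER = "0x" + "b2".repeat(20);     // spender the victim really uses
const PHISHER = "0x" + "c3".repeat(20);    // spender approved under false pretences
const SECOND_EOA = "0x" + "d4".repeat(20); // where the funds end up

const SAMPLE_EVENTS = [
  { block: 90, type: "Approval", token: "TKN", owner: VICTIM, spender: ROUTER, value: 500n, txFrom: VICTIM },
  { block: 91, type: "Transfer", token: "TKN", from: VICTIM, to: ROUTER, value: 500n, txFrom: VICTIM },
  { block: 100, type: "Approval", token: "TKN", owner: VICTIM, spender: PHISHER, value: 2n ** 256n - 1n, txFrom: VICTIM },
  { block: 105, type: "Transfer", token: "TKN", from: VICTIM, to: SECOND_EOA, value: 9000n, txFrom: PHISHER },
];

function findIcePhishingDrains(events) {
  const grants = new Map(); // "token|owner|spender" -> Approval event still in force
  const findings = [];
  for (const ev of [...events].sort((a, b) => a.block - b.block)) {
    if (ev.type === "Approval") {
      const key = [ev.token, ev.owner, ev.spender].join("|");
      if (ev.value === 0n) grants.delete(key); // allowance revoked
      else grants.set(key, ev);
    } else if (ev.type === "Transfer" && ev.txFrom !== ev.from) {
      // Tokens left `from` in a transaction that `from` did not send.
      // Flag it when the sender holds an allowance granted earlier by `from`.
      const grant = grants.get([ev.token, ev.from, ev.txFrom].join("|"));
      if (grant) {
        findings.push({
          victim: ev.from,
          spender: ev.txFrom,                     // the wallet that initiated the transaction
          recipient: ev.to,                       // often a second EOA, not the spender
          recipientIsSpender: ev.to === ev.txFrom,
          approvedAtBlock: grant.block,
          drainedAtBlock: ev.block,
          value: ev.value,
        });
      }
    }
  }
  return findings;
}

console.log(findIcePhishingDrains(SAMPLE_EVENTS));
```

The swap at block 91 is not flagged because the owner sent that transaction; only the transfer at block 105 is reported, with the recipient recorded separately from the spender.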

How to Protect From Ice Phishing?

Ensure Permission Before Initiating Transactions.

Before interacting with any smart contract via Metamask or any other wallet, carefully review the transaction details and ensure it’s going to initiate the operations you expect.

Verify Smart Contract Authenticity.

No matter what the app's front end shows you about the smart contract you are interacting with, make sure to check its authenticity.

To confirm you are dealing with the legitimate contract, check the contract address that appears in the transaction to be signed before it is submitted.
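As an added example (not from the original article), the function below does the review described in this section and the previous one: it decodes the calldata of a transaction about to be signed, reports whether it grants a token approval, and checks the spender against a list of addresses you trust. The addresses and the `trustedSpenders` allowlist are constructed, and the zero-value check assumes `approve` is called on an ERC-20 token (on ERC-721 the second word is a token id).

```javascript
// Added example. Selectors are the first 4 bytes of keccak256 of the
// standard function signatures; all addresses below are constructed.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// tx: { to, data } as displayed by the wallet. trustedSpenders: hypothetical
// allowlist of spender addresses taken from the project's official documentation.
function reviewTransaction(tx, trustedSpenders) {
  const data = tx.data.toLowerCase().replace(/^0x/, "");
  const signature = APPROVAL_SELECTORS[data.slice(0, 8)];
  if (!signature) return { grantsApproval: false, warnings: [] };
  // A well-formed call is the selector plus two 32-byte ABI words.
  if (data.length < 8 + 128 || /[^0-9a-f]/.test(data)) {
    return { grantsApproval: true, signature, warnings: ["malformed approval calldata"] };
  }
  const spender = "0x" + data.slice(8 + 24, 72); // address = low 20 bytes of word 1
  const value = BigInt("0x" + data.slice(72, 136));
  const warnings = [];
  const revokes = value === 0n; // amount 0 or approved=false removes the permission
  if (!revokes) {
    if (!trustedSpenders.map((a) => a.toLowerCase()).includes(spender)) {
      warnings.push("spender is not on the trusted list");
    }
    if (signature.startsWith("setApprovalForAll")) {
      warnings.push("operator may move every token of this collection");
    } else if (value === MAX_UINT256) {
      warnings.push("unlimited allowance requested");
    }
  }
  return { grantsApproval: !revokes, signature, token: tx.to, spender, value, warnings };
}

// Constructed sample: unlimited approve() to an address the user never vetted.
const SAMPLE_SPENDER = "0x" + "ab".repeat(20);
const SAMPLE_TX = {
  to: "0x" + "11".repeat(20),
  data: "0x095ea7b3" + pad32(SAMPLE_SPENDER) + "f".repeat(64),
};
console.log(reviewTransaction(SAMPLE_TX, ["0x" + "22".repeat(20)]));
```
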

Legit smart contracts get audited, so you can use websites like defiyield to assess the smart contract.

Consider Smart Contract Upgradability and Security Features.

Consider whether the smart contract is upgradeable, so that the project can deploy fixes. You can use Etherscan to gather this information. Additionally, check if the smart contract has incident response or emergency capabilities, such as pause/unpause, and assess its security characteristics after deployment.

Review The Platform.

The simplest thing you can do is conduct a thorough review of the DeFi platform by verifying the authenticity of the website and assessing its current performance through tracking websites like CoinMarketCap or CoinGecko.

Use Multiple Wallets.

It is recommended to use multiple wallet accounts to manage and interact with web apps. Periodically review and revoke token allowances. The website https://etherscan.io/tokenapprovalchecker can assist you in easily performing this task.

Utilize Cold Storage, Hardware Wallets, or NFTs for Crypto Asset Storage.

If you’re not actively involved in day trading, storing your crypto assets in an online wallet may pose security risks and leave you vulnerable to various exploits.

Instead, you can segregate your crypto assets and keep long-term holdings like more valuable NFTs in cold storage and funds for transactions and more active DApps in a different hot wallet.

Double Check Support or Customer Assistance.

Make sure that anyone contacting you on social media or Discord really is the legitimate support team of the particular project.

If you have any doubts, contact the support team through the official website and check that the account is verified on social media platforms.

Real-Life Ice Phishing Incident.

Badger DAO Attack.

Badger is a DeFi protocol that allows users to earn interest on Bitcoin deposits. The protocol was launched on the Ethereum mainnet in 2020.

Badger uses a variety of yield farming methods to earn more yield.

In 2021, Badger's smart contract front-end infrastructure was compromised. Specifically, a portion of the Cloudflare API key was exploited, allowing the attacker to inject malicious scripts into the smart contract front end.

The injected script prompted users to sign transactions granting ERC-20 approvals to the attacker’s account.

Initially, the script injection was inconsistent, targeting only high-value wallets and wallets with certain balances.

The first transfer of funds took place on November 21, 2021. On December 2, 2021, actual funds were drained from victims' accounts. This draining of funds continued until 10:35:37 AM that day. Badger paused contracts (where possible) starting at 03:14:00 AM, causing some of the attacker's transactions to fail.

It was estimated that the exploiters had managed to siphon $121m from 200 accounts.

Bored Apes Scam.

In December 2022, scammers used Ice Phishing to steal 14 Bored Ape Yacht Club (BAYC) non-fungible tokens (NFTs) through a month-long social engineering scam.

The scammers posed as a casting director working for “Forte Pictures” on an NFT-related film titled “The Return of Time.” Although Forte Pictures is a real company, they were not involved in the scam.

Using a fake website, fabricated pitches, fraudulent legal contracts, and other elaborate deception methods, including Twitter Spaces, the scammers built credibility. They made a bid for the NFTs and directed the victims to a fake NFT platform where they were instructed to “sign the contract.” It was during this process that the wallet drain occurred.

Conclusion.

Hacking and spamming are common in the crypto world. Attackers always find innovative ways to steal your cryptos, and the newest of those ways is the Ice Phishing Attack.

While Ice Phishing may not be a fatal attack in itself, it can have severe consequences if proper prevention measures are not followed. It is crucial to adhere to recommended preventive measures to safeguard your crypto assets.
