In the Web3 world, phishing attempts come in many forms. As the technology is still evolving, new types of attacks may emerge. Some attacks are specific to Web3, such as ice phishing, while others resemble credential phishing attacks more common on Web2.
Before we look at what an ice phishing attack is and how it works, let's first understand how transactions are signed on a blockchain and what token authorization is.
Transaction signature
You can connect to decentralized applications using wallets such as MetaMask. Malicious users try to take advantage of the fact that users must sign transactions using MetaMask to perform these actions.
A MetaMask popup will appear asking the user to confirm or cancel the transaction when the app needs to perform on-chain operations. See image below.
In the example above, you can see that MetaMask is asking for confirmation when exchanging ETH for UNI tokens. As soon as we confirm it, the transaction will be completed. In some transactions, however, it can be more difficult to understand what activities are being allowed, especially if you allow a series of actions rather than a single immediate action. Attackers look to exploit this lack of clarity when ice phishing.
Token allowance
A token allowance is a transaction in which a token owner authorizes a spender to spend a token amount on behalf of the token owner. Holders can provide token allowances for both non-fungible and fungible tokens. An owner is an account that owns tokens and gives allowances to spenders.
What is ice phishing?
Simply put, ice phishing tricks users into signing malicious transactions to give the attacker control over their crypto assets.
“Ice phishing” techniques do not steal someone else’s private key. Instead, the attacker tries to trick the user into authorizing a transaction that grants the attacker control of the user’s tokens.
Approvals are a frequent type of transaction that allow users to interact with DeFi protocols. This makes ice phishing a major threat to Web3 investors, since permission must be given to interact with DeFi protocols.
How do attacks work?
An attacker carries out this attack in two steps:
1. Trick the victim into signing an authorization transaction:
Attackers create deceptive websites masquerading as DEXs, such as SushiSwap, or as help pages for cryptocurrency products.
Attackers typically spread these malicious links through promotional giveaways, “proprietary” NFT mints, phishing emails, tweets, Discord, etc., creating a false sense of urgency and spreading FOMO (fear of missing out) among users. See example below.
Scammers succeed if they can trick users into connecting their wallets to a malicious website and into signing an authorization to use their assets.
2. Steal tokens from user wallets:
As soon as the user approves the token to the malicious attacker’s address, the attacker calls the transferFrom function to transfer all tokens to their own wallet. The fraud usually involves at least two wallets: first, the ice phishing wallet that the user approved, then the recipient wallet to which the attacker transfers the tokens.
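The allowance bookkeeping behind these two steps, as an added example that is not part of the original article: a small in-memory model showing that only `approve` needs the owner's signature, and that revoking (approving zero) makes a later `transferFrom` fail. `TokenLedger`, `runScenario` and the account labels are hypothetical names chosen for illustration.

```javascript
// Minimal in-memory model of ERC-20 allowance bookkeeping (constructed, not a real token).
const MAX_UINT256 = (1n << 256n) - 1n;

class TokenLedger {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // account -> BigInt balance
    this.allowances = new Map();                       // "owner>spender" -> BigInt
  }
  balanceOf(account) { return this.balances.get(account) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}>${spender}`) ?? 0n; }

  // Signed by the owner: the only step that involves the owner's wallet.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}>${spender}`, amount);
  }

  // Sent by the spender: checked against the stored allowance, no owner signature.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (amount > allowed) throw new Error("insufficient allowance");
    if (amount > this.balanceOf(owner)) throw new Error("insufficient balance");
    this.allowances.set(`${owner}>${spender}`, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Hypothetical scenario: an unlimited approval, optionally revoked before it is used.
function runScenario(revokeFirst) {
  const ledger = new TokenLedger({ owner: 1000n });
  ledger.approve("owner", "approvedSpender", MAX_UINT256);
  if (revokeFirst) ledger.approve("owner", "approvedSpender", 0n); // revoke = approve 0
  try {
    const all = ledger.balanceOf("owner");
    ledger.transferFrom("approvedSpender", "owner", "recipient", all);
  } catch (err) {
    return { moved: false, reason: err.message, ownerBalance: ledger.balanceOf("owner") };
  }
  return { moved: true, reason: null, ownerBalance: ledger.balanceOf("owner") };
}

console.log(runScenario(false), runScenario(true));
```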
Badger DAO Case Study
Badger is a DeFi protocol that allows you to earn interest on your deposits. On December 2, 2021, BadgerDAO was hit by an ice phishing attack. Badger’s Cloudflare API key was compromised, allowing attackers to take over front-end infrastructure.
In this way, the attacker could inject malicious scripts into the front end. Users then connected to BadgerDAO, thinking that they were earning money by depositing tokens. Yet the actual transaction they signed gave the attacker full access to their assets.
Attackers stole millions of dollars from victims’ accounts and specifically targeted individuals with high balances. They changed scripts throughout the day to avoid detection. BadgerDAO eventually recognized the attack and suspended its smart contract, but the attacker had already stolen about $121 million from 200 accounts.
How to protect yourself
Do not click suspicious links. To avoid phishing URLs and domain squatters, only use verified URLs to access dApps and services. When in doubt, project URLs are usually available on verified Twitter accounts.
Verify transactions before signing. It is imperative to read the transaction details before signing with MetaMask or any other wallet to ensure the intended action is taken.
Manage your crypto assets through multiple wallets. Diversify your cryptocurrency holdings, store long-term investments and valuable NFTs in cold storage like hardware wallets, and keep funds for regular transactions and more active dApps in separate hot wallets.
Regularly review and revoke allowances. Especially in NFT marketplaces, it’s always a good idea to periodically review and revoke permissions whenever you’re not actively using a dApp. This minimizes the chances of losing money through exploits and attacks and reduces the impact of phishing scams. You can use Revoke.cash or the Etherscan token approval checker for this.
Stay up to date on scams to avoid them. Beware of scams and report any unusual behavior. Reporting fraud helps security professionals and law enforcement catch scammers before they do too much harm.
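One way to apply "verify transactions before signing" to the raw data field a wallet shows, as an added example that is not from the original article: it recognises the standard approval selectors and flags unlimited or collection-wide grants. `describeCalldata`, the `trustedSpenders` allow-list and the sample calldata are assumptions constructed for illustration.

```javascript
// Selectors (first 4 bytes of calldata) of standard calls that grant spending rights.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 (ERC-721 reuses it with a token id)
  "39509351": "increaseAllowance(address,uint256)", // common ERC-20 extension
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155 operator
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode raw calldata and list what a user should notice before signing.
// trustedSpenders is a hypothetical allow-list kept by the reviewer.
function describeCalldata(data, trustedSpenders = []) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex === "") return { kind: "other", warnings: [] }; // plain value transfer
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) {
    return { kind: "unknown", warnings: ["calldata is not valid hex"] };
  }
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!signature) return { kind: "other", warnings: [] };
  if (hex.length < 8 + 128) {
    return { kind: "approval", signature, warnings: ["truncated arguments"] };
  }
  // Each ABI argument is a 32-byte word; an address is the low 20 bytes of its word.
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const value = BigInt("0x" + hex.slice(8 + 64, 8 + 128));
  const warnings = [];
  const trusted = trustedSpenders.map((s) => s.toLowerCase());
  if (value !== 0n && !trusted.includes(spender)) {
    warnings.push("spender is not on the trusted list");
  }
  if (signature.startsWith("setApprovalForAll")) {
    if (value !== 0n) warnings.push("operator gets every token in this collection");
  } else if (value === MAX_UINT256) {
    warnings.push("unlimited allowance");
  }
  return { kind: "approval", signature, spender, value, warnings };
}

// Constructed sample: approve(0x1111...1111, 2^256 - 1). Not taken from a real transaction.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_CALLDATA = "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
console.log(describeCalldata(SAMPLE_CALLDATA));
```

A zero value (a revocation) produces no warnings, so the same function can be used to confirm that a revoke transaction is what it claims to be.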
Conclusion
Ice phishing attacks and other cryptocurrency scams are likely to become more prevalent as the cryptocurrency market continues to rise. Caution and education are the best security measures. Users should be aware of how these scams operate and take appropriate precautions to keep themselves safe. Take a moment to ensure that the URLs you’re interacting with are verified both on-chain and with trusted sources.
Frequently Asked Questions
What should I do if I suspect ice phishing?
Review and revoke authorization for addresses that may have compromised your wallet at https://etherscan.io/tokenapprovalchecker. Also transfer all funds to other wallets.
How can I protect myself from ice phishing?
To protect yourself from ice phishing attacks, you should be on the lookout for unsolicited emails, messages, and phone calls, even those that appear to be from trusted sources. Validate transactions before signing.
How do I revoke an address approval?
You can use Revoke.cash or the Etherscan token approval checker to remove authorization for an address.