Ice phishing threatens blockchain | Pentest7

top cybersecurity companies

The blockchain, decentralized technologies, DeFi, smart contracts, the concept of a “metaverse” and Web3 – the decentralized foundation built on cryptographic systems that underlie blockchain projects – all have the potential to bring about radical changes in the way things are done how we understand and experience connectivity today.

However, with every technological innovation, new opportunities can also be created for cyber attackers, and Web3 is no exception.

The most common threats today include mass spam and phishing via email and social media platforms, social engineering, and exploitation of security vulnerabilities.

On February 16, the Microsoft 365 Defender Research Team found that phishing in particular has made its way onto the blockchain, depository wallets, and smart contracts — “reaffirming the persistence of these threats as well as the need to incorporate security fundamentals into related future systems and frameworks.” to build in.”

The cybersecurity researchers from Microsoft say phishing attacks focused on Web3 and the blockchain can take different forms.

One of the threats to watch out for is an attacker attempting to obtain the private cryptographic keys to access a digital asset wallet.

While email phishing attempts do happen, social media scams are common. For example, scammers can send direct messages to users publicly asking for help from a cryptocurrency service — and claiming the key under the pretense of being from a support team.

Another tactic is to launch fake airdrops for free tokens on social media websites. When users try to access their new assets, they are redirected to malicious domains that either try to steal credentials or run cryptojacking malware on the victim’s computer.

Additionally, cyber criminals are known to engage in typo-squatting to impersonate legitimate blockchain and cryptocurrency services. They register website domains with minor bugs or changes – like instead of – and set up phishing websites to steal keys directly.

Ice phishing is different and completely ignores private keys. This attack vector attempts to trick a victim into signing a transaction that authorizes a user’s tokens to pass to a criminal.

Such transactions can be used in DeFi environments and smart contracts, for example to enable a token exchange.

“Once the approval transaction is signed, submitted, and mined, the donor can access the funds,” Microsoft said. “In the case of an ice phishing attack, the attacker can collect permissions over an extended period of time and then quickly empty all of the victims’ wallets.”

The most famous example of ice phishing is last year’s BadgerDAO attack. Attackers managed to compromise the BadgerDAO frontend to gain access to a Cloudflare API key, after which malicious scripts were injected into and removed from the Badger smart contract.

Customers with high balances were singled out and asked to sign fraudulent transaction approvals. BadgerDAO said in a post-mortem of the phishing attack that “the script intercepted Web3 transactions and asked users to authorize a foreign address to work with ERC-20 tokens in their wallet.”

“After forging a series of permits, a funding account sent eight Ethereum Coins (ETH) to the attacker’s account to make a series of transferFrom calls for the users’ approved tokens,” according to BadgerDAO. “This allowed the attacker to move funds to other accounts on behalf of users, who then liquidated the funds and converted them to BTC via the Badger Bridge.”

About $121 million was stolen. An audit and recovery plan are underway. “The Badger DAO attack highlights the importance of tightening the security of Web3 while it is still in the early stages of development and deployment,” Microsoft said. “We recommend that software developers increase the security of Web3. Meanwhile, the end-users need to explicitly verify information through additional resources such as: B. the project documentation and external reputation/information websites.”

Leave a Reply

Your email address will not be published.