June 3rd, 2022
The worldwide evolution of blockchain has happened rapidly. In the business world, blockchain is witnessing expanded adoption due to its efficiency in digital identity verification, and the safe transfer of both data and funds through smart contracts.
Smart contracts have enterprise applications within the food services, economic, healthcare, administration, and manufacturing industries, among others. While smart contracts are routinely audited by blockchain security firms like Halborn, they are also sensitive to phishing attacks.
Cryptocurrency and blockchain enthusiasts usually say cryptocurrency is a safer option than other digital payment modes. While the blockchain does have numerous cybersecurity benefits, it isn’t unsusceptible to scams and it certainly isn’t unhackable. The rise of new threats like ice phishing emphasizes these vulnerabilities.
Before knowing what exactly an ice phishing attack is and how it works, it is important to first understand some necessary background information on Web3.
As mentioned earlier, to better understand ice phishing, a quick primer on blockchain, non-custodial wallets, smart contracts, and ERC-20 tokens is required. Let’s dissect these key Web3 terms one by one.
There are two kinds of wallets – custodial wallets and non-custodial wallets. The custodial are wallets linked with cryptocurrency exchanges, whereas the non-custodial is a wallet that resides on a user’s device. The major dissimilarity between the two is who has access to and handles the cryptographic keys to sign transactions. Non-custodial wallets give the owner credentials to the cryptographic keys, whereas custodial wallets do not.
Web2 means the arrangement of the internet most of us use today. The internet is monopolized by companies that give services in exchange for Personally identifiable information (PII).
Web3, on the other hand, means decentralized apps that operate on the blockchain. These are apps that permit users to partake without giving their Personally identifiable information (PII).
So, what the hell is an “Ice Phishing” attack and how does it work? Let’s now take a deeper look.
Microsoft recently published a report describing security dangers to Web3 technologies, including ice phishing. In an ice phishing attack, attackers push to dupe victims into giving away permission for their tokens. They accomplish this by utilizing smart contracts to obscure their purposes.
In other words, ice phishing is a process that doesn’t include swiping private keys. Instead, it influences a user into signing a transaction that gives the attacker permission over the user’s tokens. With an ice phishing attack, the attacker only needs to modify the spender’s address to the attacker’s address. This is familiar in wire transfers and PayPal frauds as others are deceived into acknowledging it is transmitted from their companion or loved one.
One of the most practical techniques of ice phishing employs cleverly devised images. These images utilize a combination of strategies to deceive users into clicking buttons and conducting financial transactions.
The “ice phishing” attack was a success because hackers collected permissions over some time, then immediately emptied the victim’s wallets.
Web2 credential hacks are extremely similar to Web3 cryptographic key exposure. Attackers can trick users (by phishing) of Web3 to reveal the cryptographic keys. Revealing those keys to an illegal partaker can give the attacker the power to transfer the user’s funds without his permission. The attackers can phish the exact route via phishing emails, but this trick is not optimal because some email service providers like Gmail display a warning when users click a link to untrusted domains in any email notification. If this feature isn’t on, warnings only emerge for clicks to untrusted domains from dubious emails.
People may think that if the Blockchain and Web3 are in such safe conditions, how are phishing attacks still wreaking mayhem in the crypto world? The response is: through social engineering.
Attackers are just as intelligent as they are unethical. As revealed by Microsoft, the perpetrators are obtaining a malicious smart contract signed by susceptible users that would redirect tokens from non-custodial wallets to an attacker-managed address.
Due to the absence of clarity on the transactional interface in Web3, it is quite complex to catch or follow the removal of tokens. Sounds typical? Phishing emails mailed by hackers to fool businesses make use of identical tactics.
Some of the more common social engineering tricks hackers are using include:
Ice phishing is a type of phishing that fools the user into signing a transaction that entrusts the consent of the user’s tokens to the attacker. Microsoft’s Defender team put out these amazing graphics describing the attack:
Figure 1: Uniswap example flow
Figure 2 – Signature request.
In an ice phishing attack, the attacker simply needs to alter the sender address to the attacker’s address. This can be quite convincing as the user interface doesn’t deliver all relevant data that can show that the transaction has been meddled with.
It’s important to train employees in security awareness and phishing techniques.
Additional exercises and controls should be enforced to address high-risk employee concerns. Some of those controls contain more standard user access privileges, Multi-Factor Authentication (MFA), Privileged Access Management (PAM) if the user’s access is believed to be “high” or administrator-level, extra logging, and inspecting around such user accounts, and implementing stronger password policy.
Yet, most of those controls don’t do much to stop Web3 attacks on Web3 app front ends. Here are some recommendations end users could follow to secure themselves against threats like Ice Phishing:
The best security measures are attention and education. Never open attachments or links in unsolicited emails, even if the emails arrived from an identified source. Enterprises should enlighten and teach their employees to be mindful of any communication that solicits personal or financial data. They should also train employees to inform the firm’s security operations team instantly in case of a suspected attack. To find out how you can protect your company against ice phishing attacks, reach out to our blockchain security experts at email@example.com.