Ice Phishing Threat to the ERC-20 Tokens on the Blockchain

As mentioned earlier, to better understand ice phishing, a quick primer on blockchain, non-custodial wallets, smart contracts, and ERC-20 tokens is required. Let’s dissect these key Web3 terms one by one.

• Blockchain: The blockchain is a circulated ledger defended and secured by cryptographic algorithms. It can be considered as a database that displays transfers of cryptocurrencies from one account to another. Transactions a user executes on a blockchain may alter the ledger, for example, by transmitting cryptocurrencies from his account to another account.

• Non-custodial wallets: Wallets envision the cryptocurrencies in a user’s account. Contrary to popular belief, wallets actually do not carry cryptocurrencies. Cryptocurrencies are reserved on the circulated ledger, i.e. the blockchain. A wallet permits users to utilize its cryptographic keys to sign transactions to transfer the coins to another account. In other words, a user’s cryptographic keys give him credentials to his cryptocurrencies. If a user discloses that key to another party or individual, then his funds may be transferred without his permission. 

There are two kinds of wallets – custodial wallets and non-custodial wallets. The custodial are wallets linked with cryptocurrency exchanges, whereas the non-custodial is a wallet that resides on a user’s device. The major dissimilarity between the two is who has access to and handles the cryptographic keys to sign transactions. Non-custodial wallets give the owner credentials to the cryptographic keys, whereas custodial wallets do not.

• Smart contracts: Smart contracts are code implemented on the blockchain that can carry cryptocurrencies and execute transactions. Smart contracts only run when a standard account – also dubbed externally owned account (EOA) – or another smart contract starts its undertaking.

• ERC-20 tokens: ERC-20 tokens are unique kinds of cryptocurrency tokens that are executed through an ERC-20 smart contract, basically as a balance sheet with a collection of operations that authorize the transfer of these tokens from one account to another. Each ERC-20 token has its smart contract that executes the ERC-20 token standard. For instance, LINK is a token.

Web2 means the arrangement of the internet most of us use today. The internet is monopolized by companies that give services in exchange for Personally identifiable information (PII). 

Web3, on the other hand, means decentralized apps that operate on the blockchain. These are apps that permit users to partake without giving their Personally identifiable information (PII).

So, what the hell is an “Ice Phishing” attack and how does it work? Let’s now take a deeper look.

Microsoft recently published a report describing security dangers to Web3 technologies, including ice phishing. In an ice phishing attack, attackers push to dupe victims into giving away permission for their tokens. They accomplish this by utilizing smart contracts to obscure their purposes.

In other words, ice phishing is a process that doesn’t include swiping private keys. Instead, it influences a user into signing a transaction that gives the attacker permission over the user’s tokens. With an ice phishing attack, the attacker only needs to modify the spender’s address to the attacker’s address. This is familiar in wire transfers and PayPal frauds as others are deceived into acknowledging it is transmitted from their companion or loved one. 

One of the most practical techniques of ice phishing employs cleverly devised images. These images utilize a combination of strategies to deceive users into clicking buttons and conducting financial transactions.

The “ice phishing” attack was a success because hackers collected permissions over some time, then immediately emptied the victim’s wallets. 

Web2 credential hacks are extremely similar to Web3 cryptographic key exposure. Attackers can trick users (by phishing) of Web3 to reveal the cryptographic keys. Revealing those keys to an illegal partaker can give the attacker the power to transfer the user’s funds without his permission. The attackers can phish the exact route via phishing emails, but this trick is not optimal because some email service providers like Gmail display a warning when users click a link to untrusted domains in any email notification. If this feature isn’t on, warnings only emerge for clicks to untrusted domains from dubious emails.

People may think that if the Blockchain and Web3 are in such safe conditions, how are phishing attacks still wreaking mayhem in the crypto world? The response is: through social engineering. 

Attackers are just as intelligent as they are unethical. As revealed by Microsoft, the perpetrators are obtaining a malicious smart contract signed by susceptible users that would redirect tokens from non-custodial wallets to an attacker-managed address. 

Due to the absence of clarity on the transactional interface in Web3, it is quite complex to catch or follow the removal of tokens. Sounds typical? Phishing emails mailed by hackers to fool businesses make use of identical tactics. 

Some of the more common social engineering tricks hackers are using include:

• Scanning social media for users going out to wallet software companies for help and hopping in with direct messages impersonating the support team to swipe someone’s private key directly.

• Circulating new tokens for free to a group of accounts (i.e., “Airdrop” tokens), and then canceling transactions on those tokens with an error message to divert to a phishing website or a website that puts coin mining malware that robs the credentials of the user’s local machine.

• Typosquatting and copying legal smart contract front ends

• Copying wallet software and swiping private keys directly.

Ice phishing is a type of phishing that fools the user into signing a transaction that entrusts the consent of the user’s tokens to the attacker. Microsoft’s Defender team put out these amazing graphics describing the attack:

Figure 1: Uniswap example flow

Figure 2 – Signature request.

In an ice phishing attack, the attacker simply needs to alter the sender address to the attacker’s address. This can be quite convincing as the user interface doesn’t deliver all relevant data that can show that the transaction has been meddled with.

It’s important to train employees in security awareness and phishing techniques.

Additional exercises and controls should be enforced to address high-risk employee concerns. Some of those controls contain more standard user access privileges, Multi-Factor Authentication (MFA), Privileged Access Management (PAM) if the user’s access is believed to be “high” or administrator-level, extra logging, and inspecting around such user accounts, and implementing stronger password policy.

Yet, most of those controls don’t do much to stop Web3 attacks on Web3 app front ends. Here are some recommendations end users could follow to secure themselves against threats like Ice Phishing: 

• Check if the contract address is correct or not. Unfortunately, one can’t depend on the smart contract front-end to communicate with the right smart contract. The contract address that occurs in the transaction to be signed ought to be checked before the transaction is offered. This is a space where wallet providers can put a layer of security.

• Make sure the smart contract has been audited by a reputable blockchain cybersecurity firm (like Halborn). 

• Is the contract upgradeable (in other words, is it executed as a proxy practice) such that the project can implement patches when bugs are found? Etherscan’s contract tab displays whether a smart contract has been enforced as a proxy.

• Does the smart contract have incident response or crisis qualifications, like pause/ unpause? Under what circumstances are these started?

• What are the security features of the smart contract after implementation?

• Manage cryptocurrencies and tokens via a combination of wallets (instead of just having one) and/or occasionally scan and revoke token allowances. Etherscan’s Ethereum Token Approval checker makes doing this effortless.

The best security measures are attention and education. Never open attachments or links in unsolicited emails, even if the emails arrived from an identified source. Enterprises should enlighten and teach their employees to be mindful of any communication that solicits personal or financial data. They should also train employees to inform the firm’s security operations team instantly in case of a suspected attack. To find out how you can protect your company against ice phishing attacks, reach out to our blockchain security experts at halborn@protonmail.com.