Crypto community members should be aware of the new "ice phishing" scams - a type of phishing scam targeting Web3 users that were first uncovered by Microsoft.
ICE phishing scams were described by CertiK in an analysis report released on Dec. 20 as attacks designed to trick Web3 users into allowing scammers to spend their tokens.
The fake website that claimed to help FTX investors recover their lost funds distinguished this from traditional phishing attacks, in which hackers attempt to gain access to confidential information such as private keys or passwords.
An elaborate ice phishing attack resulted in the theft of 14 Bored Apes on December 17. The scammers persuaded investors to sign fake film contracts that allowed them to purchase all of the users' Apes.
Web3 has a "considerable risk" of this type of scam occurring because investors are often required to sign permissions to decentralized finance protocols. CertiK wrote:
“The hacker just needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained.”
A scammer may transfer assets to any address of their choice once they have gained approval.
An example of how an ice phishing attack works on Etherscan. Source: Certik
Cryptocurrency explorers like Etherscan and token approval tools can help investors avoid ice phishing attacks.
Blockchain explorers should also be checked for suspicious activity related to addresses users plan to interact with. Tornado Cash withdrawals were used to fund one address highlighted by CertiK's analysis.
CertiK recommends users only interact with official sites they can verify, and be wary of social media sites like Twitter.
Fake Optimism Twitter account. Source: Certik
To ensure that a URL links to a legitimate site, users should check a trusted site such as CoinMarketCap or CoinGecko.
A February 2016 blog post published by Microsoft highlighted this practice for the first time, stating that while credential phishing is very prevalent in the Web2 world, ice phishing allows individual scammers to steal a portion of the crypto industry while maintaining “almost complete anonymity.”
As a result, they recommended that Web3 projects and wallet providers increase their software security, so that the burden of preventing ice phishing attacks does not fall solely on the end user.