The boom in the global fintech industry has ushered in an era of scammers armed with high-end tech tools to cheat you out of your hard-earned cash. One of these advanced scam techniques, specifically targeting the crypto community, is known as “ice phishing”. In its latest advisory report for the global Web3 sector, cyber research firm CertiK has warned of the rising cases of ice phishing scams while outlining preventative measures to protect finances.
Ice phishing scams are cyber attacks this maneuver Web3 user into manually signing and approving credentials that allow notorious actors to issue their tokens.
These permits usually have to be signed on DeFi (Decentralized Finance) protocols, which could easily be knockoffs.
“That hacker just needs to trick a user into believing that the malicious address they are giving permission to is legitimate. Once a user has given the scammer permission to issue tokens, there is a risk that the assets will be siphoned off.” CertiK wrote in his report.
Once the scammers get this permission, they can then transfer the funds from the victim’s accounts to other accounts wallet address.
This is not entirely the case in traditional phishing scamwhere hackers manage to steal private keys or passwords by tricking unsuspecting people into clicking on malicious links or tricking them into visiting infected bogus websites.
As a security-focused proposition, CertiK has asked Web3 investors to stay away from granting permissions to unknown addresses, especially when browsing blockchain explorer sites like Etherscan.
People have been advised to look for suspicious addresses asking for random permissions on blockchain explorer sites.
2/ The scam starts when a victim is tricked into approving the ice phishing address.
Scammer’s address will be shown to you when you interact with malicious url or dapp
Below is an example of this type of transaction :point_down: pic.twitter.com/rwXt2t2DD6
— CertiK Alert (@CertiKAlert) December 20, 2022
The concept of ice phishing was first highlighted by Microsoft in a blog entry published in February of this year.
“Web3 is the decentralized world built on top of the cryptographic security that is the foundation of the Blockchain. Now imagine that an attacker could – single-handedly – grab a large chunk [of market funds] and this with almost complete anonymity. It changes the dynamics of the game,” the software giant said at the time.
Last week 14 NFTs the expensive and famous Bored Apes Yacht Club (BAYC) collection., were stolen in an ice phishing attack. The scam unfolded after an investor was tricked into signing what appeared to be a transaction request to have these NFTs featured in a movie. After the scammer bagged the permit, the NFTs were bought by the actor for next to nothing. coin telegraph had revealed in a report.
5/ Victims may notice that funds are being sent to an unknown address, but it is the EOA that initiated the transaction that compromised your wallet
Check your permissions for addresses that may have compromised your wallet
— CertiK Alert (@CertiKAlert) December 20, 2022
“Many ice phishing scams can be found on social media, such as Twitter, where fake profiles masquerade as legitimate projects and promote fake airdrops as an example. The easiest way to avoid becoming a victim of ice phishing is to visit trusted sites like Coinmarketcap.com, coingecko.com, and certik.com to verify official websites,” the CertiK report reads .
