The boom in the global fintech industry, has ushered in an era of scammers, armed with high-end tech tools to dupe you out of your hard-earned money. One such advanced scamming technique, especially targeted at the crypto community, is called ‘ice phishing'. In its latest advisory report to the global Web3 sector, cyber research firm CertiK has sounded an alert against the rising cases of ice phishing scams while also outlining preventative measures to keep finances safeguarded.
Ice phishing scams are cyber-attacks that manoeuvre Web3 users into manually signing and approving permissions that allow notorious actors to spend their tokens.
These permissions usually have to be signed on decentralised finance (DeFi) protocols, that could easily be mock-ups.
“The hacker just needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained,” CertiK wrote in its report.
Once the scammers get this permission, they can transfer the funds from the victim's accounts into any other wallet address.
This is not quite the case in traditional phishing scams, where hackers manage to steal private keys or passwords by luring in unsuspecting people into clicking on malicious links or having them visit infected fake websites.
As a security-focussed suggestion, CertiK has asked Web3 investors to steer clear against granting permissions to unknown addresses, especially while browsing blockchain explorer sites like Etherscan.
People have been advised to look up for suspicious addresses asking for random permissions on blockchain explorer sites.
The concept of ice phishing was first highlighted by Microsoft in a blog post published in February this year.
“Web3 is the decentralised world that is built on top of cryptographic security that lays the foundation of the blockchain. Now, imagine if an attacker can – single-handedly – grab a big chunk [of market funds] and do so with almost complete anonymity. This changes the dynamics of the game,” the software giant had said at the time.
Earlier last week, 14 NFTs of the expensive and famous Bored Apes Yacht Club (BAYC) collection, were stolen in an ice-phishing attack. The scam unfolded after an investor was duped into signing a transaction request, that looked like a contract to feature these NFTs in a film. Once the scammer bagged the permission, the NFTs were purchased by the actor for a next-to-nothing amount, Cointelegraph had revealed in a report.
“Many ice phishing scams can be found on social media such as Twitter, where fake profiles are disguising themselves as legitimate projects and promoting fake airdrops as an example. The easiest way to prevent yourself from becoming a victim of ice phishing is by going to trusted sites such as Coinmarketcap.com, coingecko.com, and certik.com to verify official sites,” the CertiK report noted.
Affiliate links may be automatically generated - see our ethics statement for details.