Ice Phishing Scams: What Are They and How Can Web3 Users Stay Clear of These Cyber Attacks

In its latest advisory report to the global Web3 sector, cyber research firm CertiK has sounded an alert against the rising cases of ice phishing scams.

Written by Radhika Parashar, Edited by Siddharth Suvarna | Updated: 21 December 2022 14:06 IST

Ice Phishing Scams: What Are They and How Can Web3 Users Stay Clear of These Cyber Attacks

Photo Credit: Pexels/ Tima Miroshnichenko

Microsoft first highlighted the rise in ice-phishing scams in February this year

Highlights

Crypto community is under constant threat from scammers
Ice phishing scams trick users into signing-off their funds to be used
Traditional phishing scammers try and steal private keys to drain account

The boom in the global fintech industry, has ushered in an era of scammers, armed with high-end tech tools to dupe you out of your hard-earned money. One such advanced scamming technique, especially targeted at the crypto community, is called ‘ice phishing'. In its latest advisory report to the global Web3 sector, cyber research firm CertiK has sounded an alert against the rising cases of ice phishing scams while also outlining preventative measures to keep finances safeguarded.

Ice phishing scams are cyber-attacks that manoeuvre Web3 users into manually signing and approving permissions that allow notorious actors to spend their tokens.

These permissions usually have to be signed on decentralised finance (DeFi) protocols, that could easily be mock-ups.

Sam Bankman-Fried Signs Legal Papers Clearing Way for US Extradition

“The hacker just needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained,” CertiK wrote in its report.

Once the scammers get this permission, they can transfer the funds from the victim's accounts into any other wallet address.

This is not quite the case in traditional phishing scams, where hackers manage to steal private keys or passwords by luring in unsuspecting people into clicking on malicious links or having them visit infected fake websites.

Next Financial Crisis Will Come from Private Cryptocurrencies: RBI Governor

As a security-focussed suggestion, CertiK has asked Web3 investors to steer clear against granting permissions to unknown addresses, especially while browsing blockchain explorer sites like Etherscan.

People have been advised to look up for suspicious addresses asking for random permissions on blockchain explorer sites.

2/ The scam begins when a victim is tricked into approving the ice phishing address.

The scammers address will be presented to you when you are interacting with a malicious URL or Dapp

Below is an example of this type of transaction :point_down: pic.twitter.com/rwXt2t2DD6
— CertiK Alert (@CertiKAlert) December 20, 2022

The concept of ice phishing was first highlighted by Microsoft in a blog post published in February this year.

“Web3 is the decentralised world that is built on top of cryptographic security that lays the foundation of the blockchain. Now, imagine if an attacker can – single-handedly – grab a big chunk [of market funds] and do so with almost complete anonymity. This changes the dynamics of the game,” the software giant had said at the time.

Earlier last week, 14 NFTs of the expensive and famous Bored Apes Yacht Club (BAYC) collection, were stolen in an ice-phishing attack. The scam unfolded after an investor was duped into signing a transaction request, that looked like a contract to feature these NFTs in a film. Once the scammer bagged the permission, the NFTs were purchased by the actor for a next-to-nothing amount, Cointelegraph had revealed in a report.

5/ Victims may notice funds being transferred to a unknown address, but its the EOA that initiated the transaction that has compromised your wallet

Check your approvals for any addresses that may have compromised your wallet
— CertiK Alert (@CertiKAlert) December 20, 2022

“Many ice phishing scams can be found on social media such as Twitter, where fake profiles are disguising themselves as legitimate projects and promoting fake airdrops as an example. The easiest way to prevent yourself from becoming a victim of ice phishing is by going to trusted sites such as Coinmarketcap.com, coingecko.com, and certik.com to verify official sites,” the CertiK report noted.

Is the Realme Pad X the budget ‘iPad' you're looking for? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Cryptocurrency, Web3, Ice Phishing, Crypto Scam, CertiK

Radhika Parashar

Email Radhika

Radhika Parashar is a senior correspondent for Gadgets 360. She has been reporting on tech and telecom for the last three years now and will be focussing on writing about all things crypto. Besides this, she is a major sitcom nerd and often replies in Chandler Bing and Michael Scott references. For tips or queries you could reach out to her at RadhikaP@ndtv.com. More