Microsoft has warned of emerging cyber risks such as ‘ice phishing’ campaigns that can leave the supposedly safe world of decentralised finance (DeFi) at the mercy of hackers as the use of blockchain and web3 technology grows.
The Microsoft 365 Defender Research Team has discovered attacks that resemble typical credential phishing attacks observed on web2, although some are specific to web3.
The team said in a statement late on Wednesday, “Imagine if an attacker can — single-handedly — grab a big chunk of the nearly 2.2 trillion US dollar cryptocurrency market capitalisation and do so with almost complete anonymity. This changes the dynamics of the game and is exactly what’s happening in the web3 world multiple times a month.”
Web3 is a decentralised world built on top of cryptographic security, which is the blockchain’s foundation (in contrast, web2 is the more centralised world).
Web3 protects the funds in your non-custodial wallet with a private key that is only known to you.
Microsoft said, “Smart contracts you interact with are immutable, often open-source, and audited. How do phishing attacks happen with such a secure foundation?”
The technique of ‘ice phishing’ does not entail stealing one’s private keys. Rather, it involves duping a user into signing a transaction that gives the attacker approval over the user’s tokens.
Microsoft said, “This is a common type of transaction that enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens.”
Working Mechanism
In an ‘ice phishing’ attack, the attacker only needs to change the spender address to the attacker’s address.
Since the user interface does not display all the important information that could indicate that the transaction has been tampered with, this can be highly effective.
The spender can access the funds after the approval transaction has been signed, submitted, and mined. In an ‘ice phishing’ attack, the attacker can gather approvals over time and then swiftly drain all of the victim’s wallets.
This is exactly what happened with the Badger DAO attack in November-December 2021, when the attacker was able to syphon around $121 million.
Microsoft said, “The Badger DAO attack highlights the need to build security into web3 while it is in its early stages of evolution and adoption.”
It added, “At a high level, we recommend that software developers increase security usability of web3. In the meantime, end users need to explicitly verify information through additional resources, such as reviewing the project’s documentation and external reputation/informational websites.”
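To illustrate the verification step, the following added example (not code from Microsoft or from the original article) decodes an approval transaction's calldata so the spender address and allowance can be shown to the user before signing. It assumes the token follows the standard ERC-20 approve(address,uint256) encoding, which the article does not name; the allowlist, addresses and function names are constructed for illustration.

```python
# Added example: surface the spender and amount hidden inside approval calldata.
# Assumes standard ERC-20 ABI encoding; all addresses below are constructed samples.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

# Hypothetical allowlist of spender contracts the user has verified out of band.
KNOWN_SPENDERS = {"0x" + "11" * 20: "Example DeFi contract (constructed)"}


def build_approve(spender, amount):
    """Encode approve(spender, amount) calldata, used here to make sample inputs."""
    addr = bytes.fromhex(spender[2:])
    return "0x" + (APPROVE_SELECTOR + addr.rjust(32, b"\0")
                   + amount.to_bytes(32, "big")).hex()


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for other calls."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) != 4 + 64 or data[:4] != APPROVE_SELECTOR:
        return None
    if any(data[4:16]):  # an address occupies the low 20 bytes of its 32-byte word
        raise ValueError("malformed address word in approve() calldata")
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def review_approval(calldata_hex, known_spenders=KNOWN_SPENDERS):
    """Summarise what a wallet prompt should display before the user signs."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return {"is_approval": False, "warnings": []}
    spender, amount = decoded
    warnings = []
    if spender not in {k.lower() for k in known_spenders}:
        warnings.append("spender is not a verified contract")
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    return {"is_approval": True, "spender": spender,
            "amount": amount, "warnings": warnings}


if __name__ == "__main__":
    expected = build_approve("0x" + "11" * 20, 1000 * 10**18)
    tampered = build_approve("0x" + "ab" * 20, MAX_UINT256)  # spender swapped
    for name, tx in (("expected", expected), ("tampered", tampered)):
        print(name, review_approval(tx))
```

The two sample transactions differ only in the spender and amount words of the calldata, which is the information a signing prompt has to display for the change to be noticed.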
The late-2021 ‘ice phishing’ attack is just one example of the threats to blockchain technology.
Microsoft said, “Since then, many more hacks have occurred that impacted blockchain projects and users.”