New Delhi: As the adoption of blockchain and Web3 technologies rises, Microsoft has warned of new cyber threats, including ‘ice phishing’ campaigns, that can put the supposedly secure, decentralised world of DeFi finance at the mercy of hackers.
The Microsoft 365 Defender Research Team has spotted attacks that resemble the traditional credential phishing attacks observed on web2, although some are unique to web3.
“Imagine if an attacker can — single-handedly — grab a big chunk of the nearly 2.2 trillion US dollar cryptocurrency market capitalisation and do so with almost complete anonymity. This changes the dynamics of the game and is exactly what’s happening in the web3 world multiple times a month,” the team said in a statement late on Wednesday.
Web3 is the decentralised world built on the cryptographic security that forms the foundation of the blockchain (in contrast, web2 is the more centralised world).
In web3, the funds you hold in your non-custodial wallet are secured by a private key that is known only to you.
“Smart contracts you interact with are immutable, often open-source, and audited. How do phishing attacks happen with such a secure foundation?” said Microsoft.
The ‘ice phishing’ technique doesn’t involve stealing one’s private keys. Rather, it entails tricking a user into signing a transaction that delegates approval of the user’s tokens to the attacker.
“This is a common type of transaction that enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens,” Microsoft informed.
In an ‘ice phishing’ attack, the attacker merely needs to change the spender address in that approval to the attacker’s own address.
This can be quite effective as the user interface doesn’t show all pertinent information that can indicate that the transaction has been tampered with.
Once the approval transaction has been signed, submitted, and mined, the spender can access the funds. In the case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all the victims’ wallets quickly.
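The check a wallet or a cautious user can make before signing, shown as an added example that is not from Microsoft or the original report: it decodes the spender and amount from an approval's calldata and compares the spender with the addresses the project documents. It assumes the approval is the standard ERC-20 `approve(address,uint256)` call; the function names, the allowlist and the sample addresses are constructed for illustration.

```javascript
// Added example (not Microsoft's code): inspect calldata before a wallet signs it.
const APPROVE_SELECTOR = "095ea7b3"; // selector of ERC-20 approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Returns { spender, amount } for a well-formed approve call, otherwise null.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  // 4-byte selector + two 32-byte ABI words = 8 + 64 + 64 hex characters.
  if (hex.length !== 136 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address is right-aligned in its word; the upper 12 bytes must be zero.
  if (!spenderWord.startsWith("0".repeat(24))) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// expectedSpenders: hypothetical allowlist of contract addresses the dApp documents.
function reviewApproval(calldata, expectedSpenders) {
  const decoded = decodeApprove(calldata);
  if (decoded === null) return { isApproval: false, warnings: [] };
  const allowed = expectedSpenders.map((a) => a.toLowerCase());
  const warnings = [];
  if (!allowed.includes(decoded.spender)) warnings.push("spender-not-expected");
  if (decoded.amount === MAX_UINT256) warnings.push("unlimited-allowance");
  return { isApproval: true, ...decoded, warnings };
}

// Constructed sample data: placeholder addresses, not real contracts.
const EXPECTED_SPENDER = "0x" + "11".repeat(20);
const UNKNOWN_SPENDER = "0x" + "22".repeat(20);
function sampleApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR + spender.slice(2).padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

const tampered = sampleApprove(UNKNOWN_SPENDER, MAX_UINT256);
console.log(reviewApproval(tampered, [EXPECTED_SPENDER]));
```

An approval whose spender is not on the documented list, or whose amount is the maximum 256-bit value, is the case the user interface described above fails to surface.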
This is exactly what happened with the Badger DAO attack that enabled the attacker to drain approximately $121 million in November-December 2021.
“The Badger DAO attack highlights the need to build security into web3 while it is in its early stages of evolution and adoption,” said Microsoft.
“At a high level, we recommend that software developers increase security usability of web3. In the meantime, end users need to explicitly verify information through additional resources, such as reviewing the project’s documentation and external reputation/informational websites,” the tech giant added.
The ‘ice phishing’ attack in late 2021 is just one example of the threats affecting blockchain technology.
“Since then, many more hacks have occurred that impacted blockchain projects and users,” said Microsoft.