
Blockchain ice phishers are on the loose, says Microsoft


What you need to know

  • Microsoft has a report on web3 phishing attacks.
  • Specifically, the company takes a look at "ice phishing," which is a term that describes when cybercriminals trick people into handing over their digital funds amid seemingly legitimate blockchain transactions.
  • While new blockchain-based phishing attacks present a fresh danger to average users, they also come with the benefit of being more easily monitored than web2 phishing strikes and, by extension, are easier to learn from.

As widespread and beloved as cryptocurrency has become in some corners of the web (and the world at large), learning how to mine crypto isn't without risks. For example, what if your stockpile of virtual currency scores the attention of a cybercriminal hoping to pull off a blockchain-based phishing attack?

For those not in the loop, the web2 phishing attacks of old have been revamped to fit the realm of web3. For a quick refresher on what web3 means, here's Microsoft's definition: "Web3 is the decentralized world that is built on top of cryptographic security that lays the foundation of the blockchain (in contrast, web2 is the more centralized world). In web3, funds you hold in your non-custodial wallet are secured by the private key that is only known to you. Smart contracts you interact with are immutable, often open-source, and audited."


So how does ice phishing on the blockchain work, then? It's all about fooling someone into approving fund transfers via seemingly legitimate transactions that have been subtly meddled with (in ways transaction user interfaces don't always display), allowing criminals to redirect funds to themselves. The icing on the cake of this swindle is that a criminal can gradually build up a stockpile of these approvals only to rapidly empty victims' wallets in one fell swoop, leaving the violated parties high and dry out of the blue.

You can dig into the details of ice phishing operations in Microsoft's blog post on the topic. If you want a highlight of the strategies the company advises for avoiding ice phishing, they include: don't trust the front end of smart contracts, get your contract audited, and use multiple crypto wallets.
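To make the "don't trust the front end" advice concrete, here is an added example (not from Microsoft's post or this article) that decodes the raw calldata of a transaction before it is signed and flags risky approvals. It assumes the approval is a standard ERC-20 `approve(address,uint256)` call; the allow-list, the helper names and the sample addresses are hypothetical and constructed for illustration.

```python
# Added example: inspect what a transaction really approves, independent of the UI.
APPROVE_SELECTOR = "095ea7b3"      # ERC-20 approve(address spender, uint256 amount)
MAX_UINT256 = 2**256 - 1
HEX = set("0123456789abcdef")

# Hypothetical allow-list of spender contracts the user intends to interact with.
TRUSTED_SPENDERS = {"0x" + "11" * 20}

def decode_approve(calldata):
    """Return (spender, amount) for an ERC-20 approve call, else None."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    # 4-byte selector + two 32-byte ABI words = 136 hex characters.
    if len(data) != 136 or not set(data) <= HEX or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:   # an address must be left-padded with zeros
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def review_approval(calldata, trusted=TRUSTED_SPENDERS):
    """Return a list of warnings a wallet or monitor could show before signing."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return []                       # not an approve call; out of scope here
    spender, amount = decoded
    if amount == 0:
        return []                       # amount 0 revokes an allowance
    warnings = []
    if spender not in trusted:
        warnings.append("spender %s is not on the allow-list" % spender)
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    return warnings

def build_approve(spender, amount):
    """Construct sample approve calldata for the checks below."""
    return "0x" + APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")

if __name__ == "__main__":
    unknown = "0x" + "ab" * 20          # constructed address, not a real contract
    for tx in (build_approve(unknown, MAX_UINT256),
               build_approve("0x" + "11" * 20, 1000)):
        print(decode_approve(tx), review_approval(tx))
```

Because granted approvals accumulate until they are used, the same check is worth running over a wallet's past approvals as well as over new signing requests.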

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.