Microsoft has warned of emerging threats in the Web3 landscape, including “ice phishing” campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while it’s still in its early stages.
The company’s Microsoft 365 Defender Research Team called out various new avenues through which malicious actors may attempt to trick cryptocurrency users into giving up their private cryptographic keys and carry out unauthorized fund transfers.
“One aspect that the immutable and public blockchain enables is complete transparency, so an attack can be observed and studied after it occurred,” Christian Seifert, principal research manager at Microsoft’s Security and Compliance group, said. “It also allows assessment of the financial impact of attacks, which is challenging in traditional web2 phishing attacks.”
The theft of keys can be carried out in a variety of ways, including impersonating software wallets, installing malware on victims’ devices, typosquatting the front ends of legitimate smart contracts, and minting rogue tokens for airdrop frauds.
Another technique involves what Microsoft calls “ice phishing.” The method does not steal a user’s keys but tricks the victim into signing a transaction that delegates authorization over the user’s tokens to an attacker-controlled address.
“Once the authorization transaction is signed, submitted and mined, the spender will be able to access the funds,” Seifert explained. “In case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all [the] victim’s wallets quickly.”
One such instance of ice phishing came to light in early December 2021 with the high-profile hack of Ethereum-based DeFi platform BadgerDAO, wherein a maliciously injected snippet using a compromised API key enabled the adversary to siphon $121 million in funds.
“The attacker deployed the worker script via a compromised API key that was created without the knowledge or authorization of Badger engineers,” BadgerDAO said. “The attacker(s) used this API access to periodically inject malicious code into the Badger application such that it only affected a subset of the user base.”
The script was programmed such that it would intercept Web3 transactions from wallets over a certain balance and insert a request to transfer the victim’s tokens to an address chosen by the attackers.
To mitigate these threats, Microsoft recommends that users review and audit smart contracts for adequate incident response or emergency capabilities, and periodically reassess and revoke token allowances.
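The mechanism described above and the “reassess and revoke token allowances” advice can be made concrete with a small audit script. The following is an added example and is not code from Microsoft, BadgerDAO or The Hacker News: it replays constructed ERC-20 `Approval` event logs for a wallet (the addresses, amounts and block numbers are placeholders), keeps the most recent allowance per token/spender pair, flags spenders that are unknown or hold an unlimited allowance, and builds the `approve(spender, 0)` calldata that would revoke each one. The only real constants it relies on are the standard ERC-20 `Approval` event topic hash and the `approve(address,uint256)` function selector.

```python
"""Audit a wallet's ERC-20 token allowances from Approval event logs.

Added example, not code from Microsoft or BadgerDAO. An "ice phishing" approval is
an ordinary ERC-20 approve(spender, amount) call, so the defensive check is to
decode the Approval events emitted for the wallet, keep the latest allowance per
(token, spender) pair, and flag spenders that are unknown or hold unlimited
allowances so they can be revoked with approve(spender, 0).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Function selector of approve(address,uint256), used to build revocation calldata.
APPROVE_SELECTOR = "0x095ea7b3"
UINT256_MAX = 2**256 - 1

# Constructed placeholder addresses (not real contracts or wallets).
WALLET = "0x" + "aa" * 20    # the user's wallet (token owner)
TOKEN = "0x" + "01" * 20     # an ERC-20 token contract
DEX = "0x" + "02" * 20       # a spender the user knowingly approved
UNKNOWN = "0x" + "bb" * 20   # a spender introduced by a phishing page
KNOWN_SPENDERS = {DEX}


def _address_topic(addr: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes in a topic."""
    return "0x" + "00" * 12 + addr[2:].lower()


def _topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()


def _approval_log(block: int, index: int, owner: str, spender: str, amount: int) -> dict:
    """Build a log dict shaped like an eth_getLogs entry (constructed sample data)."""
    return {
        "address": TOKEN,
        "blockNumber": block,
        "logIndex": index,
        "topics": [APPROVAL_TOPIC, _address_topic(owner), _address_topic(spender)],
        "data": "0x" + amount.to_bytes(32, "big").hex(),
    }


# Constructed history: a normal DEX approval, a phishing approval for an
# unlimited amount, a later re-approval of the DEX, and an unrelated event.
SAMPLE_LOGS = [
    _approval_log(100, 0, WALLET, DEX, 1000 * 10**18),
    _approval_log(105, 3, WALLET, UNKNOWN, UINT256_MAX),
    _approval_log(110, 1, WALLET, DEX, 500 * 10**18),
    {"address": TOKEN, "blockNumber": 111, "logIndex": 0,
     "topics": ["0x" + "ff" * 32, _address_topic(WALLET), _address_topic(DEX)],
     "data": "0x" + (1).to_bytes(32, "big").hex()},
]


@dataclass
class Allowance:
    token: str
    spender: str
    amount: int
    block: int


def decode_approval(log: dict, owner: str) -> Optional[Allowance]:
    """Return the Allowance from an Approval log emitted for `owner`, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    if _topic_to_address(topics[1]) != owner.lower():
        return None
    amount = int(log["data"], 16)
    return Allowance(log["address"].lower(), _topic_to_address(topics[2]), amount, log["blockNumber"])


def latest_allowances(logs: List[dict], owner: str) -> Dict[Tuple[str, str], Allowance]:
    """Replay Approval events in chain order; approve() overwrites, so the last one wins."""
    current: Dict[Tuple[str, str], Allowance] = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        allowance = decode_approval(log, owner)
        if allowance is not None:
            current[(allowance.token, allowance.spender)] = allowance
    return current


def flag_allowances(allowances: Dict[Tuple[str, str], Allowance], known_spenders) -> List[Tuple[Allowance, str]]:
    """Return non-zero allowances that deserve review, with the reason(s)."""
    known = {s.lower() for s in known_spenders}
    flagged = []
    for allowance in allowances.values():
        if allowance.amount == 0:
            continue  # already revoked, nothing to do
        reasons = []
        if allowance.spender not in known:
            reasons.append("unknown spender")
        if allowance.amount == UINT256_MAX:
            reasons.append("unlimited allowance")
        if reasons:
            flagged.append((allowance, "; ".join(reasons)))
    return flagged


def revocation_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0): the transaction that revokes an allowance."""
    return APPROVE_SELECTOR + "00" * 12 + spender[2:].lower() + "00" * 32


if __name__ == "__main__":
    for allowance, reason in flag_allowances(latest_allowances(SAMPLE_LOGS, WALLET), KNOWN_SPENDERS):
        print(f"token {allowance.token} spender {allowance.spender} (block {allowance.block}): {reason}")
        print(f"  revoke with calldata {revocation_calldata(allowance.spender)}")
```

Against the constructed history the script reports only the unlimited allowance granted to the unknown spender at block 105; the DEX allowance is not flagged because its latest value is bounded and the spender is on the user’s own allowlist. In practice the logs would come from an `eth_getLogs` query filtered on the `Approval` topic and the wallet’s address, and the allowlist from the contracts the user has deliberately interacted with.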