Among the many types of fraud, phishing attacks are one of the most common methods used by fraudsters.
In Web3.0, however, there is not only conventional phishing but also "Ice Phishing", a kind of attack that poses a major threat to the community.
Earlier in 2022, Microsoft first explained the specific form of this type of attack in a blog post: the scammer does not need to trick the user out of a private key or mnemonic, but directly induces the user to approve the transfer of assets to the scammer's wallet.
So far, Ice Phishing has caused millions of dollars in property damage in the Web3.0 field.
What is Ice Phishing?
Ice Phishing is a type of attack unique to the Web3.0 world, in which users are tricked into signing permissions that allow fraudsters to directly spend the assets in the user's account.
This differs from traditional phishing attacks, which are a type of social engineering attack and are often used to steal user data, including login credentials and wallet or asset information such as private keys or passwords.
Compared with this, Ice Phishing poses a greater threat to Web3.0 users: interacting with DeFi protocols requires users to grant permissions, and fraudsters only need to convince users that the malicious addresses they approve are legitimate. Once a user approves a fraudster to spend their assets, there is a risk that the account will be stolen.
On-chain Ice Phishing
The first stage of an Ice Phishing attack is often that the victim is tricked into approving an EOA or a malicious contract to spend the assets in the victim's wallet.
[Images omitted. Sources: Etherscan, CertiK]
If you see an address you don't recognize, or one that initiates a transaction without your approval, revoke permissions immediately (either by visiting a site like revoke.cash or by connecting your wallet to a blockchain explorer).
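What such an approval looks like in a transaction's input data, as an added example that is not part of the original article: the decoder below recognises the standard ERC-20, ERC-721 and ERC-1155 approval calls and flags grants to spenders the user has not vetted. The trusted-spender list, addresses and calldata are constructed samples, and `approve` is assumed to target an ERC-20 token (on an ERC-721 contract the second argument is a token ID, not an amount).

```python
# Added example: flag token approvals granted to unvetted spenders.
# Selectors are the standard ERC-20 / ERC-721 / ERC-1155 ones; every
# address and calldata string below is a constructed sample.
MAX_UINT256 = 2**256 - 1

# 4-byte selector -> (function name, meaning of the second argument)
APPROVAL_SELECTORS = {
    "095ea7b3": ("approve", "amount"),              # approve(address,uint256)
    "39509351": ("increaseAllowance", "amount"),    # increaseAllowance(address,uint256)
    "a22cb465": ("setApprovalForAll", "approved"),  # setApprovalForAll(address,bool)
}

def decode_approval(calldata):
    """Return a dict describing the approval, or None if it is not one."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in APPROVAL_SELECTORS or len(args) < 128:
        return None
    name, kind = APPROVAL_SELECTORS[selector]
    try:
        # Each ABI argument is one 32-byte word; an address is its low 20 bytes.
        value = int(args[64:128], 16)
        int(args[:64], 16)
    except ValueError:
        return None  # not valid hex
    return {"function": name, "kind": kind,
            "spender": "0x" + args[24:64], "value": value}

def assess(calldata, trusted_spenders):
    """Return 'not-approval', 'no-grant', 'ok' or 'warn:<reason>'."""
    info = decode_approval(calldata)
    if info is None:
        return "not-approval"
    if info["value"] == 0:
        # approve(spender, 0) and setApprovalForAll(op, false) revoke;
        # increaseAllowance(spender, 0) changes nothing.
        return "no-grant"
    if info["spender"] not in {a.lower() for a in trusted_spenders}:
        return "warn:unknown-spender"
    if info["kind"] == "amount" and info["value"] == MAX_UINT256:
        return "warn:unlimited-allowance"
    return "ok"

# Constructed samples: one vetted spender, one unknown spender.
TRUSTED = {"0x" + "11" * 20}
PAD = "00" * 12
UNLIMITED_TO_UNKNOWN = "0x095ea7b3" + PAD + "ab" * 20 + "ff" * 32
APPROVE_ALL_TO_UNKNOWN = "0xa22cb465" + PAD + "ab" * 20 + "00" * 31 + "01"
REVOKE_UNKNOWN = "0x095ea7b3" + PAD + "ab" * 20 + "00" * 32
```

An unknown spender is reported before the allowance size is considered, since a small allowance to an unvetted address is still a grant the user did not intend.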
How to revoke permissions using a blockchain explorer such as Etherscan?
2. Connect wallet
3. Click on the ERC-20, ERC-721 or ERC-1155 tab to find the address whose approval you want to revoke.
4. Click the Cancel button
How to identify Ice Phishing?
The first place to look for telltale signs of an Ice Phishing trap is the URL or DApp you are using.
Malicious websites copy pages from legitimate projects, or pretend to be partners with legitimate organizations.
For example, we often see fraudulent websites claiming a connection with CertiK or uploading fake CertiK audit reports.
[Images omitted. Sources: CertiK Investigative Team, MetaMask]
Users can submit reports of malicious contracts on certik.com
Users can perform some on-chain checks themselves as part of their own DYOR (Do Your Own Research), such as looking up the address presented by the DApp or URL on a blockchain explorer (such as Etherscan) to see if there is any suspicious activity.
[Images omitted. Sources: Etherscan, Twitter]
After investigating some of the victims' wallets and the complaints posted on social media, we discovered a fake Maximus DAO Twitter page, which is likely related to the Ice Phishing wallet.
How to protect yourself?
The easiest way to avoid falling victim to Ice Phishing is to visit trusted websites to verify the authenticity of the information, such as coinmarketcap.com, coingecko.com, and certik.com.
Many Ice Phishing scams can be found on social media such as Twitter, where fraudulent projects masquerade as legitimate projects and promote fake events like airdrops.
[Image omitted. Source: @CertiKAlert]
Closing thoughts
Phishing sites are one of the most common types of scams we see in the Web 3.0 world, and users sometimes don't even realize they've fallen for a trap because they don't give out any sensitive information.
So in addition to doing some on-chain checks on your own, you also need to spend more time double-checking that the URL you are interacting with is verified by a trusted source. The time spent will pay off one day.
