The boom in the global fintech industry, has ushered in an era of scammers, armed with high-end tech tools to dupe you out of your hard-earned money. One such advanced scamming technique, especially targeted at the crypto community, is called ‘ice phishing’. In its latest advisory report to the global Web3 sector, cyber research firm CertiK has sounded an alert against the rising cases of ice phishing scams while also outlining preventative measures to keep finances safeguarded.
Ice phishing scams arethat manoeuvre into manually signing and approving permissions that allow notorious actors to spend their tokens.
These permissions usually have to be signed on decentralised finance (DeFi) protocols, that could easily be mock-ups.
“Thejust needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained,” wrote in its report.
Once the scammers get this permission, they can transfer the funds from the victim’s accounts into any other.
This is not quite the case in traditional, where hackers manage to steal private keys or passwords by luring in unsuspecting people into clicking on malicious links or having them visit infected fake websites.
As a security-focussed suggestion, CertiK has asked Web3 investors to steer clear against granting permissions to unknown addresses, especially while browsing blockchain explorer sites like Etherscan.
People have been advised to look up for suspicious addresses asking for random permissions on blockchain explorer sites.
2/ The scam begins when a victim is tricked into approving the ice phishing address.
The scammers address will be presented to you when you are interacting with a malicious URL or Dapp
Below is an example of this type of transaction :point_down:
— CertiK Alert (@CertiKAlert)
The concept of ice phishing was first highlighted by Microsoft in apublished in February this year.
“Web3 is the decentralised world that is built on top of cryptographic security that lays the foundation of the. Now, imagine if an attacker can – single-handedly – grab a big chunk [of market funds] and do so with almost complete anonymity. This changes the dynamics of the game,” the software giant had said at the time.
Earlier last week, 14of the expensive and famous , were stolen in an ice-phishing attack. The scam unfolded after an investor was duped into signing a transaction request, that looked like a contract to feature these NFTs in a film. Once the scammer bagged the permission, the NFTs were purchased by the actor for a next-to-nothing amount, had revealed in a report.
5/ Victims may notice funds being transferred to a unknown address, but its the EOA that initiated the transaction that has compromised your wallet
Check your approvals for any addresses that may have compromised your wallet
— CertiK Alert (@CertiKAlert)
“Many ice phishing scams can be found on social media such as, where fake profiles are disguising themselves as legitimate projects and promoting fake airdrops as an example. The easiest way to prevent yourself from becoming a victim of ice phishing is by going to trusted sites such as Coinmarketcap.com, coingecko.com, and certik.com to verify official sites,” the CertiK report noted.