What is Ice Phishing?
Ice phishing is a blockchain based attack which Microsoft raised concerns about earlier this year and involves tricking a user into signing a malicious transaction so that the attacker can gain control over the cryptoassets.
On Chain Transactions
Many crypto holders will connect their browser based wallet, such as Metamask, to decentralised applications and services. This allows them to interact with the application; buying in-game items, entering a metaverse, allowing owned items such as NFTs to be shown in the app etc. To complete these actions, users must sign transactions via their Metamask and it is this part of the process which bad actors are trying to exploit.
When an app needs to complete an on-chain action then the Metamask pop up will open and request that the user confirms or cancels the transaction.
Above is an example of the transaction information which is given to pet an Aavegotchi (a blockchain based Tamagotchi which requires petting every 12 hours to keep its frendly levels up).
This particular transaction doesn’t involve the movement of any assets, fungible or non-fungible, and is an `interact` with an on-chain item — namely the NFT representing my cute little ghost.
However many transactions will initiate the movement of assets and some will allow the movement of assets via a smart contract e.g decentralised finance applications (DeFi dApps). Therefore in some transactions it can be harder to decode what the on chain actions will be that you are approving, especially if they are giving permission for sequential actins rather than one immediate action. It is this lack of clarity which bad actors are looking to exploit when they go ice phishing.
How The Attack Works
Attackers will often pretend to be a customer service representative for a crypto project/service, and reach out to users posting for assistance in project or community Discord servers or Twitter threads. They will then aim to hook the user into signing a transaction which delegates approval for the victim’s cryptoassets to be moved to the attack’s control.
This is especially effective for DeFi services such as Decentralised Exchanges (DEXs) since they can be complex for novice crypto users to navigate and always require a metamask connection to be made.
If we walk through a transaction to swap some DAI for ILV (the currency of the new metaverse world Illuvium) on SushiSwap — a popular DEX, then we can see that in order for SushiSwap to make the trade, I have to provide access to the DAI in my wallet.
I can expand the transaction information to see more information and then it’s made clear that by confirming the transaction I’ll be granting access to the contract: 0xd9e1cE17f2641f24aE83637ab66a2cca9C378B9F to trade a maximum amount of DAI on my behalf. However the information provided is still very limited about the nature of access my confirmation provides to this account and the series of actions which may follow when the contract has this authority.
What an ice phishing attack will do is provide a fraudulent link purporting to be a DEX, such as SushiSwap or a help page for a crypto service, and then when the victim goes to sign the transaction, the attacker will have put their own address within the `Granted to:` part of the transaction. This will give them access to the cryptoassets in your wallet and allow them to be transferred out.
Since Metamask shows the contract hash rather than an identifiable name, it wouldn’t be immediately obvious to spot such a switch unless you were to screen the contract address through a block explorer or blockchain analytics tool to be sure it is for the entity you expect rather than the attacker.
But it’s not just interaction with DEXs which pose an ice phishing threat, entering the metaverse can pose a risk too. This is because in order to access the full range of functionality and interactions, you need to sign into the digital world with your blockchain account. For Decentraland this requires a simple sign in via metamask and for the Gotchiverse this requires signing a welcome message to verify your identity. However any malicious actor could look to dupe the victim into signing a transaction which delegates access to cryptoassets in the account by providing a false link to the metaverse, directing them to sign in using it and then having a delegate action rather than an interact or message signing action.
Attack Use Case
Perhaps the most famous ice phishing attack to date is that of BadgerDAO where bad actors were able to steal over $100 million from unsuspecting users.
They did this by compromising the BadgerDAO web app and injecting some malicious code which duped users into signing a transaction which delegated control of the ERC20 tokens in their wallet. As such when users attempted to interact with BadgerDAO under the impression that they were depositing tokens to earn a yield, instead the transaction they were signing was allowing the attackers to have full access to their funds. Over 10 hours on December 2nd 2021 the attackers drained funds from victim’s accounts and deliberately targeted those with larger balances, modifying their script throughout the day in an attempt to avoid detection. BadgerDAO eventually spotted the burglary and paused the smart contract but not before the exploiters had managed to siphon $121m from 200 accounts.
How to Protect Yourself
- When signing a transaction in Metamask or any other wallet it is important to read the details of the transaction and ensure it’s going to initiate the operations you expect.
- When you are sending funds or approving access to cryptoassets in your account you should check the contract hash in Etherscan or by using a blockchain analytics tool to ensure it’s the entity you expect.
- Always access dApps and services via the verified URL to avoid phishing links and domain squatters. If in doubt, you can often find the project URL on their verified Twitter account.
- Always ensure you are speaking with official representatives of a company and be wary of anyone who reaches out on social media, Discord etc as customer service assistants. When in doubt contact the project using officially recognised email and social media accounts to check.
- Segregate your cryptoassets and keep long term holdings like more valuable NFTs in cold storage and funds for transactions and more active dApps in a different hot wallet.
Originally published at https://www.linkedin.com.