According to Christian Seifert, principal research manager at Microsoft’s Security and Compliance department, “one aspect that the immutable and public blockchain provides is complete transparency, so an attack can be observed and researched after it occurs. It also allows for the financial impact of attacks to be analyzed, which is difficult in classic web2 phishing attempts.”
Microsoft has issued a warning about growing risks in the Web3 ecosystem, including “ice phishing” operations. The Microsoft 365 Defender Research Team identified a number of new ways that malicious actors could try to dupe cryptocurrency users into handing over their private cryptographic keys and committing unauthorised financial transfers.
To approach bitcoin users and trick them into giving up their private keys, a variety of methods can be used:
- Monitoring social media for users who contact wallet software support, then replying with direct messages that impersonate that support team in order to steal the user's private key.
- Giving out new tokens for free to a group of accounts (i.e., “airdrop” tokens), then failing transactions on those tokens with an error message that redirects to a phishing website, or to a website that installs coin-mining plugins that steal credentials from the local device.
- Copying and spoofing legitimate smart contract front ends.
- Pretending to be wallet software and directly stealing private keys.
Researchers reported that, “The spender can access the cash once the permission transaction has been signed, filed, and mined. In the instance of an ‘ice phishing’ assault, the attacker can gather approvals over time and then swiftly drain all of the victim’s wallets.”
The injected script was designed to intercept Web3 transactions from wallets holding above a certain balance and insert a request to transfer the victim’s tokens to an address specified by the attackers.
To reduce these threats, Microsoft advises users to review and audit smart contracts for proper incident response or emergency capabilities, and to reassess and revoke token allowances on a regular basis.
In early December 2021, a high-profile attack on the Ethereum-based DeFi platform BadgerDAO was discovered, in which the adversary was able to drain $121 million in funds using a maliciously injected snippet and a compromised API key.
Finally, the researchers concluded that, “The attacker used a compromised API key that was created without the knowledge or authority of Badger developers to deploy the worker script. The attacker(s) use this API access to inject malicious code into the Badger application on a regular basis, affecting only a small portion of the user base.”
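The approval mechanism behind ice phishing, and the revoke-allowances advice above, can be made concrete with a small check that a wallet or monitoring script could run before a user signs. This is an added example, not code from Microsoft or from any wallet: it decodes ERC-20 `approve(address,uint256)` calldata, flags an unlimited or oversized allowance to a spender not on an assumed allow-list, and builds the `approve(spender, 0)` calldata that revokes it. The spender address and balance are constructed sample values.

```python
# Added example: inspect an ERC-20 approve() call before it is signed, and
# build the matching revoke. Selector and ABI layout are the ERC-20 standard;
# the trusted-spender list, sample spender and balance are assumptions.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = (1 << 256) - 1   # the "unlimited" allowance many dApps request

def decode_approve(data: str):
    """Return (spender, amount) from approve() calldata, or None if not approve()."""
    data = data.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    # Each ABI argument occupies a 32-byte word; an address is right-aligned in it.
    spender = "0x" + data[8 + 24:8 + 64]
    amount = int(data[8 + 64:], 16)
    return spender, amount

def assess_approval(data: str, trusted_spenders: set, balance: int) -> str:
    """Classify an approval request as 'ok', 'review' or 'block'."""
    decoded = decode_approve(data)
    if decoded is None:
        return "ok"  # not an approval; other call types are out of scope here
    spender, amount = decoded
    if spender in {s.lower() for s in trusted_spenders}:
        return "ok"
    if amount == UINT256_MAX or amount > balance:
        # Unknown spender asking for more than the wallet holds: the pattern an
        # ice-phishing front end relies on to drain the wallet later.
        return "block"
    return "review"

def revoke_calldata(spender: str) -> str:
    """Build approve(spender, 0) calldata, which revokes an existing allowance."""
    word = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + word + "0" * 64

# Constructed sample (not a real transaction): unlimited approval to an unknown spender.
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_APPROVE = "0x" + APPROVE_SELECTOR + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    print(assess_approval(SAMPLE_APPROVE, trusted_spenders=set(), balance=1_000))
    print(revoke_calldata(SAMPLE_SPENDER))
```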