Blockchain ice phishers are on the loose, says Microsoft

As widespread and beloved as cryptocurrency has become in some corners of the web (and the world at large), learning how to mine crypto isn’t without risks. For example, what if your stockpile of virtual currency scores the attention of a cybercriminal hoping to pull off a blockchain-based phishing attack?

For those not in the loop, the web2 phishing attacks of old have been revamped to fit the realm of web3. For a quick refresher on what web3 means, here’s Microsoft’s definition: “Web3 is the decentralized world that is built on top of cryptographic security that lays the foundation of the blockchain (in contrast, web2 is the more centralized world). In web3, funds you hold in your non-custodial wallet are secured by the private key that is only known to you. Smart contracts you interact with are immutable, often open-source, and audited.”

So how does ice phishing on the blockchain work, then? It’s all about fooling someone into approving fund transfers via seemingly legitimate transactions that have been subtly meddled with (in ways transaction user interfaces don’t always display), allowing criminals to redirect funds to themselves. The icing on the cake of this swindle is that a criminal can gradually build up a stockpile of these approvals only to rapidly empty victims’ wallets in one fell swoop, leaving the violated parties high and dry out of the blue.

You can read up on the weeds of ice phishing operations over at Microsoft’s blog post discussing the topic. Though if you want a highlight of the strategies the company advises to avoid being ice phished, they include: Don’t trust the front-end of smart contracts, get your contract audited, and use multiple crypto wallets.