There have been a lot of discussions in the digital world about whether or not transferring money with anonymity comes with a lot of risks. Albeit it does. In recent times, a rising phishing scam termed “ice phishing attack” has been making rounds on the internet. The crypto market has been exploding right under our noses, with more and more people registering themselves anonymously on the Blockchain to raise crypto funds and multiply their finances. While it all sounds pretty magical, that is not so much the case in reality.
Microsoft has recently issued a warning for users about a possible variant of phishing attack that targets the Blockchain and Web3 environment, specifically. This brand new and alarming Blockchain scam has been termed “Ice Phishing”.
For our non-crypto readers, here is a brief summary of some basic concepts before we dive into what “Ice Phishing” is:
Data Decentralization and the Blockchain
Data decentralization refers to a data model wherein the authority over data entities is dispersed over a distributed network, instead of being concentrated in the hands of a specific body/bodies. It stays true to the fact: “every man to himself”, by reducing the interdependency among data handling parties.
Blockchain can be defined as a decentralized database that primarily functions as a storage unit for cryptocurrency transactions. Being a secure environment that is digitally distributed and deconcentrated, it maintains the anonymity of participants during transactions and also preserves a record of the same. All information on the Blockchain is stored electronically and in a secure space that cannot be accessed by third parties.
The Blockchain stores distributed ledgers that cannot be altered once added. Each “block” operates as a separate storage unit containing a set of transactional information within a limited space. Once the block gets filled up a new block is created to add the next set of records, which is then linked to the previous block. This forms a chain of databases that gives the Blockchain its signature name.
Web3.0 and the possible risks associated with it
Built on the foundation of Blockchain technology, Web3.0, or Web3 as it is commonly known, is a decentralized web environment that allows users to interact with and scale their investments while offering more privacy to their data. In Web3, data is decentralized and encrypted with the help of a private key that only the user has access to.
Unlike Web2, where data is stored on centralized servers that are supervised by a group of big tech companies, Web3 offers more in terms of security and scalability and is quickly becoming the next big thing in the crypto market.
However, it is important to note that Web3 is still in its nascent phase, and requires quite a lot of development. Much like Web1.0 and Web2.0, it isn’t immune to data breaches or security challenges. The lack of centralization also highlights the absence of data regulation in Web3 that paves the way for malicious activities.
Ice Phishing attacks detected by Microsoft on the Blockchain
You may wonder that if the Blockchain and Web3 are such secure environments, how are phishing attacks still wreaking havoc in the crypto world? The answer is- through social engineering.
Attackers are just as smart as they are evil. As noticed by Microsoft security analysts, the perpetrators are getting a malicious smart contract signed by unsuspecting users that would redirect tokens from non-custodial wallets to an attacker-controlled address instead of their own. Due to the lack of transparency on the transactional interface in Web3, it is quite difficult to detect or track the displacement of tokens.
Sounds familiar? Phishing emails sent by attackers to defraud companies make use of similar tactics.
As suggested by security researchers at Microsoft, to prevent “Ice Phishing” one can take a few cautionary steps which include thoroughly checking whether the smart contract you’re signing is audited and unchangeable, and also verifying its security features on it.
I am not a Blockchain user, should I still be concerned?
Yes! While “Ice phishing” is a unique variant of phishing that feeds on Blockchain and Web3 vulnerabilities, various other forms of phishing may affect individuals at every level. These are a few:
Ever came across an email that sounds too good to be true? Like a 90% discount on your favorite deals, or winning a lottery? While some are easy to detect as the sender address looks suspicious, what if you receive the same email from a trusted source whose services you rely on, on a daily basis? You will click on the email.
In an email phishing attack, the attacker spoofs the sender address to look like it is coming from a legitimate source to steal user credentials or inject ransomware. It can cause enterprise-level data breaches, identity thefts, and more.
Decision-makers in an organization, like the CEO, are most likely to be impersonated. This is because they have access to sensitive information like no other. CEO fraud refers to phishing emails that impersonate the CEO to fool employees into transferring funds or disclosing confidential data.
Whaling and Spear Phishing
Highly-targeted forms of phishing attacks, whaling and spear phishing target specific individuals within an organization to defraud the company. Similar to CEO fraud, they are very hard to detect or bypass as they use advanced social engineering tactics.
How to protect your organization against Phishing?
DMARC can help! Using email authentication solutions like DMARC will enable you to deploy a robust anti-phishing posture at your organization. A DMARC policy not only helps evade phishing but also provides a high degree of security against direct-domain spoofing and ransomware attacks perpetrated via fake emails.
PowerDMARC is your one-stop DMARC software solution, on a mission to take the guesswork out of email security. Our solutions are easy to implement, come at competitive market prices, are completely safe, and highly effective! We have helped 1000+ global brands fight against phishing, and migrate to a safer email experience within months of deployment. Join us today by taking a free DMARC trial!.