IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft releases analysis of Web3 'ice phishing' attack

New phishing method targets an immature technology stack on the next generation of the internet

A shot from above of a hole drilled into an ice lake

Microsoft’s 365 Defender Research Team has detailed the latest strain of phishing attacks designed to target the nascent technology underpinning Web3 – the so-called decentralised third generation of the internet.

Dubbed ‘ice phishing’, the attack method involves hijacking the normal approval process that handles the secure transaction of tokens, such as cryptocurrency, over a blockchain.

Ice phishing was first observed by Microsoft between November and December 2021 when the Badger DAO platform was hacked and $121 million worth of users’ assets were stolen.

Badger DAO is a platform that allows users to deposit Bitcoin and earn interest on their deposits using a variety of yield farming strategies. It uses a decentralised finance (DeFi) protocol called Badger and currently has $978 million total volume locked, according to Microsoft.

The Ethereum blockchain, on which the Badger DAO attack occured, hosts cryptocurrencies that use the ERC-20 standard to create and issue smart contracts that can be then used to securely transfer assets over the blockchain.

This standard can be seen as a set of functions that, when executed, facilitate a blockchain transaction. One of these functions is to initiate a smart contract that moves assets on behalf of the user.

The owner of the asset is automatically approved to make the transaction but they can also delegate approval to additional entities such as smart contracts. It's this process that ice phishing aims to exploit.

How ice phishing works

Historical methods of stealing assets from secured cryptocurrency wallets have typically relied on social engineering to deceive users into relinquishing their private keys to the attacker, allowing them to access their wallet and drain the funds.

Related Resource

Modernise your server infrastructure for speed and security

Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation

Whitepaper cover with title and block dark green rectangle with grey and white arrow graphicsFree Download

Ice phishing does not involve stealing a user’s private keys. Instead, it involves tricking a user into signing a transaction that delegates approval of the user’s tokens to the attacker.

In the case of the Badger DAO attack, the platform’s front-end infrastructure was compromised which allowed the attacker to inject malicious code into the Badger smart contract front end. This code requested users to sign transactions granting ERC-20 approvals to the attacker’s account.

As is often the case with these types of platforms, the user interface (UI) for Badger DAO does not show enough information to indicate whether a transaction has been tampered with, according to Microsoft.

Attackers both compromise these platforms’ infrastructures and leverage the basic UI to fool users into granting transaction approval to the attacker’s wallet.

A screenshot of a decentralised exchange platform's UI

Microsoft

Using a transaction on the Uniswap platform – a decentralised token exchange allowing users to swap Ethereum-based cryptocurrency tokens for other tokens – as an example, Microsoft showed the typical UI presented to the user, and how the information needed to determine if a transaction has been tampered with is usually hidden.

In the above example, the user isn’t able to determine if the ‘spender’ - the account to be authorised - is the router owned by the platform or an address owned by an attacker.

“Once the approval transaction has been signed, submitted, and mined, the spender can access the funds,” said Microsoft. “In case of an ice phishing attack, the attacker can accumulate approvals over a period of time and then drain all victim’s wallets quickly.

“This is exactly what happened with the Badger DAO attack that enabled the attacker to drain millions of US dollars in November-December 2021.”

Future Web3 risks

Microsoft said the Web3 stack is still in its infancy and as such, bears risks for users. The Badger DAO attack was significant and one of the largest hacks of its kind in terms of the number of assets stolen.

Attacks like these are likely to continue, said Microsoft, though transactions of this kind, on the blockchain, are public which makes investigating the incidents easier.

Identifying such attacks is possible and can even be automated. A public blockchain also allows investigators to see how much has been stolen – something that is typically difficult in traditional, web2-based phishing attacks.

Featured Resources

What 2023 will mean for the industry

What do most IT decision makers really think will be the important trends and challenges in the coming year?

Free Download

2022 Magic quadrant for Security Information and Event Management (SIEM)

SIEM is evolving into a security platform with multiple features and deployment models

Free Download

IDC MarketScape: Worldwide unified endpoint management services

2022 vendor assessment

Free Download

Magic quadrant for application performance monitoring and observability

Enabling continuous updating of diverse & dynamic application environments

View Now

Recommended

Google to cut global workforce by 12,000 roles
Careers & training

Google to cut global workforce by 12,000 roles

20 Jan 2023
Windows 11 System Restore bug preventing users from accessing apps
Microsoft Windows

Windows 11 System Restore bug preventing users from accessing apps

19 Jan 2023
Microsoft releases scripts to restore shortcuts deleted in faulty Windows Defender update
Microsoft Windows

Microsoft releases scripts to restore shortcuts deleted in faulty Windows Defender update

16 Jan 2023
Windows Defender update deletes Start Menu, Taskbar, Desktop shortcuts
Microsoft Windows

Windows Defender update deletes Start Menu, Taskbar, Desktop shortcuts

13 Jan 2023

Most Popular

Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
GTA V vulnerability exposes PC users to partial remote code execution attacks
vulnerability

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023
European partners expect growth this year, here are three ways they will achieve it
Sponsored

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023