Ice Phishing is a new trick used by cryptojackers that is aimed exclusively at users of Web 3.0 products.
Blockchain security experts at CertiK warned users about a new type of scam called Ice Phishing. These attacks differ significantly from all previously known crypto frauds, as they don’t involve acquiring personal data or private keys.
Ice Phishing uses elements of social engineering and hacking. The scammer tricks the victim into signing a transaction that delegates permission to transfer crypto-assets via a smart contract. The attacker can then use the user’s assets as desired.
A prime example of an Ice Phishing attack was the theft of 14 NFTs from the Bored Ape Yacht Club (BAYC) collection, the sale of which earned the hackers 852 ETH (~$1.07 million). The scammer forced the user to sign “permission” to use their NFTs for filming. As a result, the attacker managed to sell all of the user’s NFTs to themselves for a minimal amount of money.
Due to the specific nature of such attacks, analysts called Ice Phishing a “considerable threat” seen only in the Web 3.0 space. To protect your digital assets from it, you should check all transactions whose signature requests come from unverified sources. Services such as Etherscan can be used for this purpose.
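The check described above can be partly automated by decoding a transaction's calldata before signing it. The following is an added example, not code from CertiK or the original article; it recognizes the standard ERC-20/ERC-721/ERC-1155 approval selectors, while the function name inspect_calldata, the trusted set, the risk labels and the sample operator address are assumptions made for illustration.

```python
# Added example: decode a pending transaction's calldata and flag delegation of
# transfer rights. Selectors are the standard ERC-20/ERC-721/ERC-1155 ones.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 amount or ERC-721 token id
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator
}
MAX_UINT256 = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20


def inspect_calldata(calldata_hex, trusted=frozenset()):
    """Describe the delegation in calldata_hex, or return None if it is not an approval.

    trusted: lowercase addresses the user has already verified (assumption of this example).
    """
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = APPROVAL_SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    if len(args) < 128:  # two 32-byte ABI words are required
        raise ValueError("truncated approval calldata")
    spender = "0x" + args[24:64]   # address is right-aligned in its 32-byte word
    value = int(args[64:128], 16)  # amount, token id, or bool
    approve_all = signature.startswith("setApprovalForAll")
    if approve_all:
        grants = value != 0
        scope = "every token in the collection" if grants else "none (revocation)"
    else:
        grants = spender != ZERO_ADDRESS  # approving the zero address clears an approval
        scope = "unlimited amount" if value == MAX_UINT256 else f"amount or token id {value}"
    if not grants:
        risk = "revoke"
    elif spender in trusted:
        risk = "known-spender"
    elif approve_all or value == MAX_UINT256:
        risk = "high"
    else:
        risk = "review"
    return {"function": signature, "spender": spender, "scope": scope, "risk": risk}


# Constructed sample: setApprovalForAll(operator, true) to a placeholder address.
OPERATOR = "0x" + "ab" * 20
SAMPLE = "0xa22cb465" + OPERATOR[2:].rjust(64, "0") + "1".rjust(64, "0")

if __name__ == "__main__":
    print(inspect_calldata(SAMPLE))
```

A "high" or "review" result means the spender address should be looked up on a block explorer such as Etherscan before the request is signed.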
CertiK analysts point out that addresses with suspicious activity are often involved in Ice Phishing, for example an address that was funded by Tornado Cash withdrawals. Analysts also note that Ice Phishing is most often found on social media, so users looking to avoid having their funds stolen this way should carefully check all the links that unfamiliar contacts on Discord, Twitter, or Instagram ask them to follow.
Incidentally, social networks were recognized in 2022 as the tool most commonly used by crypto scammers. Earlier, CertiK analysts focused their attention on the increasing number of fraudulent YouTube videos.