Ice phishing is a type of scam that only exists in Web3 and poses a “significant threat” to the crypto community, according to the firm.
CertiK, a blockchain security company, has warned the crypto community to be on the lookout for “ice phishing” scams, a type of phishing scam that targets Web3 users and was first identified by Microsoft earlier this year.
CertiK described ice phishing scams in a Dec. 20 analysis report as an attack that tricks Web3 users into signing permissions, allowing a scammer to spend their tokens.
This is distinct from traditional phishing attacks, which attempt to gain access to confidential information such as private keys or passwords; an example is the fake websites set up to assist FTX investors in recovering funds lost on the exchange.
An elaborate ice phishing scam was used on December 17, when 14 Bored Apes were stolen. An investor was persuaded to sign a transaction request disguised as a film contract, allowing the scammer to sell all of the user’s apes to themselves for a pittance.
This type of scam, according to the firm, is a “significant threat” found only in the Web3 world, because investors are frequently required to sign permissions for the decentralised finance (DeFi) protocols they interact with, and such requests can be easily faked.
“The hacker only needs to persuade the user that the malicious address to which they are granting permission is legitimate. Once a user has granted the scammer permission to spend tokens, the assets are at risk of being drained.”
Once a scammer has obtained approval, they can transfer assets to any address they want.
To protect themselves from ice phishing, CertiK advised investors to revoke permissions for addresses they don’t recognise, using a token approval tool on blockchain explorer sites like Etherscan.
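As an added illustration (not from CertiK's report or the original article), the check below decodes a transaction's calldata before signing and warns when it grants spending permission. It assumes the permissions in question are the standard ERC-20 `approve` and ERC-721/ERC-1155 `setApprovalForAll` calls, which the article does not name; the function names and sample addresses are constructed.

```python
# Added example (not from the article or CertiK).
# Assumption: "permissions" means the standard ERC-20 approve and
# ERC-721/ERC-1155 setApprovalForAll calls, identified by their selectors.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
UNLIMITED = 2**256 - 1

def decode_approval(calldata_hex):
    """Return the decoded approval as a dict, or None if it is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 2 * 64 or data[:8] not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    try:
        int(data[8:72], 16)              # first argument word must be hex
        value = int(data[72:136], 16)    # amount, or the bool flag
    except ValueError:
        return None
    kind = "approve" if data[:8] == APPROVE else "setApprovalForAll"
    # An address is the low 20 bytes of the first 32-byte argument word.
    return {"kind": kind, "spender": "0x" + data[32:72], "value": value}

def review(calldata_hex, trusted_spenders):
    """Return warnings to show before the user signs this transaction."""
    call = decode_approval(calldata_hex)
    # None: not an approval. Zero: a revocation (ERC-20 amount 0 or bool false).
    # ERC-721 approve shares the selector; there the value is a token id.
    if call is None or call["value"] == 0:
        return []
    warnings = []
    if call["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not a recognised address: " + call["spender"])
    if call["kind"] == "setApprovalForAll":
        warnings.append("operator may transfer every token in this collection")
    elif call["value"] == UNLIMITED:
        warnings.append("allowance is unlimited")
    return warnings

# Constructed sample calldata; the addresses are made up.
PAD = "00" * 12
SAMPLE_APPROVE = "0x" + APPROVE + PAD + "ab" * 20 + "ff" * 32
SAMPLE_NFT = "0x" + SET_APPROVAL_FOR_ALL + PAD + "cd" * 20 + "00" * 31 + "01"
SAMPLE_REVOKE = "0x" + APPROVE + PAD + "ab" * 20 + "00" * 32

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVE, SAMPLE_NFT, SAMPLE_REVOKE):
        print(decode_approval(sample), review(sample, ["0x" + "AB" * 20]))
```
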