CertiK, a blockchain security company, has warned the crypto community to be on the lookout for "ice phishing" scams, a type of scam that targets Web3 users and was first identified by Microsoft earlier this year.
CertiK described ice phishing scams in a Dec. 20 analysis report as a threat that tricks Web3 users into signing permissions, allowing a scammer to spend their tokens.
This is distinct from traditional attacks, which attempt to gain access to sensitive data such as private keys or passwords; the fake sites set up to assist FTX investors in recovering funds lost on the exchange are one example.
An elaborate ice phishing scam was used on December 17, when 14 Bored Apes were stolen. An investor was persuaded to sign a transaction request disguised as a film contract, allowing the scammer to sell all of the user's apes to themselves for a pittance.
According to the firm, this type of scam is a significant threat found only in the Web3 world, because investors are frequently required to sign permissions for the decentralized finance (DeFi) protocols they interact with, and these permission requests can be easily faked.
"The hacker only needs to persuade the user that the malicious address to which they are granting permission is legitimate. Once a user has granted the scammer permission to spend tokens, the assets are at risk of being drained."
Once a scammer has obtained approval, they can transfer assets to any address they want.
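As an added illustration (not from CertiK's or Microsoft's reports), the Python sketch below shows a check a wallet or user-side tool could run before signing: it decodes raw transaction calldata and flags standard ERC-20/ERC-721 approval calls that grant spending rights to an address outside a trusted list. The selectors are the standard ones for those functions; the sample calldata, the addresses and the `trusted_spenders` list are constructed assumptions, and signed off-chain orders like the one in the Bored Ape case are outside its scope.

```python
# Added example: selectors are the standard ERC-20/ERC-721 ones; sample data is constructed.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1

def decode_approval(calldata_hex):
    """Return function, spender and value for an approval call, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    sig = APPROVAL_SELECTORS.get(data[:8])
    # An approval call carries a 4-byte selector plus two 32-byte arguments.
    if sig is None or len(data) < 8 + 128:
        return None
    try:
        spender_word = data[8:72]
        int(spender_word, 16)            # reject non-hex input
        value = int(data[72:136], 16)
    except ValueError:
        return None
    # An address is the low 20 bytes of its 32-byte word.
    return {"function": sig, "spender": "0x" + spender_word[24:], "value": value}

def review(calldata_hex, trusted_spenders):
    """List the reasons to stop and check before signing (empty if none)."""
    info = decode_approval(calldata_hex)
    if info is None:
        return []
    warnings = []
    if info["spender"] not in {a.lower() for a in trusted_spenders}:
        warnings.append("spender not in trusted list")
    if info["function"].startswith("setApprovalForAll"):
        if info["value"] != 0:
            warnings.append("operator control over every NFT in the collection")
    elif info["value"] == MAX_UINT256:
        # On an ERC-20 token this is an unlimited spending allowance.
        warnings.append("unlimited allowance")
    return warnings

# Constructed sample: approve(spender=0xabab...ab, amount=2**256-1)
SAMPLE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32

if __name__ == "__main__":
    print(decode_approval(SAMPLE))
    print(review(SAMPLE, trusted_spenders=[]))
```

An empty result only means the calldata is not one of these three approval calls; it says nothing about other kinds of signature requests.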
Additionally, addresses that users intend to interact with should be checked for suspicious activity on these blockchain explorers. CertiK cites an address funded by Tornado Cash transactions as an example of suspicious activity in its analysis.
CertiK also advised users to only interact with official sites they can verify and to be especially cautious of social media sites such as Twitter, citing a fake Optimism Twitter account as an example.
The company also advised users to check a trusted site such as CoinMarketCap or Coingecko, where they would have discovered that the linked URL was not legitimate and should be avoided.
Microsoft was the first to highlight this practice in a Feb. 16 blog post, stating that while credential phishing is common in Web2, ice phishing allows individual scammers to steal a portion of the crypto while maintaining almost complete anonymity.
They suggested that Web3 projects and wallet companies increase the software security of their services to avoid putting the burden of avoiding ice phishing attacks solely on the end-user.