Microsoft Warns of Ice Phishing

According to a recently published article by the Microsoft 365 Defender Research Team threat actors are quickly making great strides in targeting new emergent web technologies to conduct attack campaigns. Threat actors have now moved to target blockchain and Web3 applications with credential phishing campaigns. Web3 is the term used to define the emerging decentralized web built on the cryptographic foundations that enable blockchain technology to operate.

Credential phishing is nothing new and has plagued the more centralized web, now referred to as Web 2.0. As Microsoft researchers noted,

“Credential phishing haunts our customers day in and day out in the web2 world, which is the version of the internet that most of us are familiar with and use today. It’s a profitable business for cybercriminals, even if margins are slim and there’s significant risk associated with monetizing credentials to a business (for example, through human-operated ransomware attacks).”

Regarding the latest attempts to steal credentials on Web3 applications, the fear is that an actor almost single-handed can steal a large chunk of the 2.2 trillion USD cryptocurrency market capitalization and do so with almost complete anonymity.

microsoft warns about ice phishing attacks

This is not some fear for the future, a quick perusal of Rekt, a site dedicated to releasing information on Web3 hacks that have caused significant financial losses, shows that Web3 applications are getting “rekt” multiple times a month.

Given the popularity of cryptocurrency, and the boom in value many coins could show, the idea of a Blockchain and how to exploit it became a popular pastime for cybercriminals, numerous scams to celebrities having their Twitter accounts hijacked and used to promote scams.

Further, crypto exchange hacks have resulted in hundreds of millions worth of dollars disappearing in an instant. Blockchain, DeFi,  and crypto have long been targeted for threat actors, however, the specific targeting of Web3 applications for credential theft shows a maturing in capabilities not reliant on older scam techniques.

Badger DAO Attack

The event that prompted Microsoft researchers to pay more attention to the lack of security within the Web3 domain was the Badger DAO attack that occurred in November - December 2021. Rekt journalists summarized the attack as follows,

“An unknown party inserted additional approvals to send users' tokens to their own address. Starting from 00:00:23 UTC on 2.12.2021, the attacker used this stolen trust to fill their own wallet.
As the news of users’ addresses being drained reached Badger, the team announced they had paused the project’s smart contracts, and the malicious transactions began to fail around 2 hours 20 mins after they had begun.
BadgerDAO’s aim is to bring Bitcoin to DeFi. The project is made up of various vaults for users to earn yield on wrapped BTC variants on Ethereum.
The vast majority of stolen assets were vault deposit tokens which were then cashed out, with the underlying BTC bridged back to the Bitcoin network, and any ERC20 tokens remaining on Ethereum.”

The Badger DAO attack was a result of a technique called ice phishing which will be discussed below. In the attack, the threat actor managed to compromise the Badger smart contract front-end infrastructure, in particular, its Cloudflare portion. This allowed the attacker to inject malicious script into the Badger smart contract front end.

This script requested users to sign transactions granting ERC-20 approvals to the attacker’s account with the wallet address 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107. Note that based on blockchain explorer Etherscan, the attacker’s account has been active since 2018 and associated with a variety of phishing-related attacks and cryptocurrency scams.

ERC-20 approvals involve first the approval of tokens before a price is set for selling any amount of token the seller wants. This approval process must be completed to place a token order on the books. Microsoft researchers noted,

“The script was first injected into app.Badger.com on November 10, 2021, but the injection was inconsistent, only targeting wallets with certain balance and modifying the script periodically. Injection stopped on December 2, 2021, at 12:31:37 AM (UTC)...On November 21, 2021, the first funds were transferred by the attacker (possibly a test transaction). On December 2, 2021, at 12:48:25 AM, actual funds were drained from victims’ accounts. This draining of funds continued until 10:35:37 AM that day. Badger paused contracts (where possible) starting at 03:14:00 AM, causing some of the attacker’s transactions to fail. In the end, the attacker was able to drain 121 million US dollars from almost 200 accounts within 10 hours.”

Returning to how the attack was carried out using the ice phishing technique. The technique unlike other web3 phishing techniques is not reliant on stealing private keys to wallets.

Rather, a user is tricked into signing a transaction that delegates approval, like an ERC-20 approval for example, of the user’s tokens to the attacker. To successfully carry out an ice phishing attack, the threat actor needs to modify the spender address to the attacker’s address.

Given that many platforms will not display any modifications to addresses on the platform’s user interface, there is little to inform the victim that something is wrong until their funds have been stolen.

Further, once the approval transaction has been signed, submitted, and mined, the spender can access the funds. In case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a short period and then drain all victim’s wallets quickly, as was the case in the Badger DAO attack.

Microsoft researchers concluded that even though the BAdger DAO attack occurred in late 2021 there have been several ice phishing attacks since then. Attacks on Web3 and Blockchain infrastructure will rise with the emergence of the technologies and broader adoption on the horizon.

Researchers advise that there needs to be a continued examining this emerging tech, sharing findings with the broader community, and helping improve security through both secure code and informed security products.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal