The blockchain, decentralised technologies, DeFi, smart contracts, the concept of a “metaverse,” and Web3 — a decentralised foundation built on top of cryptographic systems that underpins blockchain projects — all have the potential to transform how we think about and experience connectivity today. However, with every technological advancement, cybercriminals may gain new access points, and Web3 is no exception. Mass spam and phishing via email and social media platforms, social engineering, and vulnerability exploitation are among the most prominent dangers today.
Phishing, in particular, has made its way to the blockchain, custodial wallets, and smart contracts, according to the Microsoft 365 Defender Research Team, “reaffirming the durability of these threats as well as the need for security fundamentals to be built into related future systems and frameworks.”
Phishing attacks targeting Web3 and the blockchain, according to Microsoft’s cybersecurity researchers, can take a variety of shapes. An attacker attempting to gain the private cryptographic keys to access a wallet containing digital assets is one of the hazards to be aware of. While phishing scams via email do occur, social media frauds are rampant. Scammers may, for example, send direct messages to users who have publicly asked for help from a bitcoin service, and then ask for the key while posing as a member of the support team.
Another strategy is to offer false free token airdrops on social networking sites; when users try to access their new assets, they are sent to malicious domains that aim to steal passwords or run cryptojacking malware payloads on the victim’s laptop. Cybercriminals have also been found to use typo-squatting to imitate reputable blockchain and cryptocurrency services. They register website domains with minor typos or alterations, such as cryptocurency.com instead of cryptocurrency.com, and put up fake websites to steal sensitive information.
Approval transactions can be utilised in DeFi setups and smart contracts, for example to allow for token swaps. “The spender can access the funds once the approval transaction has been signed, filed, and mined,” Microsoft explained. “In the instance of an ‘ice phishing’ attack, the attacker can gather approvals over time and then suddenly empty all victims’ wallets.”
Last year’s BadgerDAO hack was the most high-profile incident of ice phishing. Attackers were able to gain access to a Cloudflare API key by compromising the BadgerDAO front-end, and malicious scripts were then injected — and withdrawn — from the Badger smart contract.
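The approval transaction in Microsoft's description can be inspected before it is signed. The following is an added example, not code from Microsoft or from this article: it assumes the token follows the ERC-20 standard, where an approval is a call to approve(spender, amount), and the trusted-spender list and sample addresses are constructed for illustration.

```python
# Added example: pre-signing check for ERC-20 approval calldata (assumes ERC-20).
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1                      # the "unlimited" allowance value

def decode_approve(calldata_hex):
    """Return (spender, amount) for an ERC-20 approve call, else None.
    Raises ValueError if the input is not valid hex."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    # Exact layout: 4-byte selector + two 32-byte ABI words.
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):  # a 20-byte address is left-padded with zeros
        return None
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")

def review_transaction(calldata_hex, trusted_spenders):
    """Return the warnings a wallet could show before the user signs."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return []  # not an approval; other checks would apply
    spender, amount = decoded
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"grants spending rights to unrecognised address {spender}")
    if amount == MAX_UINT256:
        warnings.append("allowance is unlimited (2**256 - 1)")
    return warnings

def sample_calldata(spender, amount):
    """Build approve() calldata for the constructed samples below."""
    return "0x095ea7b3" + spender[2:].rjust(64, "0") + format(amount, "064x")

# Constructed sample values, not real contracts or wallets.
TRUSTED_SPENDER = "0x" + "11" * 20   # hypothetical exchange router the user knows
UNKNOWN_SPENDER = "0x" + "22" * 20   # hypothetical address the user never chose
SAMPLE_BOUNDED_TRUSTED = sample_calldata(TRUSTED_SPENDER, 500)
SAMPLE_UNLIMITED_UNKNOWN = sample_calldata(UNKNOWN_SPENDER, MAX_UINT256)

if __name__ == "__main__":
    for name, tx in [("bounded/trusted", SAMPLE_BOUNDED_TRUSTED),
                     ("unlimited/unknown", SAMPLE_UNLIMITED_UNKNOWN)]:
        print(name, review_transaction(tx, [TRUSTED_SPENDER]) or "no warnings")
```

A signed approval stays in force until the owner replaces it, so the same decoder can be run over a wallet's past transactions to list the spenders that still hold allowances.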