Scam Bucket: Ice Phishing

It may not even be illegal, yet

The most interesting scam we’ve found is brand new. It’s called “ice phishing” and it involves taking advantage of the disconnect between language and code.

Phishing involves combining social media, emails, texting, and phone calls with data mining and tricking victims into giving up personal information or money, sometimes both. It is considered wire fraud and carries heavy criminal penalties if the scammer is caught. Ice phishing, on the other hand, involves using decentralized finance (DeFi) technology to steal cryptocurrency. And it may not be illegal.

Decentralizing financial transactions eliminates middlemen, like lawyers, banks and brokers, so humans don’t get involved. A “smart contract” is the mechanism for paying for something with cryptocurrency. The contract contains not just the legal language for the transaction but a significant amount of code that establishes how much money can be transferred and to whom. The problem comes when the code doesn’t match the language.

Contract code conflicts

Contracts are generally written with legal counsel. Even the boilerplate kinds of contracts from the internet had a lawyer helping develop it. So bypassing a lawyer is not hard. But few lawyers know how to code, much less be able to tell when there are discrepancies between the written contract and the underlying code.

Cryptocurrency resides in a digital “wallet,” which is just a blockchain ledger, secured by a private key. With a custodial wallet, only the organization managing the wallet has the key. That means when the organization is breached the currency is at risk. With non-custodial wallets, only the user has the private key, so there is less chance of someone hacking into your wallet. However, the person using a non-custodial wallet is exactly the kind of person an ice phisher is looking for.

According to a recent statement from Microsoft, “Ice phishing doesn’t involve stealing one’s private keys. Rather, it entails tricking a user into signing a transaction that delegates approval of the user’s tokens (a denomination of cryptocurrency) to the attacker. This common type of transaction enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens.”

Changing the address

The attacker merely modifies the spender address in the code to the attacker’s address. because it is in the code, it isn’t readable in the legal contract and because almost no one reads contracts it’s easy to get past the spender. Once the victim signs, the attacker can drain the victim’s wallets quickly. In November 2021, the FBI warned that cybercriminals used Bitcoin ATMs and QR codes to get victims to complete payment transactions.

As mentioned, custodial wallets are not any safer. The $120m attack on BadgerDAO, resulted from a malicious injected script prompting users of the BadgerDAO web app to delegate the attacker to conduct transactions for them.

But here’s the rub: If the victim has approved the smart contract, even if the text and the code don’t match, there is a question regarding whether this is a crime. It is a contract and saying you didn’t know what was in it is not defensible. Moreover, unless your policy specifically calls this scam out, it is uninsured, according to Gerry Kennedy, CEO of Observatory Holdings, Inc., a research company for the insurance industry. Kennedy pointed out the best way to defend yourself is, “Find a lawyer who knows how to code,” he said.

Zero Trust is the best defense

Ice phishing is like regular phishing in that the scammers use social engineering to find their marks. They scan social media for people asking for help with wallet software. Then they respond with spoofed support messages to get the victim to give up private keys. They also offer free tokens that fail with an error message and redirects to a phishing site or malware installer. And there’s impersonating legitimate smart contract front ends or wallet software to nab private keys directly.

Technologically there isn’t much available for this kind of fraud. Microsoft has created Forta, an open-sourced smart contract threat-detection platform. The software looks for suspicious token approvals – the precursor of ice phishing – and suspicious transfers.

In the end, the best defence is like all phishing defences: scepticism or Zero Trust attitudes. Those go a long way. It’s relatively easy to find out if a scammer is behind the offer. Just doing a search for their name or company can dissuade involvement. Misspellings, identification errors, and weird URLs are dead giveaways. As usual, anything that’s free is suspect.