‘Ice phishing’ on the blockchain

The technologies that connect us are continually advancing, and while this brings tremendous new capabilities to users, it also opens new attack surfaces for adversaries and abusers. Social engineering represents a class of threats that has extended to virtually every technology that enables human connection. Our recent analysis of a phishing attack connected to the blockchain reaffirms the durability of these threats as well as the need for security fundamentals to be built into related future systems and frameworks.

Credential phishing haunts our customers day in and day out in the web2 world, which is the version of the internet that most of us are familiar with and use today. It’s a profitable business for cybercriminals, even if margins are slim and there’s significant risk associated with monetizing credentials to a business (for example, through human-operated ransomware attacks). Now, imagine if an attacker can – single-handedly – grab a big chunk of the nearly 2.2 trillion US dollar cryptocurrency market capitalization and do so with almost complete anonymity. This changes the dynamics of the game and is exactly what’s happening in the web3 world multiple times a month.

Web3 is the decentralized world that is built on top of cryptographic security that lays the foundation of the blockchain (in contrast, web2 is the more centralized world). In web3, funds you hold in your non-custodial wallet are secured by the private key that is only known to you. Smart contracts you interact with are immutable, often open-source, and audited. How do phishing attacks happen with such a secure foundation?

Read more…
Source: Microsoft