The technologies that enable our global communication and interaction are constantly evolving, offering tremendous benefits to users, but at the same time opening up new attack vectors for threat actors.
Social engineering is a threat that targets virtually every technology that connects people. A recent analysis of a phishing attack by Microsoft security researchers confirms the threat potential and underlines the importance of comprehensive security architectures.
Microsoft warns of a new breed of blockchain-centric attacks targeting web3 (the decentralized environment being built on top of the blockchain). In this context, the Microsoft 365 Defender Research Team analyzed the recent Badger DAO attack, which stole more than $120 million from blockchain users in November and December 2021. The security experts warn that these attacks are on the rise: “There are several types of phishing attacks in the web3 world,” writes Christian Seifert, a member of the Microsoft 365 Defender Research Team. “The technology is still burgeoning and new types of attacks can emerge.”
Ice fishing involves cutting a hole in a frozen body of water to catch fish. Ice phishing, as the Defender team calls it, uses social engineering to trick a user into signing a transaction that delegates approval of the user’s tokens to the attacker, without stealing the private keys in the process. The attack abuses a common transaction type, the token approval, which DeFi smart contracts rely on to interact with a user’s tokens (e.g. for swaps). In an “ice phishing” attack, all the attacker needs to do is replace the spender’s address in that approval with the attacker’s own address.
This can be very effective because the wallet UI does not display everything a user would need to notice that the transaction has been tampered with. Once the approval transaction is signed, submitted, and mined, the spender can access the funds. In an “ice phishing” campaign, the attacker can collect such approvals over a period of time and then quickly empty all of the victims’ wallets.
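The approval described above is an ERC-20 approve(spender, amount) call, and the two things a wallet can check before the user signs are exactly the two things the attacker manipulates: who the spender is, and how much they may move. The following is an added example, not code from the article or from Microsoft’s research: it ABI-decodes an approve() call and returns warnings when the spender is not the contract the user meant to interact with, or when the allowance is unlimited. The router and attacker addresses and the calldata are constructed for the demonstration.

```python
# Added example (not from the article or Microsoft's research): a wallet-side
# pre-signing check for ERC-20 approve() calls. Addresses below are constructed.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1          # the "infinite approval" value many dApps request


def _strip0x(hexstr: str) -> str:
    hexstr = hexstr.lower()
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): 4-byte selector + two 32-byte words."""
    spender_word = _strip0x(spender).rjust(64, "0")   # address is right-aligned
    amount_word = format(amount, "064x")
    return "0x" + APPROVE_SELECTOR + spender_word + amount_word


def decode_approve(calldata: str):
    """Return (spender, amount) for an approve() call, or None for anything else."""
    data = _strip0x(calldata)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]   # low 20 bytes of the first word
    amount = int(data[72:136], 16)
    return spender, amount


def check_approval(calldata: str, expected_spender: str, balance: int) -> list:
    """Warnings a wallet could show the user before they sign the transaction.

    expected_spender is the contract the user believes they are interacting with
    (e.g. the DEX router whose UI they are using); balance is the user's token balance.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return []   # not an approve() call; outside the scope of this check
    spender, amount = decoded
    warnings = []
    expected = expected_spender.lower()
    if spender != expected:
        warnings.append(
            f"spender {spender} is not the contract you are interacting with ({expected})"
        )
    if amount == UNLIMITED:
        warnings.append(
            "allowance is unlimited; the spender can move every token you hold now or later"
        )
    elif amount > balance:
        warnings.append(f"allowance {amount} exceeds your balance {balance}")
    return warnings


# constructed addresses: the DEX router the user intends to approve, and a hostile one
ROUTER = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"

if __name__ == "__main__":
    legit = encode_approve(ROUTER, 1000)          # what the dApp's UI would normally request
    phish = encode_approve(ATTACKER, UNLIMITED)   # spender swapped and allowance maxed out
    print("legit:", check_approval(legit, ROUTER, 5000))
    print("phish:", check_approval(phish, ROUTER, 5000))
```

The check is deliberately independent of anything the dApp front end shows: it works from the raw calldata the wallet is asked to sign, which is the only thing the attacker cannot dress up. A wallet that surfaces the decoded spender and amount, and refuses silently unlimited approvals, removes most of what makes the attack effective.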
Other phishing methods used by threat actors
1. Spear phishing
The attacker has researched the target group or gathered data from social media platforms to make the lure convincing. A spear phishing email is usually sent to one person or a small group of people who use the service, and it contains some form of personalization, such as the recipient’s name or a customer’s name.
2. Executive whaling
This type mostly targets executives and administrators to siphon money from accounts or steal confidential information. This type of fraud is characterized by personalization and detailed knowledge of the executive and the company.
3. Social engineering
The use of psychological manipulation to trick people into revealing confidential information or granting access to funds. The art of social engineering can also consist of gathering information from social media platforms. LinkedIn, Facebook and other platforms offer a wealth of information about a company’s employees.
Effective protective measures
Security training helps users and company employees recognize these various types of fraud. The most effective preventive measure is to implement comprehensive security awareness training for employees: their attentiveness is tested with simulated phishing emails, with the aim of raising awareness of the dangers and teaching them to recognize such attacks. Training of this kind greatly reduces the number of successful phishing attacks on a company, and alongside the technical security controls, trained employees act as a “human firewall”.