Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.
The internet’s latest iteration is Web3, a form of blockchain-based decentralized network being hailed by tech giants, blockchain enthusiasts and crypto communities as something that will revolutionize computing in the foreseeable future. While it remains to be seen what exactly Web3 will develop into, early applications like cryptocurrencies and NFTs are already growing in popularity, creating a new playground for opportunistic cybercriminals. In 2021 alone, scammers stole a whopping $14 billion worth of crypto, nearly twice the amount stolen in 2020.
It can be argued that because Web3 is based on blockchain technology, it’s inherently secure. But the fact remains that humans will always be vulnerable to manipulation, and that’s why phishing remains one of the top attack vectors. Furthermore, blockchain lets attackers stay anonymous, and stolen funds are usually irretrievable.
Let’s explore some of the top crypto and blockchain phishing scams to have surfaced recently.
1. Malicious Airdrops
Airdrops are a kind of marketing or promotional tool organizations employ to incentivize users to use their products, services or platforms. Businesses typically airdrop cryptocurrencies (or money) into a user’s wallet address to mark an event such as a new product launch or a new coin offering, or in exchange for promoting a brand (signing up for a newsletter, following a social media handle, etc.). Since there is the attraction of free money and FOMO (fear of missing out) involved, airdrops have become popular among early crypto investors.
However, airdrops can also be leveraged to carry out phishing campaigns. For example, users receive an email, SMS or social media message claiming that some random cryptocurrency has been added to their wallet via an airdrop. The victim is then directed to another exchange where the coin can supposedly be sold. The site asks victims to connect their wallets, and those who do find that all their funds have been withdrawn. Late last year, malicious airdropped NFTs helped attackers steal collectibles worth “hundreds of thousands of dollars” from the OpenSea NFT marketplace.
2. Seed Phrase Phishing
A so-called seed phrase is a master key that unlocks access to all your crypto assets. Sharing it is like giving someone your bank account username and password. Some phishing scams trick users into divulging their seed phrase, which results in their losing the funds stored in their crypto wallets.
In a recent example, phishers used Google Ads to promote their scam and direct users to phishing websites or browser extensions that appear legitimate. As part of the registration or account recovery process, unsuspecting victims are asked to enter a recovery phrase supplied by the bad actor. The criminal then uses the same phrase to immediately drain the victim’s wallet.
MetaMask, a popular crypto wallet, warned users of a Twitter bot that was asking users to provide their seed phrases on Google Forms as part of the account recovery process.
3. Ice Phishing
Similar to ice fishing in the real world, where a hole is made in a frozen lake to catch fish, ice phishing is a novel Web3 clickjacking scheme that tricks users into assigning or delegating approval of their tokens to a cybercriminal. According to Microsoft, the smart contract user interface does not make it obvious to the victim that the transaction has been tampered with. All the attacker needs to do is change the spender’s address to the attacker’s address and then wait for the victim to authorize the transaction, which grants approval to the attacker’s account. (In crypto parlance, the “spender” is the party allowed to spend tokens on the owner’s behalf.)
In this particular instance, the attacker was able to modify the smart contract UI by injecting a malicious script into the smart contract front end. A similar attack happened on the BadgerDAO exchange late last year when attackers leveraged ice phishing to steal cryptocurrency worth $120 million.
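As an added illustration (not from the article, Microsoft or BadgerDAO) of the check a wallet or front end could apply to the approval step described above: decode the ERC-20 approve(address,uint256) calldata and flag a spender that differs from the dApp’s known contract, or an allowance larger than the user meant to grant. The selector and field layout follow the ERC-20 ABI; the addresses and amounts are constructed for the example.

```python
# Added example: wallet-side sanity check on an ERC-20 approve() before signing.
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1          # the "infinite" allowance many dApps request

def _strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h

def decode_approve(calldata_hex: str):
    """Return (spender, amount) from approve(address,uint256) calldata, or None."""
    data = _strip0x(calldata_hex).lower()
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:   # an address is left-padded with 12 zero bytes
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def check_approval(calldata_hex: str, expected_spender: str, max_amount: int):
    """Flag a spender that is not the dApp's known contract, and allowances
    that exceed what the user intended; an empty list means nothing suspicious."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return ["not-an-approve"]
    spender, amount = decoded
    findings = []
    if spender != expected_spender.lower():
        findings.append("spender-mismatch")      # the ice phishing tell-tale
    if amount == UNLIMITED:
        findings.append("unlimited-allowance")
    elif amount > max_amount:
        findings.append("amount-exceeds-intent")
    return findings

def build_approve(spender: str, amount: int) -> str:
    """Construct the calldata a front end would submit (used only for the sample)."""
    return "0x" + APPROVE_SELECTOR + _strip0x(spender).lower().rjust(64, "0") + format(amount, "064x")

# Constructed sample addresses: the dApp's legitimate contract and a substituted spender.
LEGIT_SPENDER = "0x" + "11" * 20
ROGUE_SPENDER = "0x" + "ee" * 20
INTENDED = 1_000 * 10**18
honest_tx = build_approve(LEGIT_SPENDER, INTENDED)
tampered_tx = build_approve(ROGUE_SPENDER, UNLIMITED)

if __name__ == "__main__":
    print(check_approval(honest_tx, LEGIT_SPENDER, INTENDED))    # []
    print(check_approval(tampered_tx, LEGIT_SPENDER, INTENDED))  # ['spender-mismatch', 'unlimited-allowance']
```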
4. Fraudulent Emails, Websites And Social Media Accounts
Phishing emails and fake URLs are probably among the oldest tricks in the book. Likewise, Web3 is rife with copycat websites, social media accounts and fraudulent emails. From get-rich-quick and pump-and-dump schemes to fake promos and promising new cryptocurrencies, email scams are costing users millions of dollars each year.
Last year, a leading crypto exchange lost $55 million just because a crypto developer accidentally opened a phishing email with a malicious attachment. Crypto-related fraud on social media is growing exponentially. Scammers frequently pose as authentic sources, celebrities, friends or family, encouraging users to visit impersonated websites or make bogus investments. Once an investment gains traction, duplicitous developers execute the famous rug pull, leaving investors holding worthless assets. Rug-pull scams cost investors a whopping $2.8 billion in 2021.
It’s quite obvious by now that no matter how watertight Web3 turns out to be from a security standpoint, it won’t save us from phishing scams. Users need to be wary of these scams, and organizations must consistently invest in education and in raising security awareness around the latest schemes and tactics employed by attackers. Users should be recognized as part of the security solution and not part of the security problem.