Beware of a New Phishing Attack on Web3.0 Mobile Wallets: Modal Phishing
Recently, we have discovered a new type of phishing technique that specifically targets the connection and authorization flow between mobile wallets and decentralized applications (DApps). We have named it the "Modal Phishing Attack".
In this attack, the attacker sends forged metadata to the mobile Wallet while posing as a legitimate DApp. Because the Wallet displays this attacker-supplied information in its modal window without checking it, the user is misled into approving a malicious transaction. The technique is already in active use. We have notified the affected component developers, who plan to release a new verification API to reduce the risk.
What is Modal Phishing?
During our security research on mobile wallets, we noticed that certain user interface (UI) elements of Web3.0 wallets are populated from data an attacker controls, and can therefore be abused for phishing. We call this modal phishing because the attacker's target is primarily the modal window of the cryptocurrency wallet.
A modal (or modal window) is a common UI element in mobile applications, typically drawn on top of the main application window. It lets the user take a quick decision, such as approving or rejecting a Web3.0 wallet transaction request, without leaving the current screen.
A typical Web3.0 wallet modal shows the information the user needs in order to review the request (for example the details of a signature or transaction request) together with buttons to approve or reject it.
However, several of those UI elements are filled in from data supplied by the requesting party. An attacker can therefore control how a transaction is described, disguising a malicious request as a seemingly legitimate action such as a "security update" in order to trick the user into approving it.
Attack Case Analysis
Case 1: DApp phishing attack via Wallet Connect
Wallet Connect is a widely used open-source protocol for connecting user wallets to DApps via QR codes or deep links. During pairing, the Web3.0 wallet displays a modal with the metadata of the incoming pairing request: the DApp's name, website, icon and description.
However, all of this metadata is supplied by the DApp itself, and the Wallet does not verify it. An attacker can therefore present the name, icon and website of a legitimate DApp and trick the user into connecting. Once the victim has paired with the attacker's DApp, believing it to be the genuine one, every transaction request the attacker sends is shown under that trusted identity, and the attacker chooses the request parameters (such as the destination address and amount) to steal funds.
Case 2: Phishing for smart contract information via MetaMask
MetaMask's approval modal contains a UI element that describes the type of transaction being approved. To fill it in, MetaMask reads the 4-byte function selector at the start of the transaction's calldata and looks up the corresponding method name in an on-chain method signature registry. Because that registry accepts entries from anyone, this is another UI element an attacker can control.
An attacker can deploy a phishing smart contract whose malicious function is named "SecurityUpdate", and register that signature so the registry maps its selector to the name "SecurityUpdate". When MetaMask decodes a call to that contract, it presents "SecurityUpdate" in the approval modal, so the request looks like a "security update" issued by MetaMask itself rather than a call into an unknown contract.
Prevention Recommendations
Wallet application developers should always treat externally supplied data as untrusted, choose carefully which of it is shown to users, and verify it before displaying it.
Users should treat every unexpected transaction request with suspicion and check the transaction details carefully before approving.
Wallet Connect and similar protocols should consider verifying DApp metadata up front, for example by checking that the declared website matches the origin that actually initiated the pairing.
Wallet applications should filter out misleading wording (such as "security update") that could be used for phishing before presenting it in the modal.
In short, certain elements of the Web3.0 wallet user interface may be manipulated by attackers, creating seemingly legitimate phishing traps. Users and developers should remain vigilant and work together to maintain the security of the Web3.0 ecosystem.