New Threats to Web3 Mobile Wallets: A Detailed Explanation of Modal Phishing Attacks and Prevention

New Security Risks of Web3.0 Mobile Wallet: Modal Phishing Attacks

Recently, security researchers discovered a new phishing technique targeting Web3.0 mobile wallets, named the "Modal Phishing Attack." The technique exploits the way mobile wallets render information in their modal windows, misleading users into approving malicious transactions by showing them deceptive information.

Revealing the new type of scam in Web3.0 mobile wallets: Modal Phishing Attack

The Principle of Modal Phishing Attacks

Modal phishing attacks primarily target modal windows commonly used in cryptocurrency wallet applications. These modal windows are typically used to display transaction request information and obtain user approval. Attackers can manipulate certain user interface elements within these windows to display false or misleading information.

Specifically, the attacker can control the following UI elements:

  1. DApp Information: including name, icon, website address, etc.
  2. Smart Contract Information: such as function names, etc.

Typical Attack Cases

1. Use the Wallet Connect protocol for DApp phishing

Wallet Connect is a widely used protocol for connecting user wallets to DApps. Researchers have found that during the pairing process, wallet applications directly display the metadata provided by the DApp without verifying it. Attackers can exploit this by spoofing the information of well-known DApps to deceive users.

For example, an attacker can create a spoofed Uniswap DApp and connect to the user's Metamask Wallet via Wallet Connect. During the pairing process, the wallet displays seemingly legitimate Uniswap information, including name, website, and icon. Once the user approves the connection, the attacker can send malicious transaction requests.

2. Phishing for smart contract information through Metamask

Wallets such as Metamask display the name of the smart contract function being called on the transaction approval screen. Attackers can give contract functions misleading names, such as "SecurityUpdate," and call those functions in their transaction requests. Seeing what looks like an official update request, users may believe it is a legitimate operation and approve the transaction.

Prevention Suggestions

For Wallet developers:

  1. Always treat externally supplied data as untrusted.
  2. Carefully select the information shown to users and verify its legitimacy before displaying it.
  3. Consider adding verification mechanisms, such as verifying DApp information before it is presented in the modal.
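One way a wallet can apply these suggestions to the Wallet Connect pairing case above, as an added example that is not code from the article or from any wallet: the DApp's name, url and icons are treated as untrusted and checked against a constructed allowlist of verified origins. The KNOWN_DAPPS table, the function names and the sample metadata are assumptions.

```javascript
// Wallet-side sanity check for DApp metadata received in a pairing proposal.
// Added example, not code from the article or from any wallet; the allowlist
// and the sample metadata are constructed.
// Metadata uses the name/url/icons fields that WalletConnect pairing carries.

// Constructed allowlist: normalised DApp name -> origins it is allowed to claim.
// A real wallet would source this from a maintained, signed registry.
const KNOWN_DAPPS = new Map([
  ["uniswap", ["https://app.uniswap.org"]],
]);

// Normalise a display name so "Uniswap" and " uniswap " compare equal.
function normaliseName(name) {
  return String(name || "").trim().toLowerCase();
}

// Parse a URL and return its origin, or null if it is not a usable https URL.
function httpsOrigin(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === "https:" ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// Every field comes from the DApp (i.e. the attacker in the phishing case),
// so nothing is trusted: the name is checked against the origin it claims,
// and icons hosted elsewhere are flagged as copied branding.
// Returns { verdict, origin, reasons }; a wallet should show `origin`
// prominently and the name/icon only as unverified hints.
function assessPairingMetadata(meta) {
  const reasons = [];
  const origin = httpsOrigin(meta.url);
  if (!origin) reasons.push("url is missing, unparseable or not https");

  const allowed = KNOWN_DAPPS.get(normaliseName(meta.name));
  if (allowed && origin && !allowed.includes(origin)) {
    reasons.push(`name "${meta.name}" does not belong to origin ${origin}`);
  }

  for (const icon of Array.isArray(meta.icons) ? meta.icons : []) {
    const iconOrigin = httpsOrigin(icon);
    if (!iconOrigin) reasons.push("icon url is unparseable or not https");
    else if (origin && iconOrigin !== origin) reasons.push("icon hosted off-origin");
  }

  return { verdict: reasons.length ? "warn" : "ok", origin, reasons };
}
```

A "warn" verdict should make the wallet show the real origin and the reasons in the modal instead of the DApp-supplied branding, so the user's decision rests on a value the DApp cannot freely choose.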

For users:

  1. Stay vigilant with every unfamiliar transaction request.
  2. Check the transaction details carefully and do not decide solely on the basis of the information displayed in the UI.
  3. If in doubt, verify the information through official channels.

In summary, modal phishing attacks reveal potential vulnerabilities in Web3.0 wallet design and information verification in the user interface. As these types of attack methods continue to evolve, wallet developers and users need to enhance security awareness and work together to maintain the safety of the Web3 ecosystem.
