Cryptocurrency scammers managed to mimic the activity of legitimate dApps to steal funds from users' wallets. The modal window — a key element of crypto wallets' user interfaces — can be easily used to mislead crypto owners.
Hackers exploit mainstream wallet protocol for "modal phishing," CertiK says
Crypto hackers are using sophisticated phishing techniques to drain victims' wallets. Namely, they can gain control over the "modal windows" of noncustodial wallets to lure their owners into approving the wrong transactions. Such attacks are described in a new Modal Phishing in Web3 Mobile Wallets report by leading cybersecurity team CertiK.
🚨 Our security researchers discovered a new phishing technique, Modal Phishing, that exploits a common UI component - modal windows - on #crypto wallets.
— CertiK (@CertiK) April 12, 2023
Attackers can manipulate certain UI elements to create convincing phishing scenarios... 🧵👇 pic.twitter.com/RAYYufuYre
The hackers managed to send phishing messages to mobile wallets being recognized as legitimate decentralized applications (dApps). As a result, a user can lose his/her money by approving a "Security Update" transaction on MetaMask.
Two phishing scenarios are the most common in early 2023: hackers can either manipulate WalletConnect open-source protocol to gain control over dApp information UI elements or obtain control over smart contracts directly.
In the first scenario, attackers can replace the transaction request parameters (amount of tokens, type of tokens, destination address and so on) after approval by the user.
CertiK team reported this vulnerability to the WalletConnect team; developers confirmed the issue and are working on mitigating it through an emergency update.
Never approve suspicious transactions in your MetaMask
The second scenario is even more tricky: the scammers can change the name of methods (commands used by Web3 applications) to make the wallets display the wrong messages.
The user might think that he or she is approving a "Security Update" through a MetaMask wallet once the attackers use this name to label scam transactions approvals.
Unfortunately, CertiK unveiled a phishing contract that managed to steal funds from crypto users for 200 days.
The CertiK team yet again stresses that users should be super cautious and even skeptical about every unknown transaction request — even those labeled as a security upgrade.
Arman Shirinyan
Alex Dovbnya
