Progressive Web Apps (PWAs), applications delivered through a web browser, can be hijacked for phishing and turned into authentic-looking, convincing data collection platforms, experts warn.
Researcher mr.d0x, a well-known figure in the cybersecurity community best known for creating and sharing tools and techniques for penetration testing, red teaming, and security research, has described a new phishing toolkit built around PWAs that display company login forms and include a fake address bar showing the authentic URL, which makes the page look more trustworthy.
“PWAs integrate better with the operating system (i.e. they have their own app icon, can push notifications) and can therefore lead to higher website engagement,” explains mr.d0x. “The problem with PWAs is that manipulating the user interface for phishing purposes is possible,” he added.
Phishing templates released
PWAs are not very different from regular applications: they still need to be downloaded and installed, they appear in the list of installed programs and apps, and they place a shortcut wherever the user has chosen. The only difference is that once the user runs the app, it opens in the browser. Consequently, getting people to install a malicious PWA is not much different from getting them to install malware.
However, it could be more convincing than regular programs, and as such could perform better when it comes to data collection and credential theft.
Mr.d0x has released PWA phishing templates on GitHub so other researchers can play with the tools as well.
“Users who do not frequently use PWAs may be more susceptible to this technique, as they may not be aware that PWAs should not have a URL bar. Although Chrome appears to have taken steps against this by periodically replacing the real domain in the title bar, I think people’s habit of ‘checking the URL’ will make this measure less useful,” the researcher told BleepingComputer.
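What makes the fake address bar possible is that an installed PWA's manifest controls whether the browser's own UI, including the real URL bar, is shown at all. The helper below is an added example written for this article; it is not code from mr.d0x's toolkit or from any browser vendor. It reads a Web App Manifest (the standard members display, display_override, start_url, name and short_name), resolves the effective display mode, and reports whether the app will run without the browser's address bar and whether its start page stays on the manifest's own origin, which is the kind of triage an analyst wants when a user reports an unexpected "app" install. The sample manifests and the URL https://example.com are constructed for illustration.

```python
"""Triage helper for a Web App Manifest (added example, not part of the article).

Reports the settings that decide whether an installed PWA shows the browser's
real address bar. Manifest members used are standard Web App Manifest fields;
the sample manifests at the bottom are constructed for illustration.
"""
import json
from urllib.parse import urljoin, urlparse

# Display modes in which the browser's own chrome, including the editable
# URL bar, is hidden. "minimal-ui" keeps a reduced toolbar; "browser" keeps
# the normal browser UI.
HIDES_ADDRESS_BAR = {"fullscreen", "standalone"}


def effective_display(manifest: dict) -> str:
    """Return the display mode the browser will try first.

    display_override (a list, in priority order) takes precedence over
    display; a manifest with neither falls back to "browser".
    """
    override = manifest.get("display_override") or []
    if override:
        return override[0]
    return manifest.get("display", "browser")


def triage_manifest(manifest_text: str, manifest_url: str) -> dict:
    """Summarise the address-bar-relevant properties of a manifest.

    manifest_url is the URL the manifest was fetched from; start_url is
    resolved relative to it, as browsers do.
    """
    manifest = json.loads(manifest_text)
    display = effective_display(manifest)
    start_url = urljoin(manifest_url, manifest.get("start_url", "."))
    manifest_origin = urlparse(manifest_url).netloc.lower()
    start_origin = urlparse(start_url).netloc.lower()

    report = {
        "name": manifest.get("name"),
        "short_name": manifest.get("short_name"),
        "display": display,
        "hides_address_bar": display in HIDES_ADDRESS_BAR,
        "start_url": start_url,
        "same_origin": manifest_origin == start_origin,
        "findings": [],
    }
    if report["hides_address_bar"]:
        report["findings"].append(
            f"display mode '{display}': browser URL bar will not be shown; "
            "any URL bar the user sees is drawn by the page itself"
        )
    if not report["same_origin"]:
        report["findings"].append(
            f"start_url origin '{start_origin}' differs from manifest origin "
            f"'{manifest_origin}'"
        )
    return report


# Constructed sample manifests (not from any real site).
STANDALONE_MANIFEST = json.dumps({
    "name": "Example Corp Login",
    "short_name": "Login",
    "start_url": "/login",
    "display": "standalone",
})

BROWSER_MANIFEST = json.dumps({
    "name": "Example Corp Docs",
    "short_name": "Docs",
    "start_url": "/docs",
    "display": "browser",
})

if __name__ == "__main__":
    for text in (STANDALONE_MANIFEST, BROWSER_MANIFEST):
        result = triage_manifest(text, "https://example.com/manifest.json")
        print(json.dumps(result, indent=2))
```

A manifest whose effective display mode is fullscreen or standalone is the case the article describes: nothing the user sees inside that window is the browser's own address bar, so "checking the URL" there proves nothing.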
Finally, he warned that most security awareness programs do not yet include PWA phishing.
Via BleepingComputer