Progressive web applications (PWAs), a type of application delivered through a web browser, can be hijacked to be used for phishing purposes, creating convincing and authentic-looking data collection platforms, experts warned.
Researcher mr.d0x, a notable figure in the cybersecurity community known for creating and sharing tools and techniques used in penetration testing, red teaming, and security research, described a new phishing toolset that lets people build PWAs which display corporate login forms and even include a fake address bar showing the authentic URL, so the app appears more trustworthy.
“PWAs integrate better with the operating system (i.e. have their own app icon, can send notifications) and can therefore drive higher engagement on websites,” mr.d0x explained. “The problem with PWAs is that it is possible to manipulate the user interface for phishing purposes,” he added.
Phishing templates launched
PWAs are not much different from regular applications. They still need to be downloaded and installed, they appear in the list of installed programs and applications, and they get a shortcut placed where the user chooses. The only difference is that once the user runs the app, it opens in the browser. That said, getting people to install a malicious PWA is not much different from getting them to install malware.
However, it could be more convincing than regular programs and as such could perform better when it comes to data collection and credential theft.
Mr.d0x released PWA phishing templates on GitHub, so other researchers can play with the tools as well.
“Users who don't often use PWAs may be more susceptible to this technique, as they may not be aware that PWAs should not have a URL bar. Although Chrome appears to have taken action against this by periodically displaying the actual domain in the bar, I think people's 'check the URL' habits will make that measure less useful,” the researcher told BleepingComputer.
Finally, he cautioned that most security awareness programs still do not include PWA phishing.
Via BleepingComputer