A security researcher has discovered a new phishing technique that could let perpetrators disguise malicious login forms as desktop apps by abusing a web browser feature.
The exploitable feature, called Application Mode, can be accessed in Google Chrome, Microsoft Edge, Brave, and other Chromium-based web browsers. Browsers that support the appendage of the --app
command line flag can launch websites in app mode, turning them into seemingly genuine desktop applications.
App-mode websites are launched in separate browser windows, resemble desktop apps, lack an address bar, and in some cases even use the website’s favicon instead of the browser’s icon. Launching an app through Microsoft Edge displays the browser icon, whereas attempting the same procedure in Chrome renders the website’s favicon in the Windows Taskbar.
Mr.d0x, who has also discovered Browser-in-the-Browser (BITB) and Microsoft WebView2 phishing techniques, demonstrated the potential of the new attack type. The researcher suggested inserting a fake address bar within the rogue web app to avoid detection by eagle-eyed users.
Furthermore, in its Proof-of-Concept (PoC), they swapped their website’s favicon with Microsoft’s logo to increase the apparent legitimacy of the app.
“Imagine a scenario where the user has some software that runs on the machine, think VPN software for example,” reads mr.d0x’s blog post. “With this method you can create a website that impersonates that software’s appearance.”
The technique is mainly designed for internal phishing, but it could be effective in external phishing scenarios by delivering the fake application as files. The researcher explains that perpetrators only need to configure the phishing page to display a fake address bar at the top and set the --app
parameter to point to a phishing site.
“You can impersonate Windows login prompts, VPN software, backup software and pretty much anything if you have basic HTML/CSS skills,” according to the blog.
Specialized software solutions like Bitdefender Ultimate Security can help you prevent phishing attacks and other types of cyberthreats with features like:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024