A newly released phishing kit allows red teamers and cybercriminals to create progressive web apps (PWAs) that display convincing corporate login forms to steal credentials.
PWAs are web-based applications built with HTML, CSS, and JavaScript that can be installed from a website much like regular desktop applications. Once installed, the browser creates a shortcut for the PWA and registers it with the operating system: on Windows it appears under Add or Remove Programs, and on macOS it is placed in the /Users/<account>/Applications/ folder.
When launched, a PWA runs in the browser it was installed from but appears as a desktop application with all standard browser controls hidden. Many websites, including X, Instagram, Facebook, and TikTok, use PWAs to offer a desktop app experience.
Using PWAs to Phish for Credentials
A new phishing toolkit created by security researcher mr.d0x demonstrates how to build PWAs that display corporate login forms, complete with a fake address bar showing the normal corporate login URL, which makes them appear more convincing.
"PWAs integrate better with the OS (i.e., they have their own app icon, can push notifications) and therefore can lead to higher engagement for websites," mr.d0x explains in a blog post about the new toolkit. Convincing a user to install the PWA takes some effort, but there are scenarios in which it becomes easier.
Threat actors commonly build websites that distribute malware disguised as legitimate software, such as fake NordVPN and ProtonVPN sites and fake Windows PC cleaners. In the same way, they can build sites promoting fake software or remote management tools whose install button installs the PWA instead.
When a visitor clicks the install button, the browser installs the PWA and registers it with the operating system; on Windows the user is also asked whether to create a shortcut on the Taskbar. When the PWA launches, it prompts the user to log in with credentials for whatever service the lure impersonates, such as a VPN product, Microsoft, AWS, or an online store.
This technique is notable because mr.d0x shows how to embed a fake address bar containing a spoofed URL inside the PWA, similar to the Browser-in-the-Browser technique. Because the installed PWA window hides the browser's real address bar, the spoofed one is the only URL indicator the target sees, which makes the login form appear legitimate.
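The install flow described above relies on standard PWA plumbing: a web app manifest that requests a chrome-less window, the `beforeinstallprompt` event behind the lure site's install button, and a display-mode check the app can use at launch to tell that it is running without the browser's real address bar. The following is an added example written for this page, not code from mr.d0x's toolkit or the article; the manifest values, the `LURE_MANIFEST`, `manifestProblems`, `wireInstallButton` and `runningStandalone` names, and the `install` button id are assumptions for illustration.

```javascript
// Added example (not from the toolkit or the article). Shows the three pieces a
// PWA lure depends on: an installable manifest, the install-button handler, and
// a standalone-mode check at launch. All names below are hypothetical.

// 1. Web app manifest, served as manifest.json and linked from the lure page.
//    Chromium only offers "Install" when the manifest has a name (or short_name),
//    a start_url, a display mode that hides browser chrome, and suitable icons.
//    "standalone" is the mode that removes the real address bar and controls.
const LURE_MANIFEST = {
  name: "Example VPN Client",        // assumed product name for illustration
  short_name: "ExampleVPN",
  start_url: "/app/",
  display: "standalone",
  background_color: "#ffffff",
  theme_color: "#1a1a1a",
  icons: [
    { src: "/icon-192.png", sizes: "192x192", type: "image/png" },
    { src: "/icon-512.png", sizes: "512x512", type: "image/png" },
  ],
};

// Returns the installability problems in a manifest (empty array when none),
// so the requirements above can be checked rather than discovered by trial.
function manifestProblems(m) {
  const problems = [];
  if (!m.name && !m.short_name) problems.push("missing name");
  if (!m.start_url) problems.push("missing start_url");
  if (!["standalone", "fullscreen", "minimal-ui"].includes(m.display)) {
    problems.push("display must hide browser chrome");
  }
  const sizes = new Set((m.icons || []).map((i) => i.sizes));
  if (!sizes.has("192x192") || !sizes.has("512x512")) {
    problems.push("need 192x192 and 512x512 icons");
  }
  return problems;
}

// 2. Install button. The browser fires beforeinstallprompt once the page is
//    installable; the page stashes the event and calls prompt() from a user
//    click, which is what produces the install dialog described in the article.
//    `win` and `button` are passed in so the logic can run outside a browser.
function wireInstallButton(win, button) {
  let deferred = null;
  const state = { outcome: null }; // "accepted" or "dismissed" after the click
  win.addEventListener("beforeinstallprompt", (e) => {
    e.preventDefault();            // suppress the browser's own mini-infobar
    deferred = e;
    button.hidden = false;         // reveal the lure's "Install" button
  });
  button.addEventListener("click", async () => {
    if (!deferred) return;
    deferred.prompt();
    const { outcome } = await deferred.userChoice;
    state.outcome = outcome;
    deferred = null;
    button.hidden = true;
  });
  return state;
}

// 3. At launch, the app page can detect that it is running as an installed
//    PWA (standalone window, no real address bar) rather than in a normal tab.
function runningStandalone(win) {
  return win.matchMedia("(display-mode: standalone)").matches
    || win.navigator.standalone === true;   // iOS Safari equivalent
}

// Browser wiring; skipped when run under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const btn = document.getElementById("install");
  if (btn) wireInstallButton(window, btn);
  console.log("standalone:", runningStandalone(window));
}
```

The same `display-mode: standalone` check is useful on the defensive side of a web app: a legitimate login page that is not meant to be installed as a PWA can refuse to render, or warn, when it finds itself in a standalone window where the user cannot see the real origin.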