A security researcher has discovered a new phishing technique that could let perpetrators disguise malicious login forms as desktop apps by abusing a web browser feature.
The exploitable feature, called Application Mode, is available in Google Chrome, Microsoft Edge, Brave, and other Chromium-based web browsers. Any browser that accepts the --app command line flag can launch a website in app mode, turning it into a seemingly genuine desktop application.
App-mode websites are launched in separate browser windows, resemble desktop apps, lack an address bar, and in some cases even use the website’s favicon instead of the browser’s icon. Launching an app through Microsoft Edge displays the browser icon, whereas attempting the same procedure in Chrome renders the website’s favicon in the Windows Taskbar.
Mr.d0x, who has also discovered Browser-in-the-Browser (BITB) and Microsoft WebView2 phishing techniques, demonstrated the potential of the new attack type. The researcher suggested inserting a fake address bar within the rogue web app to avoid detection by eagle-eyed users.
Furthermore, in the Proof-of-Concept (PoC), the researcher swapped the website’s favicon with Microsoft’s logo to increase the apparent legitimacy of the app.
“Imagine a scenario where the user has some software that runs on the machine, think VPN software for example,” reads mr.d0x’s blog post. “With this method you can create a website that impersonates that software’s appearance.”
The technique is mainly designed for internal phishing, but it could also be effective in external phishing scenarios by delivering the fake application as files. The researcher explains that perpetrators only need to configure the phishing page to display a fake address bar at the top and set the --app parameter to point to the phishing site.
“You can impersonate Windows login prompts, VPN software, backup software and pretty much anything if you have basic HTML/CSS skills,” according to the blog.
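As an added, defender-side example that is not part of the article or the researcher’s PoC: a small Python triage of process-creation command lines that flags Chromium-based browsers launched with --app= pointing at a host outside an allowlist, at an IP literal, or at a non-web scheme such as file:// (the "delivered as files" case). The allowlist, the browser binary names and the Sysmon-style sample command lines are constructed assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Chromium-based browsers that honour the --app flag (the article names Chrome, Edge, Brave)
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Hosts this (assumed) organisation legitimately pins as app-mode windows
ALLOWED_HOSTS = {"intranet.example.internal", "mail.example.com"}

EXE_RE = re.compile(r'^\s*"?(.*?\.exe)"?', re.IGNORECASE)          # leading executable path
APP_RE = re.compile(r'(?:^|\s)--app=(?:"([^"]*)"|(\S+))')          # --app=URL or --app="URL"

def app_mode_target(cmdline):
    """Return the URL given to --app when a Chromium browser is launched in app mode, else None."""
    exe = EXE_RE.match(cmdline)
    if not exe:
        return None
    binary = exe.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
    if binary not in CHROMIUM_BROWSERS:
        return None
    m = APP_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def classify(cmdline):
    """'allowed', 'suspicious', or None when the command line is not an app-mode launch."""
    target = app_mode_target(cmdline)
    if target is None:
        return None
    url = urlparse(target)
    if url.scheme not in ("http", "https"):      # file:// or data: page shipped as a local file
        return "suspicious"
    host = (url.hostname or "").lower()
    try:
        ipaddress.ip_address(host)               # raw IP literal instead of a known app host
        return "suspicious"
    except ValueError:
        pass
    return "allowed" if host in ALLOWED_HOSTS else "suspicious"

def triage(cmdlines):
    """Map each app-mode launch to its verdict; non-app-mode launches are dropped."""
    return {c: v for c in cmdlines if (v := classify(c)) is not None}

SAMPLE_COMMAND_LINES = [  # constructed Sysmon-style CommandLine values, not real telemetry
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://intranet.example.internal/portal',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://login.example-vpn.net/',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=file:///C:/Users/Public/vpn.html',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com/',
    r'C:\Windows\System32\notepad.exe --app=https://example.com',
]

if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_COMMAND_LINES).items():
        print(verdict, "<-", cmd)
```

In a real deployment the same check runs over Sysmon Event ID 1 or EDR process-creation records, and an alert on "suspicious" is worth correlating with how the launching shortcut or file arrived on the host.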
Specialized software solutions like Bitdefender Ultimate Security can help you prevent phishing attacks and other types of cyberthreats with features like:
- Continuous, all-around protection against viruses, worms, Trojans, spyware, ransomware, rootkits, zero-day exploits, and other e-threats
- Anti-phishing module that detects and blocks websites that mimic legitimate ones to steal data from unsuspecting victims
- Anti-fraud system that warns you if you land on websites that may try to scam you
- Web-filtering technology that prevents web attacks by detecting and blocking known infected links