Advanced phishing toolkit uses PWAs to steal login credentials

A recently developed phishing kit enables both red teamers and cybercriminals to create progressive web apps (PWAs) that display convincing corporate login forms and steal the credentials entered into them. PWAs are web applications built with HTML, CSS, and JavaScript that can be installed directly from a website and then behave like regular desktop applications. Once installed, the browser registers the PWA with the operating system: on Windows it gets a shortcut and an entry in Add or Remove Programs, and on macOS it is placed under the /Users/<account>/Applications/ folder.



When a PWA is launched, it still runs inside the browser it was installed from, but it is displayed in its own window with the browser's standard controls, including the address bar, hidden. Many websites, including X, Instagram, Facebook, and TikTok, offer PWAs to give users a desktop-app experience.

The new phishing toolkit, created by security researcher mr.d0x, demonstrates how a PWA can display a corporate login form together with a fake address bar showing the legitimate corporate login URL, making the phishing attempt appear more convincing. The researcher has released the PWA phishing templates on GitHub for testing and modification.


"Users that don't use PWAs often may be more susceptible to this technique as they might be unaware that PWAs should not have a URL bar. Even though Chrome appears to have taken measures against this by periodically showing the real domain in the title bar, I think people's habits of 'checking the URL' will render that measure less useful.

Additionally, how many security awareness programs today mention PWA phishing? I can only speak from personal experience and I haven't seen companies mention this in their training. The lack of familiarity with PWA and the danger they can potentially pose might make this technique more effective.

I can see this technique being used by attackers to request users to install software and then in the PWA window the phishing happens. This was demonstrated in the demo video I provided.

Finally, one thing to keep in mind is that Windows actively prompts the user to pin the PWA to the taskbar. The next time the window is opened it will automatically open the URL mentioned in the "start_url" parameter in the manifest file. This may cause the user to pin the PWA and use it more than once, providing the attacker with more results."

mr.d0x told BleepingComputer.
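The "start_url" member mr.d0x refers to, and the "display" member that decides whether the installed window shows browser controls at all, are both standard Web App Manifest fields. The script below is an added example written for this article, not code from mr.d0x's kit or from any site named here: it triages a manifest for those two members and checks the app name against a brand watchlist. The sample manifests, the `.example` hostnames and the watchlist are constructed for illustration.

```javascript
// Added example: triage a Web App Manifest for the members a PWA phishing
// page relies on. "display" controls whether the browser address bar is shown
// and "start_url" is what loads when the pinned app is reopened.
// Sample manifests and the brand watchlist below are constructed for this demo.

// Display modes defined by the Web App Manifest spec that remove the browser's
// address bar. "minimal-ui" keeps a reduced URL bar and "browser" is a normal tab.
const CHROMELESS_DISPLAY_MODES = new Set(["standalone", "fullscreen"]);

// Display modes this demo models; other display_override values are skipped.
const KNOWN_DISPLAY_MODES = new Set(["fullscreen", "standalone", "minimal-ui", "browser"]);

// Constructed watchlist: lower-case brand keyword -> hosts allowed to use it.
const BRAND_WATCHLIST = {
  contoso: ["login.contoso.example", "www.contoso.example"],
};

// Effective display mode: the browser takes the first supported entry of
// "display_override", otherwise "display", otherwise "browser".
function effectiveDisplayMode(manifest) {
  const override = Array.isArray(manifest.display_override) ? manifest.display_override : [];
  const candidates = [...override, manifest.display ?? "browser"];
  return candidates.find((mode) => KNOWN_DISPLAY_MODES.has(mode)) ?? "browser";
}

function analyzeManifest(manifestText, manifestUrl) {
  const manifest = JSON.parse(manifestText);
  const base = new URL(manifestUrl);

  // start_url is resolved relative to the manifest URL, as the browser does.
  // Simplification: a missing start_url defaults to the manifest URL here
  // (the spec uses the installing page's URL, which this script does not have).
  const startUrl = new URL(manifest.start_url ?? "", base);

  const display = effectiveDisplayMode(manifest);
  const hidesAddressBar = CHROMELESS_DISPLAY_MODES.has(display);
  const findings = [];

  if (hidesAddressBar) {
    findings.push(`display "${display}" hides the browser address bar; any URL bar shown is page content`);
  }
  if (startUrl.origin !== base.origin) {
    // Browsers reject a cross-origin start_url; treat it as a broken or tampered manifest.
    findings.push(`start_url origin ${startUrl.origin} differs from manifest origin ${base.origin}`);
  }

  // Brand check: a watched brand keyword in name/short_name served from a host
  // outside that brand's allowlist.
  const label = `${manifest.name ?? ""} ${manifest.short_name ?? ""}`.toLowerCase();
  let brandMismatch = false;
  for (const [brand, hosts] of Object.entries(BRAND_WATCHLIST)) {
    if (label.includes(brand) && !hosts.includes(base.hostname)) {
      brandMismatch = true;
      findings.push(`name references "${brand}" but manifest is served from ${base.hostname}`);
    }
  }

  return {
    name: manifest.name ?? null,
    origin: base.origin,
    startUrl: startUrl.href,
    display,
    hidesAddressBar,
    // Most legitimate PWAs are "standalone", so chromeless alone is not a signal.
    suspicious: hidesAddressBar && brandMismatch,
    findings,
  };
}

// Constructed sample: a look-alike host serving a chromeless "login" app.
const LOOKALIKE_MANIFEST = JSON.stringify({
  name: "Contoso Login",
  short_name: "Contoso",
  start_url: "./login?src=pwa",
  display: "standalone",
  icons: [{ src: "icon-192.png", sizes: "192x192", type: "image/png" }],
});
const LOOKALIKE_URL = "https://contoso-sso.example/app/manifest.json";

// Constructed sample: the same brand on its own host, opened as a normal tab.
const LEGIT_MANIFEST = JSON.stringify({ name: "Contoso Login", start_url: "/", display: "browser" });
const LEGIT_URL = "https://login.contoso.example/manifest.json";

console.log(JSON.stringify(analyzeManifest(LOOKALIKE_MANIFEST, LOOKALIKE_URL), null, 2));
console.log(JSON.stringify(analyzeManifest(LEGIT_MANIFEST, LEGIT_URL), null, 2));
```

Run it with `node` and feed it a manifest fetched from a site you are investigating. The report only marks a manifest suspicious when it is chromeless and a watched brand name appears on a host outside that brand's allowlist, because a `standalone` display mode on its own describes almost every legitimate PWA.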


This technique is noteworthy because it embeds a fake address bar, showing a spoofed URL, inside the PWA window, much like the Browser-in-the-Browser technique, so the login form looks legitimate to the target. Threat actors may lure users into installing the app and then conduct the phishing entirely within the PWA window.

Although this PWA phishing method requires convincing targets to install the app first, threat actors may well adopt it in the future. At the time of writing, no group policy prevents the installation of progressive web apps; existing policies only allow administrators to block specific extension IDs or access to specific URLs.

In 2018, researchers from the Korea Advanced Institute of Science & Technology (KAIST) released a paper investigating progressive web apps and their potential security risks.

A demonstration of the PWA phishing kit can be seen below.
