Beware of Phishing Attacks Using Progressive Web Apps to Steal Logins
A new phishing technique has emerged that cyber criminals are using to steal login credentials from unsuspecting victims. This method involves creating malicious progressive web apps (PWAs) that display fake login forms mimicking well-known brands or services. These PWAs can be installed on a user’s device, making them appear as legitimate applications.
What are Progressive Web Apps (PWAs)?
PWAs are web-based applications built using HTML, CSS, and JavaScript. They function like native mobile apps but can be accessed through a web browser and installed on a user’s device. Popular websites like Twitter, Instagram, and Facebook use PWAs to provide a seamless app-like experience to their users.
How the PWA Phishing Attack Works
Cyber criminals are now creating PWAs with convincing corporate login forms to phish for user credentials. These fake PWAs may prompt visitors to “install the app” on their devices. Once installed, the PWA launches and displays a fake login screen, often with a spoofed URL in the address bar to appear more legitimate.
To lure victims into installing the malicious PWA, attackers may:
Create websites promoting fake software or remote management tools with a button to “install” the app.
Distribute links or advertisements tricking users into installing the PWA.
Send phishing emails with malicious links to the fake PWA installer.
If a user enters their login credentials into the fake form, the information is sent directly to the attacker.
PWA showing a fake Microsoft login form – Source: mr.d0x
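The attack above works because an installed PWA runs in a chromeless window, so the only "address bar" the victim sees is whatever the page draws. One place a defender can look before that happens is the web app manifest the site serves to trigger the install prompt. The checker below is an added example, not code from this article or from mr.d0x: it parses a manifest.json, resolves start_url against the manifest's own URL as browsers do, and flags a manifest whose name or short_name claims a brand while its start_url lives on an unrelated domain. The brand-to-domain table, the two sample manifests, and the two-label "registrable domain" shortcut (a real tool would use the public suffix list) are all constructed assumptions.

```python
"""Heuristic checker for web app manifests (manifest.json).

Flags PWA installs whose branding does not match the origin they are
served from. Illustrative example; not code from the article or from
mr.d0x. BRAND_ORIGINS and the sample manifests below are constructed.
"""
import json
from urllib.parse import urljoin, urlparse

# Constructed allowlist: brand keyword -> registrable domains that may
# legitimately use that name in a manifest.
BRAND_ORIGINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "google": {"google.com", "gstatic.com"},
    "paypal": {"paypal.com"},
}

# display modes that hide the browser's real address bar once installed
CHROMELESS_MODES = {"standalone", "fullscreen", "minimal-ui"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host name.

    Good enough for the constructed samples; a production tool would
    consult the public suffix list instead.
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_manifest(manifest_url, manifest_text):
    """Return a list of human-readable findings for one manifest."""
    manifest = json.loads(manifest_text)
    findings = []

    # start_url is resolved relative to the manifest URL, as browsers do
    start = urljoin(manifest_url, manifest.get("start_url", "/"))
    parsed = urlparse(start)
    start_domain = registrable_domain(parsed.hostname or "")

    names = " ".join(
        str(manifest.get(key, "")) for key in ("name", "short_name")
    ).lower()
    display = manifest.get("display", "browser")

    if display in CHROMELESS_MODES:
        findings.append(
            f"display={display}: installed app will have no browser address bar"
        )
    if parsed.scheme != "https":
        findings.append("start_url is not served over https")
    for brand, legit_domains in BRAND_ORIGINS.items():
        if brand in names and start_domain not in legit_domains:
            findings.append(
                f"name claims '{brand}' but start_url is on {start_domain}"
            )
    return findings


def is_suspicious(manifest_url, manifest_text):
    """True when a brand claim does not match the serving domain."""
    findings = assess_manifest(manifest_url, manifest_text)
    return any("claims" in f for f in findings), findings


# Constructed sample manifests: one served from a real brand domain, one
# lookalike served from an unrelated host using a reserved .example TLD.
LEGIT_MANIFEST = json.dumps({
    "name": "Microsoft 365", "short_name": "M365",
    "start_url": "/", "display": "standalone",
})
LOOKALIKE_MANIFEST = json.dumps({
    "name": "Microsoft 365 Login", "short_name": "Microsoft",
    "start_url": "/login/index.html", "display": "standalone",
})

if __name__ == "__main__":
    samples = [
        ("https://www.office.com/manifest.json", LEGIT_MANIFEST),
        ("https://m365-secure-portal.example/manifest.json", LOOKALIKE_MANIFEST),
    ]
    for url, text in samples:
        flagged, notes = is_suspicious(url, text)
        print(url, "SUSPICIOUS" if flagged else "ok")
        for note in notes:
            print("  -", note)
```

Both samples request standalone display, so both get the "no browser address bar" note; only the lookalike is marked suspicious, because a brand name on an unrelated domain is the signal worth acting on. The chromeless-mode note is kept as context rather than a verdict, since legitimate PWAs use standalone mode too.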
Protecting Yourself from PWA Phishing Attacks
To avoid falling victim to these attacks, exercise caution when prompted to install any application or PWA, especially from unfamiliar sources.
Here are some tips to stay safe:
Be wary of unsolicited prompts or links asking you to install apps or PWAs, even if they appear to be from a legitimate source.
Verify the legitimacy of any software or app before installing it, especially if it requires login credentials.
Check the URL in the address bar carefully, and be suspicious of an installed app that draws its own address bar inside its window: a legitimate website will not display a fake URL.
Keep your operating system, web browsers, and security software up-to-date to benefit from the latest security patches.
Enable two-factor or multi-factor authentication whenever possible to add an extra layer of security for your accounts.
Screenshot of a sample of 9 phishing pages targeting financial institutions discovered by Allure Security
If you suspect you may have fallen victim to a PWA phishing attack, immediately change the passwords for any accounts potentially compromised and enable additional security measures like two-factor authentication. It’s also advisable to monitor your accounts for any suspicious activity and report the incident to the relevant authorities.
While PWA phishing attacks may be more sophisticated, exercising caution and following best practices for online security can help protect you from falling victim to these scams.