
A new phishing technique has emerged that cyber criminals are using to steal login credentials from unsuspecting victims. This method involves creating malicious progressive web apps (PWAs) that display fake login forms mimicking well-known brands or services. These PWAs can be installed on a user’s device, making them appear as legitimate applications. 

What are Progressive Web Apps (PWAs)?

PWAs are web-based applications built using HTML, CSS, and JavaScript. A site declares itself installable through a web app manifest (a small JSON file naming the app, its icon, its start URL, and its display mode); the browser then offers to install it. Once installed, the PWA gets its own icon and launches in its own window, and in the "standalone" or "fullscreen" display modes that window has no browser address bar at all, so it looks and behaves like a native app. Popular websites like Twitter, Instagram, and Facebook use PWAs to provide a seamless app-like experience to their users. 

How the PWA Phishing Attack Works

Cyber criminals are now creating PWAs with convincing corporate login forms to phish for user credentials. These fake PWAs may prompt visitors to "install the app" on their devices. Once installed, the PWA launches in its own window and displays a fake login screen. Because an installed PWA window has no real browser address bar, the attacker can draw a convincing fake one as part of the page content, showing whatever URL they like (for example the real login URL of the brand being imitated), and the victim has no genuine address bar to compare it against. 

To lure victims into installing the malicious PWA, attackers may: 

  1. Create websites promoting fake software or remote management tools with a button to “install” the app. 
  2. Distribute links or advertisements tricking users into installing the PWA. 
  3. Send phishing emails with malicious links to the fake PWA installer. 

If a user enters their login credentials into the fake form, the information is sent directly to the attacker. 
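The two indicators the attack relies on, an address-bar-hiding display mode and a brand name served from a domain the brand does not own, can both be read straight out of the web app manifest. The following is an added example of how a defender might triage manifests for that pattern; it is not code from the original article or from mr.d0x, and the brand-to-domain allow-list, the heuristics, the sample manifests and the host names are all constructed for illustration.

```javascript
// Added example (not from the original article or mr.d0x): heuristics for
// triaging a PWA's web app manifest for the phishing pattern described above.
// KNOWN_BRANDS, the sample manifests and every host name below are
// constructed for illustration; replace the allow-list with your own.

// Brands commonly impersonated in credential phishing, mapped to the domains
// that legitimately serve their apps (assumption: an illustrative allow-list).
const KNOWN_BRANDS = {
  microsoft: ['microsoft.com', 'microsoftonline.com', 'live.com', 'office.com'],
  google: ['google.com'],
  facebook: ['facebook.com'],
};

// Display modes in which the browser shows no address bar of its own, so any
// URL bar the user sees in the app window is drawn by the page itself.
const ADDRESS_BAR_HIDDEN = new Set(['standalone', 'fullscreen']);

// Resolve a (possibly relative) URL against a base and return its host, or null.
function hostOf(url, base) {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// True when host is the domain itself or a subdomain of it.
function hostWithin(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// manifest: the parsed manifest JSON; manifestUrl: the URL it was fetched from.
function analyzeManifest(manifest, manifestUrl) {
  const host = hostOf(manifestUrl);
  const display = String(manifest.display || 'browser').toLowerCase();
  const name = `${manifest.name || ''} ${manifest.short_name || ''}`.toLowerCase();
  const findings = [];

  const hidesAddressBar = ADDRESS_BAR_HIDDEN.has(display);
  if (hidesAddressBar) {
    findings.push(`display "${display}": no browser address bar; any URL bar shown is page content`);
  }

  // A brand name in the manifest served from a host outside that brand's domains.
  for (const [brand, domains] of Object.entries(KNOWN_BRANDS)) {
    if (name.includes(brand) && host && !domains.some((d) => hostWithin(host, d))) {
      findings.push(`name "${manifest.name}" references ${brand} but manifest is served from ${host}`);
    }
  }

  // start_url resolving to a different host than the manifest is unusual for a real app.
  const startHost = hostOf(manifest.start_url || '/', manifestUrl);
  if (host && startHost && startHost !== host) {
    findings.push(`start_url points at ${startHost}, not ${host}`);
  }

  // The hidden address bar alone is normal for legitimate PWAs; it only matters
  // in combination with an impersonation indicator.
  const impersonation = findings.length > (hidesAddressBar ? 1 : 0);
  return {
    host,
    hidesAddressBar,
    verdict: impersonation ? 'suspicious' : 'no impersonation indicators',
    findings,
  };
}

// Constructed samples: one mimicking the fake Microsoft login PWA described
// in the article, one ordinary app installed from its own domain.
const SAMPLE_PHISH = {
  name: 'Microsoft 365',
  short_name: 'M365',
  display: 'standalone',
  start_url: '/login/',
};
const SAMPLE_BENIGN = {
  name: 'Example Notes',
  display: 'standalone',
  start_url: '/',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeManifest(SAMPLE_PHISH, 'https://m365-login-secure.example/manifest.json'));
  console.log(analyzeManifest(SAMPLE_BENIGN, 'https://notes.example/manifest.json'));
}
```

Run it with `node` to see both verdicts. The point of the `impersonation` rule is that a hidden address bar is not evidence on its own (Twitter and Facebook install the same way); it becomes interesting only when the manifest also names a brand from a host that brand does not control, or points its `start_url` at a different host.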

PWA showing a fake Microsoft login form – Source: mr.d0x 

Protecting Yourself from PWA Phishing Attacks

To avoid falling victim to these attacks, exercise caution when prompted to install any application or PWA, especially from unfamiliar sources.

Here are some tips to stay safe: 

  1. Be wary of unsolicited prompts or links asking you to install apps or PWAs, even if they appear to be from a legitimate source. 
  2. Verify the legitimacy of any software or app before installing it, especially if it requires login credentials. 
  3. Do not trust an address bar shown inside an installed app window. An installed PWA runs without the browser's own address bar, so any URL bar you see there is part of the page and can say anything. To learn where the app really came from, use the app window's own menu to see the site it was installed from, or open the same page in a regular browser tab and read the real address bar there. 
  4. Keep your operating system, web browsers, and security software up-to-date to benefit from the latest security patches. 
  5. Enable two-factor or multi-factor authentication whenever possible to add an extra layer of security for your accounts. Note that a fake login form can also ask for, and relay, a one-time code, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which only work for the genuine site. 

Screenshot of a sample of 9 phishing pages targeting financial institutions discovered by Allure Security 

If you suspect you may have fallen victim to a PWA phishing attack, immediately change the passwords for any accounts potentially compromised and enable additional security measures like two-factor authentication. It’s also advisable to monitor your accounts for any suspicious activity and report the incident to the relevant authorities. 

While PWA phishing attacks may be more sophisticated, exercising caution and following best practices for online security can help protect you from falling victim to these scams. 

Additional information available at: