PWA Phishing Kits

| Attribute | Value |
|---|---|
| Type of Malware | Exploit Kit |
| Date of initial activity | 2024 |
| Associated Groups | Vermin (UAC-0020) |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of information Stolen | Login Credentials |
Overview
Progressive Web Apps (PWAs) represent a significant advancement in web technology, merging the functionality of traditional web applications with the user experience of native apps. PWAs, built with HTML, CSS, and JavaScript, offer a range of benefits, including offline capabilities, push notifications, and a seamless integration with the operating system. These features enhance user engagement by providing an app-like experience directly from the web browser. However, this seamless user experience also introduces new opportunities for malicious actors to exploit, particularly in the realm of phishing attacks.
The unique characteristics of PWAs—such as the ability to install them with their own icons and display notifications—can be leveraged to deceive users. Phishers can create convincing fake applications that mimic the appearance of legitimate services, tricking users into entering sensitive information. This manipulation of the user interface, coupled with the inherent trust users place in installed applications, makes PWAs a potent tool for phishing schemes. As we delve into the specifics of how PWAs can be weaponized for phishing, we’ll explore a practical attack scenario that demonstrates the potential risks associated with this technology.
Understanding the technical setup of a PWA is crucial for recognizing how these attacks unfold. A typical PWA requires several components, including a manifest file, a service worker, and HTML files. The manifest file defines metadata and icons for the application, while the service worker manages offline capabilities and background tasks. By manipulating these elements, attackers can create deceptive PWAs that appear legitimate to users. The attack scenario we will discuss illustrates how phishers can use these elements to mislead users into installing malicious applications and subsequently redirecting them to phishing sites designed to capture their credentials.
Targets
Individuals
How they operate
Crafting the Malicious PWA
Creating a phishing PWA begins with the foundational components of a legitimate Progressive Web App: a manifest file, a service worker, and the core HTML/CSS/JS files. The manifest file, which is a JSON configuration, provides metadata about the PWA, such as its name, icon, and start URL. In a phishing scenario, this file can be manipulated to disguise the app as a legitimate application, such as a popular online service or bank. The service worker script, which handles background tasks like caching and network requests, is also instrumental in maintaining the appearance of a genuine app. For phishing purposes, this script may be modified to ensure that the app operates seamlessly while redirecting users to a fraudulent page once the app is installed.
Phishing Execution Flow
The phishing attack begins when a victim interacts with a website controlled by an attacker. The site presents an option to install a PWA, often labeled with a convincing name like “Microsoft Login” or “Secure Login.” When the victim clicks the installation button, a browser prompt appears, requesting permission to install the app. This prompt, typically showing the app name and icon (which can be a reputable brand’s logo), encourages the user to proceed. After installation, the PWA is added to the user’s home screen with its own icon and appears to function as a legitimate application.
Upon launching the newly installed PWA, users are redirected to a phishing page that mimics a real login interface. The attacker leverages the PWA’s ability to manipulate the user interface to create a fake URL bar or overlay, further convincing the victim of the app’s authenticity. The real domain of the phishing page is often obscured, and the fake URL bar provides a false sense of security, making it less likely for users to scrutinize the URL closely. The combination of a familiar application name, a genuine-looking icon, and a deceptive URL bar heightens the effectiveness of the phishing attempt.
Exploiting PWA Capabilities
The PWA’s integration with the operating system enhances the phishing campaign’s credibility and effectiveness. Once installed, PWAs can operate in a standalone window, which eliminates the typical browser chrome and URL bar that users would normally use to verify a site’s legitimacy. This lack of traditional browser elements helps the phishing page blend more seamlessly into the user’s environment, making it harder to detect anomalies. Additionally, PWAs can utilize push notifications and background sync to maintain engagement with the user, even after initial installation, thus extending the window for potential phishing activities.
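As an added defender-side example (not code from the original profile or from the kit it describes), the following JavaScript triages a site's web app manifest for the traits the sections above describe: a brand-like name served from an unrelated origin, a display mode that removes the browser's URL bar, and a start_url or icons that resolve to a different host than the installing page. The brand allow-list, the origins and the sample manifest are constructed assumptions for illustration.

```javascript
// Added example (not from the original write-up): a defender-side triage
// check over a PWA manifest, flagging the traits described above: a brand-like
// name served from an unrelated origin, a display mode that hides the URL bar,
// and start_url or icons that resolve to another host. All inputs are constructed.

// Hypothetical allow-list: which hosts may legitimately ship a manifest whose
// name mentions a brand. A real deployment maintains its own list.
const BRAND_ORIGINS = {
  microsoft: ["login.microsoftonline.com", "www.microsoft.com"],
  google: ["accounts.google.com"],
  paypal: ["www.paypal.com"],
};

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch (_) { return null; }
}

// Returns a list of human-readable findings; an empty list means nothing suspicious.
function assessManifest(manifest, pageOrigin) {
  const findings = [];
  const pageHost = new URL(pageOrigin).hostname;
  const name = `${manifest.name || ""} ${manifest.short_name || ""}`.toLowerCase();

  // 1. Brand impersonation: the name mentions a brand but the origin is not that brand's.
  for (const [brand, hosts] of Object.entries(BRAND_ORIGINS)) {
    if (name.includes(brand) && !hosts.includes(pageHost)) {
      findings.push(`name mentions "${brand}" but served from ${pageHost}`);
    }
  }
  // 2. Display modes that drop the browser chrome, so no real URL bar is shown.
  if (["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push(`display=${manifest.display} hides the URL bar`);
  }
  // 3. start_url or icons pointing at a host other than the installing page.
  const startHost = hostOf(manifest.start_url || "/", pageOrigin);
  if (startHost && startHost !== pageHost) {
    findings.push(`start_url resolves to ${startHost}, not ${pageHost}`);
  }
  for (const icon of manifest.icons || []) {
    const iconHost = hostOf(icon.src, pageOrigin);
    if (iconHost && iconHost !== pageHost) {
      findings.push(`icon ${icon.src} loaded cross-origin from ${iconHost}`);
    }
  }
  return findings;
}

// Constructed sample manifest of the kind the profile describes (not a real kit artefact).
const SAMPLE_MANIFEST = { name: "Microsoft Login", display: "standalone",
  start_url: "https://collector.example/login", icons: [{ src: "https://cdn.example/ms.png", sizes: "192x192" }] };
```

Running `assessManifest(SAMPLE_MANIFEST, "https://phish.example")` yields four findings, while a manifest whose name, start_url and icons all belong to the serving origin and that uses `display: "browser"` yields none.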
MITRE Tactics and Techniques
Initial Access
Spearphishing Link (T1566.002): Attackers use malicious links in emails or other communications to lure victims into accessing the PWA. The PWA, once installed, can then be used to direct the user to a phishing page.
Execution
User Execution: Malicious File (T1204.002): The PWA is presented as a legitimate application to the user, prompting them to install it. The installation process involves a deceptive setup that ultimately leads to a phishing page.
Command and Scripting Interpreter: JavaScript (T1059.007): Malicious JavaScript may be used within the PWA to execute phishing scripts or manipulate the user interface to resemble legitimate login pages.
Collection
Data from Local System (T1005): If the PWA is designed to collect data from the user’s system, it might use background scripts to gather information.
Exfiltration
Exfiltration Over Alternative Protocol (T1048): Data collected through the phishing page might be exfiltrated using non-standard protocols or methods, including those built into the PWA’s functionality.