Cybercriminals exploit Progressive Web Apps (PWAs) in the latest phishing scam, targeting mobile users in Czechia, Hungary, and Georgia. Learn how to protect yourself from these stealthy threats and safeguard your sensitive data.
Cybersecurity firm ESET has discovered a new wave of phishing campaigns exploiting Progressive Web Applications (PWAs), active since November 2023. Reportedly, threat actors have come up with a novel phishing technique that leverages PWAs to deceive unsuspecting victims.
For your information, PWAs are web applications designed to offer a near-native app experience on mobile devices. Users can install them on their home screens and launch them just like regular apps. ESET reports that threat actors are capitalizing on the cross-platform nature of PWAs to target both iOS and Android users with a single phishing application.
The campaign typically starts with a phishing link delivered via SMS, social media malvertising, or automated voice calls, urging users to click for security updates or exclusive offers. Clicking the link leads to a website that mimics the official app store or the targeted bank’s website, where users are prompted to “install” a new version of the app.
Once installed, the malicious PWA masquerades as a legitimate banking app, prompting users to enter their login credentials. This sensitive information is then exfiltrated to the attacker’s servers, putting users’ financial accounts at risk.
Unlike a traditional app download, installing a PWA doesn’t trigger any security warnings, because a PWA is essentially a website presented as an app. This silent installation is particularly concerning for iOS users, who are accustomed to a more tightly controlled app installation process.
The scheme can be even more deceptive on Android devices. Attackers may leverage WebAPKs, a technology that allows Chrome to generate a native-looking app from a PWA. This further strengthens the illusion of a legitimate app, as the installed WebAPK doesn’t bear the telltale browser logo on its icon.
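The install flow described above rests on a web app manifest: the JSON file a site serves so the browser can add it to the home screen with a name, icon and start URL. As an added example that is not from ESET’s report or this article, the following Python check inspects such a manifest from a defender’s side, flagging the pattern the campaign relies on: a manifest carrying a bank’s brand name but served from a domain the bank does not own, a start_url pointing somewhere other than the installing page, and a display mode that hides the address bar once installed. The brand allow-list, domain names and sample manifests are all constructed for the example; a real deployment would populate the allow-list from the bank’s own domains and use the Public Suffix List for domain matching.

```python
import json
from urllib.parse import urljoin, urlparse

# Hypothetical allow-list for this example: a lowercase brand token mapped to the
# registrable domains that may legitimately serve an app carrying that name.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.example"},
}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Real deployments should consult the Public Suffix List instead,
    since hosts such as 'bank.co.uk' need three labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_manifest(manifest_json: str, page_url: str) -> list:
    """Inspect a web app manifest served from page_url and return a list of
    findings; an empty list means nothing matched the phishing pattern."""
    manifest = json.loads(manifest_json)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []

    # Brand name in the manifest while the page comes from a domain the brand does not own.
    compact_names = [
        str(manifest.get(key, "")).lower().replace(" ", "")
        for key in ("name", "short_name")
    ]
    for brand, domains in KNOWN_BRANDS.items():
        if any(brand in n for n in compact_names) and registrable_domain(page_host) not in domains:
            findings.append(f"name impersonates '{brand}' but page is served from {page_host}")

    # start_url is resolved relative to the page; a different host means the
    # installed "app" opens somewhere other than the site the user was shown.
    start_url = urljoin(page_url, manifest.get("start_url", "/"))
    start_host = (urlparse(start_url).hostname or "").lower()
    if start_host != page_host:
        findings.append(f"start_url opens {start_host}, not the installing page's host {page_host}")

    # Standalone/fullscreen display hides the address bar; normal for a genuine app,
    # but it removes the user's only visible URL cue when combined with the above.
    if findings and manifest.get("display") in ("standalone", "fullscreen"):
        findings.append(f"display={manifest['display']} hides the browser address bar after install")
    return findings


# Constructed sample: a lookalike domain offering an "updated" banking app as a PWA.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "Example Bank Update",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
})
SUSPICIOUS_PAGE = "https://examplebank-update.example.net/install"

# Constructed sample: the same brand served from a domain on the allow-list.
LEGIT_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/app/",
    "display": "standalone",
})
LEGIT_PAGE = "https://app.examplebank.example/"

if __name__ == "__main__":
    for label, manifest, page in (
        ("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_PAGE),
        ("legitimate", LEGIT_MANIFEST, LEGIT_PAGE),
    ):
        print(label, analyse_manifest(manifest, page) or "no findings")
```

The check is deliberately origin-based rather than content-based: the phishing page’s HTML and icons copy the real app, so the only signals that reliably differ are where the manifest is served from and where its start_url leads. It also fires only on the combination of brand name and foreign domain, so a bank’s own staging or regional domains can be added to the allow-list without suppressing the detection elsewhere.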
ESET researchers have observed multiple phishing campaigns targeting users in Czechia, Hungary, and Georgia. These campaigns utilized both PWA and WebAPK-based attacks to steal sensitive information.
A significant number of phishing attempts were directed at clients of Czech banks, with attackers using social media ads to distribute malicious links. In Hungary, attackers targeted customers of OTP Bank, and a PWA-based phishing attack targeting a bank was observed in Georgia. ESET Research promptly informed the affected banks and assisted in the takedown of multiple phishing domains and C&C servers.
A dangerous scam targeting @Ceskasporitelna customers.
An automated call warns that the George app is out of date, and after you press button one it sends a URL linking to the “updated” version.
It visually simulates an installation and then suggests saving a link to the fake web app on the home screen… pic.twitter.com/KM6jsndsoI
— Michal Bláha (@michalblaha) January 9, 2024
Further analysis revealed two distinct phishing campaigns, each utilizing a different C&C server infrastructure. This indicates the presence of multiple threat actors exploiting this novel phishing method.
“Because two drastically different C&C infrastructures were employed, we have determined that two different groups are responsible for the spread of the phishing apps,” ESET researchers noted in their report.
To protect yourself from cybercriminals, avoid unexpected links, download apps from official stores, verify website authenticity, use strong passwords and two-factor authentication (2FA) for financial accounts, and regularly update devices and software.