Using a Progressive Web Application (PWA), a clever phishing campaign seeks to obtain Czech mobile users’ banking account credentials.
A creative phishing attack is aiming to obtain the banking account credentials of Czech mobile users by using a Progressive Web Application (PWA). The Slovak cybersecurity firm ESET claims that the attacks have targeted the Hungarian OTP Bank, the Georgian TBC Bank, and the Czech bank Československá obchodní banka (CSOB). “The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android, the PWA is installed after confirming custom pop-ups in the browser,” said Jakub Osmani, a security researcher. “At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic.”
This approach is noteworthy because it tricks users into installing a PWA—or, on Android, a WebAPK—from a third-party website without requiring them to explicitly consent to sideloading. The campaigns are being carried out by two distinct threat actors, according to an examination of the backend infrastructure and the command-and-control (C2) servers that were used. The phishing websites are distributed through automated phone calls, text messages, and social media malvertising on Facebook and Instagram. In the automated calls, victims are told that their banking software is outdated and prompted to choose a numerical option, after which the phishing URL is delivered.
Upon clicking the link, users are redirected to a website that seems to be a copy of the Google Play Store listing for the banking app in question, or it may be a lookalike listing. This ultimately results in the “installation” of the PWA or WebAPK app under the pretense of an app update. “This crucial installation step bypasses traditional browser warnings of ‘installing unknown apps’: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers,” Osmani said. “Furthermore, installing a WebAPK does not produce any of the ‘installation from an untrusted source’ warnings.”
There are instructions for adding the fake PWA app to the home screen for users of Apple iOS devices. The campaign’s ultimate objective is to obtain the banking credentials typed into the app and transfer them to a Telegram group chat or a C2 server under the control of the attacker. ESET said it documented the first phishing-via-PWA case in early November 2023, with further waves discovered in March and May 2024. In July 2023, the technique was seen for the first time.
The revelation coincides with the discovery by cybersecurity researchers of a fresh iteration of the Gigabud Android malware, which propagates through phishing websites posing as the Google Play Store or as other banks or governmental organizations. “The malware has various capabilities, such as the collection of data about the infected device, the exfiltration of banking credentials, the collection of screen recordings, etc.,” Broadcom-owned Symantec stated. It also follows the finding that a threat actor called DukeEugene was behind 24 separate control panels for several Android banking trojans, including ERMAC, BlackRock, Hook, Loot, and Pegasus (not to be confused with the same-named spyware from NSO Group).