Using a web browser feature, a security researcher has uncovered a new phishing method that could let attackers pass off malicious login forms as desktop applications. Google Chrome, Microsoft Edge, Brave, and other Chromium-based web browsers all support the feature in question, known as Application Mode. Threat actors may use Chrome's Application Mode to display locally launched login forms that look like desktop apps, making it easier to steal passwords.
Earlier this year, researcher mr.d0x, who also devised the Browser-in-the-Browser attack, showed how Chrome's app mode might be used in phishing attacks. It can produce authentic-looking login windows that are hard to distinguish from a genuine login prompt. Because desktop programs are generally harder to fake than browser windows, users tend to treat them with less suspicion than they do browser windows, which are the more common vehicle for phishing.
Chrome's application mode lets web developers give web apps a native desktop look, whether on ChromeOS or for users who prefer a simple, uncluttered window when viewing a site such as YouTube. In app mode a website opens in a separate window with no URL address bar, browser toolbars, or similar chrome, and the Windows Taskbar shows the website's favicon rather than Chrome's icon. Because a user may not realise they have launched a browser window rather than a native app, threat actors could build fake desktop login forms that make for convincing phishing attempts.
Application Mode is intended to provide a native-like experience by launching the website in a separate browser window, showing its favicon, and hiding the address bar. The app argument is pointed at the attacker-controlled site hosting the page, so the phishing page opens with no real address bar; the page itself then renders a fake one at the top. Security researcher mr.d0x notes that a bad actor can use HTML/CSS trickery to display this false address bar and deceive users into entering their credentials on malicious login forms.
In addition, the attacker-controlled phishing site can use JavaScript for other tasks, such as closing the window as soon as the victim enters their credentials, or resizing and positioning it to achieve the desired appearance. It is worth noting that the method also works on Linux and macOS, making it a potential cross-platform threat. The attack does depend, however, on the attacker already having some access to the target's computer, since the browser has to be launched in app mode with the attacker's URL.
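Since the attack hinges on a Chromium browser being started with the app argument pointing at an attacker-controlled URL, one defensive check is to review process-creation telemetry for such launches. The following added example, which is not code from the article or from mr.d0x, parses constructed Windows command lines (of the kind found in a Sysmon Event ID 1 CommandLine field), extracts any `--app=` target, and flags targets that are not HTTP(S) or whose host is not on a hypothetical allowlist; the allowlist hosts and sample paths are assumptions.

```python
import re
from urllib.parse import urlparse

# Chromium-based browsers that honour the --app= switch (Chrome, Edge and Brave, as on the page).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
ALLOWED_APP_HOSTS = {"mail.example.com", "intranet.example.com"}  # hypothetical allowlist
# Split a Windows command line into tokens, keeping quoted paths with spaces intact.
TOKEN = re.compile(r'"[^"]*"|\S+')
APP_SWITCH = re.compile(r"^--app=(.+)$", re.IGNORECASE)

def parse_app_launch(command_line):
    """Return (browser_exe, url) when a Chromium browser is started with --app=, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(command_line)]
    exe = (tokens[0] if tokens else "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in CHROMIUM_BROWSERS:
        return None
    for tok in tokens[1:]:
        m = APP_SWITCH.match(tok)
        if m:
            return exe, m.group(1).strip('"')
    return None

def assess_app_launch(command_line, allowed_hosts=ALLOWED_APP_HOSTS):
    """Classify an app-mode launch as 'allowed' or 'suspicious'; None if it is not app mode."""
    launch = parse_app_launch(command_line)
    if launch is None:
        return None
    exe, url = launch
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        return ("suspicious", exe, url, "non-HTTP(S) --app target (local file or data URL)")
    host = (parsed.hostname or "").lower()
    if host in allowed_hosts:
        return ("allowed", exe, url, "host on allowlist")
    return ("suspicious", exe, url, "host not on allowlist")

def scan_command_lines(command_lines, allowed_hosts=ALLOWED_APP_HOSTS):
    """Return only the suspicious app-mode launches found in a batch of command lines."""
    results = (assess_app_launch(c, allowed_hosts) for c in command_lines)
    return [r for r in results if r is not None and r[0] == "suspicious"]

# Constructed sample process command lines (as a Sysmon Event ID 1 CommandLine field); not real telemetry.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://mail.example.com/',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://accounts-portal.example.net/login --window-size=1000,700',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=file:///C:/Users/Public/login.html',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com/',
]
if __name__ == "__main__":
    print(scan_command_lines(SAMPLE_COMMAND_LINES))
```

On the constructed samples, only the two launches that point at an unlisted host and at a local file are reported; the allowlisted host and the ordinary non-app-mode launch are not.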
Google Safe Browsing offers a defense against malicious files and untrustworthy websites. Users should bear in mind that running any file supplied by an attacker can be risky. Although Safe Browsing is enabled by default in Chrome, users may also wish to turn on Enhanced protection, which checks downloads more thoroughly and gives better warnings when a file may be dangerous.
Always avoid visiting websites you don’t entirely trust, get a reliable antivirus program for added protection, and only enable Application Mode in your browser when necessary.