Threat actors have abused the "app mode" feature of Chrome-based web browsers to display fake login forms that look like desktop applications, allowing them to steal credentials from victims more easily.
All Chromium-based browsers, including Google Chrome, Brave, and Microsoft Edge, offer an "application mode" that opens a website in its own window so it can be viewed and used as if it were a native application. Attackers have found a way to abuse this feature for phishing attacks against unsuspecting users.
Because app mode presents a website in a stripped-down interface, attackers can use it to hide malicious links and the obvious signs of fraud that a user would normally look for.
Once a website is opened in app mode, its window shows no URL address bar, browser toolbars, or other typical browser controls; instead it presents the clean, minimal window that users who prefer a tidy desktop UI expect. Without an address bar, the victim has no easy way to see which domain they are actually typing their credentials into.
Because of this, phishing operators have begun building fake desktop login forms and serving them in app-mode windows to catch users who are not careful about their browsing security. In this campaign, the operators lure victims into running a Windows shortcut file that launches the phishing link using the app mode feature.
Since Microsoft Edge ships pre-installed on Windows, attackers can easily distribute Windows shortcut files that launch that browser with the app-mode switch; the same shortcut files can also be used to deliver malware to the targeted victim.
One obstacle for attackers is that the scheme requires some form of initial access to the user's computer in order to place or run the shortcut. Observations show that attackers can meet this requirement with a portable HTML file that embeds the "-app" parameter to redirect users to the phishing site and to spread malware-laden files.
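One way a defender can hunt for this delivery technique is to inspect process-creation telemetry for Chromium browsers launched with the app-mode switch and compare the target host against the web apps the organisation actually deploys. The following is an added example, not code from the original article or from the researchers it describes; the Sysmon-style event records, the browser allowlist and the function names are all constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation records (not real telemetry).
# Event 0 and 3 model the phishing launch described above; 1 is a legitimate
# web-app launch; 2 is an ordinary browser start with no app-mode switch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://login.example-phish.test/office',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://teams.microsoft.com/',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe",
     "CommandLine": r"brave.exe -app=http://10.0.0.5/vpn/login.html",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Chromium on Windows accepts "--", "-" and "/" as switch prefixes, so all
# three spellings of the app-mode switch are matched. The URL may be quoted.
APP_FLAG = re.compile(r'(?:^|\s)(?:--|-|/)app=(?P<url>"[^"]*"|\S+)', re.IGNORECASE)

# Hypothetical allowlist: hosts the organisation genuinely installs as web apps.
ALLOWED_APP_HOSTS = {"teams.microsoft.com", "outlook.office.com"}


def extract_app_url(command_line):
    """Return the URL passed to the app-mode switch, or None if absent."""
    m = APP_FLAG.search(command_line)
    if not m:
        return None
    return m.group("url").strip('"')


def classify(event, allowed_hosts=ALLOWED_APP_HOSTS):
    """Return a finding dict for a Chromium app-mode launch, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BINARIES:
        return None
    url = extract_app_url(event["CommandLine"])
    if url is None:
        return None
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()

    reasons = []
    if host not in allowed_hosts:
        reasons.append("app-mode host not on allowlist")
    if parsed.scheme == "http":
        reasons.append("plain-http app URL")
    # A shortcut double-clicked in Explorer still has explorer.exe as parent,
    # so the parent alone cannot separate a phishing .lnk from a normal launch;
    # a script or shell parent is an additional signal, not the primary one.
    if parent != "explorer.exe":
        reasons.append("launched by " + parent)

    return {
        "binary": image,
        "url": url,
        "host": host,
        "parent": parent,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan(events):
    """Return findings for every event judged suspicious."""
    findings = []
    for ev in events:
        result = classify(ev)
        if result and result["suspicious"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["binary"], f["url"], "->", "; ".join(f["reasons"]))
```

The allowlist is the load-bearing check: app-mode launches are rare outside deliberately installed web apps, so any unknown host reached through the switch is worth a look, and the switch is cheap to match across EDR, Sysmon Event ID 1 or any other source that records full command lines.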
In other cases, attackers have combined this with the "Browser-in-the-Browser" (BitB) technique, using HTML and CSS to draw a fake address bar inside the app-mode window and imitate desktop login prompts for Microsoft 365, Microsoft Teams, VPN clients, and other software. macOS and Linux are equally exposed if the attacker uses the equivalent launch commands for those operating systems.