Chromium is a popular open-source web browser by Google. Because it is so popular, Chromium has caught the attention of cyber criminals, who are using a new phishing technique to exploit the 'app mode' in the browser. According to a Business Wire report, around 62% of IT enterprises suffered browser-based attacks over the past 12 months. Since web browsers have become an integral business tool, cybercriminals find them an excellent gateway to deploy phishing campaigns.
Phishing is a social engineering attack used to steal sensitive data, credit card details, and login credentials. The attacker masquerades as a trusted entity and induces the target to open a phishing email or click a link sent through a messaging app. The link redirects the victim to a fake web page that looks legitimate, and as the victim enters details such as a username or password, the attacker captures the credentials on the other side. Typically, phishing is delivered by text message, email or phone, but cybercriminals keep finding new ways to steal valuable data.
In the Chromium browser, application mode (app mode) provides a native-like experience by launching a website in a separate browser window. In app mode, the website's favicon and the address bar remain hidden. According to Mr. D0x, who devised the browser-in-the-browser (BiTB) attack, cybercriminals can leverage HTML and CSS to trick the victim by displaying a fake address bar. It is a new phishing technique with which cybercriminals can steal victims' credentials. Mr. D0x added, "Although this technique is more towards internal phishing, you can technically still use it in an external phishing scenario. You can deliver these fake applications independently as files."
App mode is available in browsers such as Brave, Google Chrome, and Microsoft Edge. It generates realistic login screens that are hard for victims to distinguish from legitimate ones. Because desktop applications are assumed to be hard to spoof, users exercise less caution while using them, and cybercriminals abuse that trust for phishing. The technique is attractive to attackers because an app-mode window displays no browser toolbar or URL, which makes it an effective, hard-to-spot phishing page.
To execute an attack using the app mode technique, the attacker must convince the user to run a Windows shortcut that opens the phishing URL in Chromium app mode. Since Microsoft started disabling macros in its products, attackers have shifted to phishing campaigns that deliver Windows shortcuts (.LNK) inside emailed ISO files to distribute malware.
This malware-based approach is noisy, however, because anti-malware and other security products can readily detect it. As an alternative, attackers came up with this browser-based attack, which is less likely to be noticed by anti-malware programs. Mr. D0x described how an attacker can create a shortcut that launches the browser in app mode with a phishing page on the target system.
# For Google Chrome
"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://www.karlos.com
# For Microsoft Edge
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://www.karlos.com
Here, www.karlos.com stands for the attacker's fake website, which is what the entire window will display. On top of that, the attacker's phishing site can use JavaScript for further tricks, such as closing the window as soon as the victim submits credentials or resizing and repositioning the window. Note that the technique works just as well on other operating systems such as Linux and macOS.
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --app=https://www.karlos.com
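From the defender's side, the launch commands above leave a clear trace: a browser process started with the --app= switch. The following Python is an added example (not from the article or from Mr. D0x) that flags such launches when the app-mode URL points at a host outside an assumed allowlist; the events are constructed in the shape of Sysmon process-creation fields, and the allowlist host is hypothetical.

```python
import re
from urllib.parse import urlparse

# Browser images that honour the --app= switch (Chrome, Edge and Brave are
# named on the page; "Google Chrome" is the macOS binary name shown above).
APP_MODE_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "google chrome"}
# Hypothetical allowlist of hosts the organisation approved for app-mode use.
ALLOWED_APP_HOSTS = {"mail.example.com"}
# Captures a quoted or bare value after --app=
APP_SWITCH = re.compile(r'--app=("[^"]*"|\S+)')


def app_mode_url(command_line: str):
    """Return the URL passed to --app=, or None if the switch is absent."""
    match = APP_SWITCH.search(command_line)
    return match.group(1).strip('"') if match else None


def classify(event: dict) -> str:
    """Classify one process-creation event: 'ignore', 'allowed' or 'suspicious'."""
    image = re.split(r"[\\/]", event["Image"])[-1].lower()
    if image not in APP_MODE_BROWSERS:
        return "ignore"
    url = app_mode_url(event["CommandLine"])
    if url is None:
        return "ignore"          # ordinary browser launch, no app-mode window
    host = (urlparse(url).hostname or "").lower()
    return "allowed" if host in ALLOWED_APP_HOSTS else "suspicious"


def scan(events):
    """Return (event, url) pairs for app-mode launches toward unapproved hosts."""
    return [(e, app_mode_url(e["CommandLine"])) for e in events
            if classify(e) == "suspicious"]


# Constructed sample events (Sysmon Event ID 1 style fields, not real telemetry).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"Image": CHROME, "CommandLine": f'"{CHROME}" --app=https://www.karlos.com',
     "ParentImage": r"C:\Windows\explorer.exe"},   # shortcut double-clicked by user
    {"Image": EDGE, "CommandLine": f'"{EDGE}" --app=https://mail.example.com',
     "ParentImage": r"C:\Windows\explorer.exe"},   # approved internal web app
    {"Image": CHROME, "CommandLine": f'"{CHROME}" https://www.example.org',
     "ParentImage": r"C:\Windows\explorer.exe"},   # normal browsing, ignored
]

if __name__ == "__main__":
    for event, url in scan(SAMPLE_EVENTS):
        print(f"suspicious app-mode launch: {url} (parent {event['ParentImage']})")
```

A parent of explorer.exe is consistent with a double-clicked shortcut but not conclusive on its own, so the allowlist check is what carries the alert.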
Here is a list of approaches enterprises and individuals can take to defend against phishing.
Every user should enable multi-factor authentication, through biometric or OTP-based login, in addition to an email ID and password.
Enterprises should enable adaptive authentication on corporate email accounts. This way, a login from an unfamiliar browser or geolocation must pass an added layer of authentication to prove its legitimacy.
Although "Safe Browsing" is enabled by default in most browsers, individuals and employees should also turn on "enhanced protection," which inspects downloads and visited pages so it can warn users about deceptive files and web pages.
Enterprises can also implement browser isolation, which moves browsing activity and its associated privileges away from endpoints and the corporate network.
Enterprises should patch browsers regularly and verify the URL before entering login credentials, especially in app-mode windows, where the address bar is hidden.
Enterprises can contact security experts like Packetlabs for guidance on tackling the latest phishing techniques and threats.
Phishing through browsers has become common. Using app mode in Chromium, attackers can steal sensitive data and cause both data and financial losses. Enterprises and users should take the measures above to counter such attacks.
© 2024 Packetlabs. All rights reserved.