
Phishing - PWA

Authors
  • Mario Ritter

Introduction about phishing

Phishing is one of the most common and dangerous forms of cyber attack. Attackers use various techniques to trick users into handing over sensitive information such as login credentials, credit card numbers or other personal data. Phishing attacks usually arrive as emails, text messages or fake websites that mimic legitimate services. The attacker builds an illusion of trustworthiness and adds a sense of urgency, so that the victim acts before thinking.

Modern phishing attacks are becoming increasingly sophisticated, using new technologies and platforms to deceive users. One such technology that is coming to the forefront is Progressive Web Applications (PWAs).

What is a PWA

Progressive Web Apps (PWAs) are web applications that provide a user experience similar to native mobile apps. They can be installed directly from the web browser onto the device, and once installed they can work offline, send notifications and run background tasks through a service worker. PWAs combine the reach of websites with the feel of mobile apps, which makes them attractive to developers and users alike.

One of the key features of a PWA is that installation creates a shortcut on the desktop or home screen that opens the app in its own window, without the browser's tabs and address bar. Exactly this feature is what makes PWAs useful for phishing. Because an installed PWA looks and behaves like a regular application, the victim never sees which origin the window is actually displaying, and the page is free to draw its own fake address bar in its content. An attacker can therefore build a fake app that mimics a legitimate service and trick users into entering their credentials.

Creation and deployment procedure

Basically, all we had to do was modify the great project by mrd0x from https://mrd0x.com/progressive-web-apps-pwa-phishing/, so all respect goes to the author of that project. It provides the basic structure and code for a PWA that can be customized for phishing purposes: a web app manifest that defines how the application behaves after installation (its name, icon and, most importantly, its display mode), and a user interface that looks like a legitimate Windows login page.

Our modifications were limited to the appearance and functionality of the PWA. The application was then deployed to a publicly reachable web server. One practical requirement: browsers only offer to install a PWA from a secure context, so the page, the manifest and the service worker have to be served over HTTPS with a valid certificate, otherwise no install prompt appears.

The attack itself

Next, simply send a phishing email with a link to the PWA. The email contains a message that creates urgency, for example "Your account has been suspended, click here to log back in". Once the victim clicks the link, they land on the fake login page, which prompts them to install it as a PWA on their device. The install prompt is browser UI that the page cannot forge and is usually the last place where the real origin is visible, which is why the attacker's domain name still has to look plausible.

Once installed, the PWA opens in its own window with no address bar and behaves like a legitimate application, which lowers the user's suspicion. When the user submits the login form, the credentials are sent directly to the attacker's server while the user is shown a fake page or an error message.
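The manifest described in the deployment section and the standalone window described above are what a defender can look for. The following is an added example, not code from this post or from mrd0x's project: a small Node.js triage script that parses the web app manifest of a suspected site, flags display modes that remove the browser's address bar, and flags a brand name in the app title that does not match the origin the app would start from. The two manifests and all hostnames are constructed placeholders, and the brand allow-list is a hypothetical assumption.

```javascript
// Added example, not part of the original post or of mrd0x's project:
// triage of a web app manifest pulled from a suspected PWA phishing site.
// Runs under Node.js with no network access. The manifests below are
// CONSTRUCTED for illustration and modelled on what the post describes
// (a login page that installs as a standalone app); hostnames are placeholders.

// Display modes in which the installed window has no browser address bar,
// so the page is free to paint a fake one. Only "browser" keeps the real URL visible.
const CHROMELESS_DISPLAY_MODES = new Set(['standalone', 'fullscreen', 'minimal-ui']);

// Assumed allow-list (hypothetical values): origins that may legitimately ship
// a manifest whose name carries a given brand keyword.
const BRAND_ORIGINS = {
  examplecorp: ['login.examplecorp.example', 'account.examplecorp.example'],
};

// Modes the browser may actually use after install. display_override entries
// take precedence over display, so both fields have to be inspected.
function effectiveDisplayModes(manifest) {
  const modes = Array.isArray(manifest.display_override) ? [...manifest.display_override] : [];
  modes.push(manifest.display || 'browser'); // the spec default is "browser"
  return modes;
}

// Returns the findings for one manifest. manifestUrl is where the manifest was
// fetched from; start_url is resolved against it the way a browser would.
function triageManifest(manifestText, manifestUrl) {
  const manifest = JSON.parse(manifestText);
  const findings = [];

  const chromeless = effectiveDisplayModes(manifest).filter((m) => CHROMELESS_DISPLAY_MODES.has(m));
  if (chromeless.length > 0) {
    findings.push(`display mode ${chromeless.join('/')} hides the browser address bar after install`);
  }

  const startUrl = new URL(manifest.start_url || '.', manifestUrl);
  const label = `${manifest.name || ''} ${manifest.short_name || ''}`.toLowerCase();
  for (const [brand, origins] of Object.entries(BRAND_ORIGINS)) {
    if (label.includes(brand) && !origins.includes(startUrl.hostname)) {
      findings.push(`app name mentions "${brand}" but start_url host is ${startUrl.hostname}`);
    }
  }

  return { startUrl: startUrl.href, findings, suspicious: findings.length > 0 };
}

// Constructed sample: the kind of manifest a phishing PWA like the one in the post would ship.
const PHISHING_MANIFEST = JSON.stringify({
  name: 'ExampleCorp Sign in',
  short_name: 'Sign in',
  start_url: '/login/',
  display: 'standalone',
  theme_color: '#ffffff',
  icons: [{ src: '/icons/logo-192.png', sizes: '192x192', type: 'image/png' }],
});
const PHISHING_MANIFEST_URL = 'https://examplecorp-account-verify.example/manifest.json';

// Constructed control: the brand's own manifest on its own origin, opening in a normal tab.
const BENIGN_MANIFEST = JSON.stringify({
  name: 'ExampleCorp Sign in',
  start_url: '/',
  display: 'browser',
});
const BENIGN_MANIFEST_URL = 'https://login.examplecorp.example/manifest.json';

// Stand-alone run: print the verdict for both samples.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [text, url] of [[PHISHING_MANIFEST, PHISHING_MANIFEST_URL], [BENIGN_MANIFEST, BENIGN_MANIFEST_URL]]) {
    const result = triageManifest(text, url);
    console.log(url, result.suspicious ? 'SUSPICIOUS' : 'ok');
    for (const f of result.findings) console.log('  -', f);
  }
}
```

In a real pipeline the manifest text would come from the `<link rel="manifest">` of the page a phishing URL resolves to; the display-mode check alone is not proof of phishing, since legitimate apps also use standalone mode, but combined with a brand name on a foreign origin it is a strong signal.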

Video

Video description

In the video you can watch the whole process in practice: opening the link, installing the application, filling in the login credentials, submitting them, and finally seeing them arrive on the attacker's side. The video shows how easily victims can be tricked by PWA phishing and how important it is to be cautious when clicking links and installing apps from unknown sources, on desktop as well as on mobile devices.

Statement

The goal of this article and video is not only to demonstrate the potential misuse of technologies such as Progressive Web Applications (PWAs), but also to emphasize that no technology is 100% secure. It is essential to use common sense and to keep weighing the risks of any software or system you use.

Disclaimer: Unauthorized tampering with someone else's system is illegal and punishable. All hacking activities should only be carried out with the express permission of the system owner and in accordance with applicable laws. This article does not serve as a guide for illegal activities, but as a warning and educational material to improve security and awareness of the threats associated with phishing attacks using PWA technologies.

Stay Kawaii and Hack the Planet!

       /\_/\
      ( o.o )
       > ^ <

Due to lack of time, translated via DeepL AI. sooooory :((