Cyber: Fake Google security site uses PWA app to steal credentials, MFA codes
A phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims’ browsers.
The attack leverages Progressive Web App (PWA) features and social engineering to deceive users into believing they are interacting with a legitimate Google Security web page and inadvertently installing the malware.
PWAs run in the browser, but they can be installed from a website and launched like a regular standalone application: the app opens in its own window with no visible browser controls, so the user never sees the address bar or the domain being loaded.
The campaign relies on social engineering to obtain the necessary permissions from the user under the guise of a security check that will increase protection for the device.
The cybercriminals use the domain google-prism[.]com, which poses as a legitimate security-related service from Google, showing a four-step setup process that includes giving risky permissions and installing a malicious PWA app. In some instances, the site will also promote a companion Android app to "protect" contacts.
According to researchers at cybersecurity company Malwarebytes, the PWA app can exfiltrate contacts, real-time GPS data, and clipboard contents.
Additional functionality observed includes acting as a network proxy and internal port scanner, which allows the attacker to route requests through the victim’s browser and identify live hosts on the network.
The website also requests permission to read text and images copied to the clipboard; the browser only grants such reads while the app's window is open and focused.
However, the site also asks for permission to show notifications, which lets the attacker push alerts and new tasks to the device or trigger data exfiltration.
Additionally, the malware uses the WebOTP API on browsers that support it in an attempt to read incoming SMS verification codes, and it polls the attacker's /api/heartbeat endpoint every 30 seconds for new commands. Note that WebOTP only surfaces messages written in the origin-bound format, whose final line names the requesting site (for example "@google-prism.com #123456"), so the browser will not hand over a code from an SMS addressed to a different domain.
Source: BleepingComputer