Researchers have found that Google Chrome's Application Mode can be abused for phishing threats.
Used to offer ChromeOS users a clean, minimal interface for certain websites such as YouTube, when launched, Application Mode brings up a new browser window without the address bar, toolbars, or other familiar elements – even the taskbar displays the website favicon instead of the Chrome icon.
But this mode can be abused, cybersecurity researcher mr.d0x discovered. If an attacker manages to convince a user to run a Windows shortcut that runs a phishing URL with Chromium’s Application Mode feature, the user will only see what seems to be the login form for an app. In reality, though, it would be a phishing page that steals (opens in new tab) people’s login data.
Shortcut files
Ever since Microsoft moved to kill malicious Office files, cybercriminals have been pivoting towards Windows shortcut files (.LNK).
Cybersecurity experts have since uncovered countless attack campaigns that successfully leveraged .LNK files to deliver all kinds of viruses and malware, from QBot, to BazarLoader, to anything in between.
Explaining this new potential method, mr.d0x says an attacker could use a shortcut file to launch a phishing “applet” on the victim’s endpoint:
- For Chrome:
“C:Program FilesGoogleChromeApplicationchrome.exe” –app=https://example.com - For Microsoft Edge
“c:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe” –app=https://example.com
There are multiple ways to abuse this flaw, mr.d0x added, including having access to the target device, using a portable HTML file with the “-app” parameter embedded, or using the Browser-in-the-Browser technique to add a fake address bar. Finally, the attack can also be pulled off on macOS and Linux devices, he said.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba