New Phishing Method to Empty Bank Accounts – How It Works

ESET’s Cybersecurity Research Center has discovered an unusual phishing campaign targeting mobile users and analyzed a phishing incident targeting customers of a well-known Czech bank.

The phishing campaign and method is only possible because of PWAs technology.

This method needs to be careful as it installs the phishing app from a third-party website without the user giving permission to install third-party apps.

On Android, this can lead to the “silent” installation of a special APK file, which is actually presented as having been installed from Google Play. The campaign also targeted iPhone (iOS) users.

Phishing sites targeting iOS software invite victims to add a progressive web app (PWA) to their home screen, while on Android, the PWA is installed after confirming browser pop-ups.

At this point, on both operating systems, phishing apps closely resemble the real banking apps they mimic.

PWAs are essentially web pages that look and feel like standalone applications, with that feel enhanced by the use of system commands.

PWAs are cross-platform, which explains how these campaigns target both iOS and Android users. The new technique was spotted in the Czech Republic by ESET researchers working on the ESET Brand Intelligence Service, which monitors threats against client brands.

How it works

The phishing campaign uncovered by ESET researchers used three different mechanisms to distribute URLs. These mechanisms include automated voice calls, SMS messages, and malicious social media ads.

In one case, the URL is distributed via an automated call alerting the user to a banking app that needs to be updated and prompting them to press a key on their keyboard. After pressing the correct key, the phishing URL is sent via SMS.

The SMS messages were distributed by sending messages randomly to phone numbers in the Czech Republic. The message sent included a phishing URL and text to trick victims.

The malicious campaign was also spread through ads on Meta platforms like Instagram and Facebook. These ads included some limited offers for users to “download the next update.”

After opening the URL delivered in the first stage, Android users are either redirected to a phishing page that mimics the official Google Play Store page of a particular banking app, or a fake webpage for that app. From there, victims are asked to install a “new version” of the banking app.

PWAs Technology

Phishing campaigns and phishing methods can only be executed thanks to Progressive Web Apps (PWA) technology. In short, these are applications built using traditional web app technologies and can run on multiple platforms and devices.

WebAPKs can be considered an enhanced version of Progressive Web Apps (PWAs), where Chrome creates an Android app from a PWA: in other words, an APK. These WebAPKs look like regular apps. Additionally, installing a WebAPK does not trigger any “installation from untrusted source” warnings. The app will be installed even if installation from third-party sources is not allowed.

One team used a Telegram bot to capture all the information in a Telegram group chat via the app’s official API, while another team used a traditional command and control (C&C) server with an admin panel. Most of the known cases occurred in the Czech Republic, while only two phishing apps appeared outside the country (namely in Hungary and Georgia).

All sensitive information identified by ESET’s investigation into this matter was immediately sent to the affected banks for processing. ESET also assisted in the removal of multiple phishing addresses and command and control servers.

For more technical information about the new phishing threat, see our blog post «Be Careful What You Wish For – Phishing in PWAs» On WeLiveSecurity.com.

source: after that