mr. d0x Goes Phishing

In recent months, two new phishing approaches have been making waves and raising concerns. Both were publicized by mr. d0x, a penetration tester and security researcher who frequently publishes his findings to raise awareness about emerging threats. The first is a way to use Chromium’s application mode to build fake desktop apps for phishing. The other is technique for creating fake login forms on websites (or more accurately, forms that appear to be legitimate login forms on websites).

The App That Isn’t

The first phishing technique leverages the – app command line flag, which is supported by Chromium-based browsers, to launch a site in a separate browser window in a manner that appears to be an app. For instance, it does not display an address bar and instead of Chrome or Edge favicons appearing in the task bar, the favicon of the website is displayed.

In order to have the “correct” favicon – i.e., the one for the spoofed app – appear in the task bar, the website address (which is hidden) must be associated with that favicon. This can be accomplished by copying the favicon of the site being spoofed and using it for the phishing website.

Of course, hackers are expert at duplicating websites and forms that can fool all but the most discerning users. Javascript commands can be used to control window behavior to make it appear more realistic by, for instance, ensuring that the fake app is the proper size and shape, opening it in a reasonable position on the screen, and having it close once the user enters their credentials.

The spoofed phishing app can be delivered via an email with a shortcut link to the URL, including the “—app” parameter. Unfortunately, it is not hard to imagine a user receiving an email or text notification that they need to login to their Teams, Microsoft or Google account, clicking on the link, and logging in on an expertly spoofed app, as described above.

Browser-in-the-Browser (BiTB) Phishing Attack

The second phishing technique reported by mr. d0x was actually publicized a number of months ago but has been making headlines again due to its use in a recent phishing attack that steals Steam Gaming accounts. This phishing campaign targets high-value professional gamer accounts, with the goal of selling account access.

The basic technique, as described by mr. d0x, creates a simulated browser window within an existing browser window that appears to be a sign-in window pop-up. What makes the technique especially effective – that is to say, nefarious – is that a genuine URL can be shown in the pop-up address bar, since it is not actually a window.

The spoofed pop-up – including the misleading URL — is coded using HTML/CSS, with an iframe that points to the malicious server that hosts the phishing page. JavaScript can be used to open the pop-up when a sign-in button is clicked or when the page opens. It can also be used to ensure that the href attribute that usually displays actual URL of the window upon hover is ignored.

The recent attacks that leveraged this technique were delivered using a direct message on Steam. Selected high-value users were invited to join tournament teams, with a link to sign up on the site of a fake organization that claimed to host esports competitions. Visitors were asked to sign up to play, and when they clicked, a form that requested Steam credentials opened in a (seeming) pop-up.

The “overlay” of course, was in fact a fake window within the spoofed organization’s page that they were already on. The sign-in pop-up was designed to be highlight realistic. For instance, it displayed a genuine-looking Steam URL in the address bar and include a graphic of the SSL lock icon.

When a user entered credentials, they were prompted to enter the 2FA code by an additional form. Because the phishing site simultaneously passed login info to the actual Steam site, incorrect authentication information triggered an additional expertly spoofed form in real time to prompt the user to re-enter the 2FA code. And once they correctly authenticated, users were sent to a legitimate gaming site, to keep them from realizing that they have been had.

The More Phishing Changes, the More the Challenge Stays the Same

New phishing techniques are constantly being created to trick even very alert users, and old techniques are being updated. But the sad truth – for users, that is – is that phishing works, even when the techniques are nowhere near as sophisticated as those described above. Users are simply inundated with emails, text messages, IMs and pop-ups, and more often than not, if the graphics look right and the “required” action resembles any of the many usual sign-ins or clicks required of users every day, some people will fall for the phish.

To protect users from phishing, passive protection is the only reliable option. Ericom’s ZTEdge Web Isolation leverages remote browser isolation (RBI) to prevent users from falling for fake sign-in appeals on phishing sites, regardless of how convincing they may be. ZTEdge Web Isolation opens web sites with poor reputational ratings in read-only mode to prevent users from entering credentials of clicking on links – regardless of how convincingly the sites spoof normal sign-in procedures.

While the threat posed by phishing is troublesome for private users like gamers, it is exponentially more dangerous when those users use their personal, unmanaged devices to connect into enterprise networks. Once cybercriminals have access to a user device, they can monitor keystrokes to gather credentials for enterprise systems and web apps, as well as SaaS and cloud apps, to breach data, deliver ransomware and cause general havoc.

ZTEdge Web Application Isolation (WAI) protects organizations’ web-facing apps by inverting RBI to cloak application surfaces from threat actors’ view. It prevents them from probing for vulnerabilities that they can exploit. Because remote users can access web and cloud apps only via an isolated environment in the Ericom Global Cloud, enterprise apps are protected even if user credentials are stolen. WAI is a cloud-based solution that does not require any software to be installed on user devices.

Discover how Ericom ZTEdge Web Isolation and WAI can defend against even the most sophisticated phishing techniques. Contact us for a demo today.

---

Share this on:

---

About Mendy Newman

Mendy is the Group CTO of Ericom's International Business operations. Based in Israel, Mendy works with Ericom's customers in the region to ensure they are successful in deploying and using its Zero Trust security solutions, including the ZTEdge cloud security platform.