Fake Google Security Site Uses PWA App to Steal Credentials, MFA Codes

A phishing campaign is exploiting a fake Google Account security page to deploy a malicious web-based app capable of stealing login credentials.

A phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims’ browsers.

The attack combines Progressive Web App (PWA) features with social engineering to convince users that they are interacting with a legitimate Google security page, so that they install the malicious app without realizing it.

PWAs run in the browser but can be installed directly from a website and then behave like a regular standalone application: once installed, the app opens in its own window without visible browser controls such as the address bar, so nothing on screen shows the user which domain the app is actually loading from.
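As an added illustration (not code from the article, and not the campaign's real manifest), the snippet below shows how an analyst might triage a site's web app manifest for the two properties that make this kind of lure effective: a display mode that removes the address bar, and an app name that borrows a brand the serving domain does not belong to. The sample manifest, the `assessManifest` helper and the brand parameter are constructed for this example; the domain google-prism[.]com is the one named in the article.

```javascript
// Added example, not the article's code and not the campaign's real manifest.
// Triage helper: given a site's web app manifest, report whether an installed
// copy would run without browser controls and whether the app name borrows a
// brand that the serving origin does not belong to.

// Constructed sample manifest for illustration only.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Google Account Security",
  short_name: "Security",
  start_url: "/setup/step1",
  scope: "/",
  display: "standalone",
  icons: [{ src: "/icon-192.png", sizes: "192x192", type: "image/png" }],
});

// Display modes in which the installed app shows no address bar.
const NO_ADDRESS_BAR = new Set(["standalone", "fullscreen"]);

// display_override, when present, takes precedence over display. Browsers use
// the first entry they support; taking the first entry is a simplification.
function effectiveDisplayMode(manifest) {
  if (Array.isArray(manifest.display_override) && manifest.display_override.length > 0) {
    return manifest.display_override[0];
  }
  return manifest.display || "browser";
}

function hostBelongsTo(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// pageOrigin: origin the manifest was served from, e.g. "https://google-prism.com".
// brand: { name: "Google", domain: "google.com" }, the brand being impersonated.
function assessManifest(manifestText, pageOrigin, brand) {
  const manifest = JSON.parse(manifestText);
  const display = effectiveDisplayMode(manifest);
  const hidesBrowserControls = NO_ADDRESS_BAR.has(display);

  // start_url is resolved against the serving origin; an off-origin start_url
  // is itself worth a closer look.
  const origin = new URL(pageOrigin).origin;
  const hostname = new URL(pageOrigin).hostname;
  const startUrl = new URL(manifest.start_url || "/", pageOrigin);

  const names = [manifest.name, manifest.short_name].filter(Boolean).join(" ");
  const brandInName = names.toLowerCase().includes(brand.name.toLowerCase());
  const brandMismatch = brandInName && !hostBelongsTo(hostname, brand.domain);

  const findings = [];
  if (hidesBrowserControls) {
    findings.push(`display "${display}": installed app shows no address bar, so the user never sees ${hostname}`);
  }
  if (brandMismatch) {
    findings.push(`app name "${names}" references ${brand.name} but is served from ${hostname}`);
  }
  if (startUrl.origin !== origin) {
    findings.push(`start_url points off-origin to ${startUrl.origin}`);
  }
  return { display, hidesBrowserControls, startUrl: startUrl.href, brandMismatch, findings };
}

// Stand-alone run on the constructed sample.
const report = assessManifest(SAMPLE_MANIFEST, "https://google-prism.com", { name: "Google", domain: "google.com" });
for (const f of report.findings) console.log("finding:", f);
```

The same check run against a manifest with `display: "browser"` served from a host under the brand's own domain produces no findings, which is the point of the comparison: neither property is malicious on its own, but a standalone app named after a brand and served from an unrelated domain is exactly what the user cannot tell apart once the address bar is gone.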

Victim browser becomes attacker’s proxy
The campaign relies on social engineering to get the user to grant the permissions it needs, presenting them as a security check that adds protection to the device.

The cybercriminals use the domain google-prism[.]com, which poses as a legitimate Google security service and walks the visitor through a four-step setup process that includes granting risky permissions and installing the malicious PWA. In some cases the site also promotes a companion Android app that supposedly "protects" contacts.

Irfan Latif
