PWA Phishing Attacks Targeting Mobile Banking: The Next Generation Cyber Threat

Banking Fraud Phishing Attacks PWA IOS Android

This campaign covers a new phishing attack that uses Progressive Web Apps (PWAs): attackers use fake banking applications to target users' identity data. The flexibility of PWA technology makes these attacks more dangerous.

Indicators of Compromise

cyrptomaker.info
blackrockapp.eu
hide-me.online
play-protect.pro
csas.georgecz.online

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1660 Phishing


| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| DS0029 | Network Traffic | Network Traffic Content | Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. |
| DS0029 | Network Traffic | Network Traffic Flow | Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise. |


T1417.002 Input Capture: GUI Input Capture


| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| DS0041 | Application Vetting | Permissions Requests | Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest. |
| DS0042 | User Interface | System Settings | An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). |
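
The manifest check described under DS0041, as an added example (not part of the original page and not any vetting product's code). It assumes the manifest has already been decoded from the APK's binary XML into text; the function name `overlay_requests` and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# Either element can request a permission; the -sdk-23 form applies on API 23+ only.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifests (decoded text XML, not taken from any real app)
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def overlay_requests(manifest_xml):
    """Return one finding per manifest element that requests SYSTEM_ALERT_WINDOW."""
    # A manifest never needs a DTD; refuse one instead of letting entities expand.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest")
    findings = []
    for tag in PERMISSION_TAGS:
        for el in root.findall(tag):
            # The permission name lives in the namespaced android:name attribute.
            name = (el.get(f"{{{ANDROID_NS}}}name") or "").strip()
            if name == OVERLAY:
                findings.append({
                    "package": root.get("package"),
                    "tag": tag,
                    "maxSdkVersion": el.get(f"{{{ANDROID_NS}}}maxSdkVersion"),
                })
    return findings


if __name__ == "__main__":
    for label, doc in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, overlay_requests(doc))
```

A finding is a prompt for review rather than a verdict, since legitimate applications also request this permission.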



T1437.001 Application Layer Protocol: Web Protocols


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Observed Countries (3)

CZ (428)
GE (71)
HU (776)