In a troubling development, cybercriminals have begun using progressive web applications (PWAs) to impersonate banking apps and steal credentials from unsuspecting Android and iOS users. These PWAs, which users can install directly from their browsers, mimic the look and feel of legitimate apps while secretly harvesting sensitive data. The challenge here is that PWAs can bypass typical app installation safeguards, making it easier for threat actors to trick users into granting risky permissions without triggering the usual security warnings.
This technique, first spotted in Poland in July 2023, has since spread to other countries, including the Czech Republic, Hungary, and Georgia. For users, the main pain point is the growing difficulty in distinguishing between genuine apps and cleverly disguised phishing tools. The implications are severe: unauthorized access to financial accounts can lead to significant financial losses and long-lasting damage to trust in digital banking.
To protect against this evolving threat, users should be cautious about installing apps directly from web browsers, even if they appear legitimate. Stick to downloading apps only from official app stores, where security checks are more stringent. Financial institutions must also educate their customers about the risks of PWAs and invest in developing stronger detection mechanisms to flag suspicious activity. Additionally, enabling multi-factor authentication (MFA) on banking accounts can provide an extra layer of security, making it harder for attackers to gain access even if credentials are compromised. By staying vigilant and adopting these best practices, both users and institutions can reduce the risk of falling victim to these sophisticated phishing campaigns.
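As an illustration of the kind of detection mechanism mentioned above, the following added example (not part of the original post) checks a web app manifest for a protected bank name being claimed by a host the bank does not own. The brand name, hostnames, sample manifest and function names are all constructed for this sketch.

```python
import json
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist (assumption): protected brand -> hosts the bank really serves from.
PROTECTED_BRANDS = {
    "examplebank": {"examplebank.example", "app.examplebank.example"},
}

# Constructed sample of a web app manifest as a lookalike page might serve it.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "\uff25xampleBank",  # fullwidth first letter, folded by NFKC below
    "start_url": "/login",
    "display": "standalone",
})


def fold(text):
    """Normalise a display name: NFKC, casefold, keep only letters and digits."""
    folded = unicodedata.normalize("NFKC", str(text or "")).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def assess_manifest(manifest_json, served_from):
    """Return findings for one manifest that was fetched from the URL `served_from`."""
    manifest = json.loads(manifest_json)
    host = (urlsplit(served_from).hostname or "").lower()
    names = [fold(manifest.get("name")), fold(manifest.get("short_name"))]
    findings = []
    for brand, official_hosts in PROTECTED_BRANDS.items():
        claims_brand = any(brand in name for name in names if name)
        if claims_brand and host not in official_hosts:
            findings.append(f"brand '{brand}' claimed by unofficial host '{host}'")
    # Standalone display is normal for genuine PWAs, so it is only reported as
    # an aggravating factor once a brand mismatch has already been found.
    if findings and manifest.get("display") in ("standalone", "fullscreen"):
        findings.append("installed app would hide the browser address bar")
    return findings


if __name__ == "__main__":
    for url in ("https://examplebank-login.test/manifest.json",
                "https://app.examplebank.example/manifest.webmanifest"):
        print(url, "->", assess_manifest(SAMPLE_MANIFEST, url) or "no findings")
```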