New phishing toolkit uses PWAs to steal login credentials
2024-06-12 17:35

A new phishing kit has been released that allows red teamers and cybercriminals to create Progressive Web Apps (PWAs) that display convincing corporate login forms to steal credentials.

D0x demonstrates how to create PWAs that display corporate login forms, complete with a fake address bar showing the normal corporate login URL to make them look more convincing.

"PWAs integrate with the OS better and therefore they can lead to higher engagement for websites," the researcher explains in a blog post about the new toolkit.

"The issue with PWAs is that manipulating the UI for phishing purposes is possible as we'll explore in this blog."

While the new phishing templates will require some convincing to get a user to install the PWA, there are scenarios where it may be easier to do so.

When the PWA automatically launches, it prompts the user to enter their credentials to log in, whether those are for a VPN product, Microsoft, AWS, or an online store, for example.


News URL

https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-uses-pwas-to-steal-login-credentials/