Phishing scam abusing trust

WWCD: Defending Against Browser App Mode Abuse

Bill Toulas at Bleeping Computer recently highlighted a new phishing technique in the wild that is designed to abuse users’ increased likelihood of trusting applications that appear to be desktop applications over those that appear inside a web browser. As with many other types of attacks in the wild, this one is designed to take advantage of the fact that experience – and most security training – primes users to expect phishing and other malicious sites to look and behave a certain way.

In the attack Toulas describes, threat actors utilize a little-used feature in Chromium-based browsers to launch web pages in “application mode”. In application mode, the website loads in a clean browser window that hides all the tell-tale signs that the user is on a website. There are no tabs, no URL bar, no toolbars, nor anything else that normally distinguishes a web application from a desktop one. Since users aren’t primed to expect phishing pages to load in this type of environment, their guard may be down.

So, What Would Conceal Do (#WWCD)?

We have some good news: Conceal would stop this attack. Since ConcealBrowse protects users by scanning URLs and blocking or isolating them as appropriate, the user’s trust – or lack thereof – is irrelevant.

Let’s take a look at how the attack works, and how ConcealBrowse stops it.

  1. An attacker sends a user a Windows shortcut that launches a web page in Chromium application mode when clicked.
    [Image: Chromium application mode]
  2. When the user clicks on the icon, the malicious page is loaded in a window that mimics a desktop application but is actually a Chromium window without any of the usual UI elements.
    [Image: Desktop mimic]
  3. Despite appearances, the page is still a normal web page and ConcealBrowse scans its URL as well as any other URLs it might call or load.
  4. Because Conceal’s decision engine has flagged the URL as malicious, the page is loaded in a virtual environment in the cloud instead of on the user’s computer.
    [Image: URL scan]
  5. When the page tries to download a malicious file to the user’s computer, the file is scanned and stopped by ConcealBrowse.
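
As an added example (not from the original post and not a description of how ConcealBrowse works): the shortcut in step 1 starts the browser with Chromium's `--app=<URL>` switch, so process-creation telemetry can flag the launch regardless of what the window looks like. The field names follow Sysmon process-creation records; the browser list, the allowlist and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed watch list of Chromium-based browser binaries (not exhaustive).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Hypothetical allowlist of hosts approved for app-mode shortcuts.
ALLOWED_APP_HOSTS = {"intranet.example.test"}
# Matches --app=<target>, bare or quoted; does not match --app-id=.
APP_FLAG = re.compile(r'(?:^|\s)"?--app=("?)([^\s"]+)\1', re.IGNORECASE)

def classify(event):
    """Return (verdict, target) for one process-creation record."""
    image = event["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    match = APP_FLAG.search(event["CommandLine"])
    if image not in BROWSERS or not match:
        return ("ignore", None)
    target = match.group(2)
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:          # malformed target: send to review
        return ("alert", target)
    if parts.scheme in ("http", "https") and host in ALLOWED_APP_HOSTS:
        return ("allowed", target)
    return ("alert", target)    # unapproved host, file://, data:, etc.

def scan(events):
    """Return the records an analyst should review, with the app-mode target."""
    hits = []
    for event in events:
        verdict, target = classify(event)
        if verdict == "alert":
            hits.append({"target": target, "image": event["Image"],
                         "parent": event.get("ParentImage")})
    return hits

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": CHROME, "ParentImage": EXPLORER,
     "CommandLine": f'"{CHROME}" --app=https://login.example.test/portal'},
    {"Image": EDGE, "ParentImage": EXPLORER,
     "CommandLine": f'"{EDGE}" "--app=https://intranet.example.test/wiki"'},
    {"Image": CHROME, "ParentImage": EXPLORER,
     "CommandLine": f'"{CHROME}" --profile-directory=Default --app-id=constructedappid'},
    {"Image": CHROME, "ParentImage": EXPLORER,
     "CommandLine": f'"{CHROME}" https://news.example.test/'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("REVIEW:", hit)
```

Only the first sample record is reported: the second targets an allowlisted host, and the last two do not use `--app=` at all.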

ConcealBrowse protects users and organizations from the types of trust abuse that are commonly responsible for successful malware and phishing attacks like this one, regardless of how creative the technique. Want to learn more? Contact us for a demo today!