A new phishing method allows hackers to steal all kinds of personal information simply by mimicking real login forms in application mode, a feature available in all Chromium-based browsers, including Google Chrome, Microsoft Edge, and Brave.
By using application mode, threat actors can distribute very credible-looking local login forms that resemble desktop applications. In reality, everything the user types is sent to the attacker.
Google Chrome allows web developers to create apps similar to native applications in application mode. A few things happen when you start application mode. For starters, the toolbars and the address bar both disappear. The website will launch in a separate window and on your taskbar you will see the website favicon (the icon you normally see next to the website name in your browser tab) instead of the Chrome logo.
With all these things out of the equation, it’s pretty easy to clone a known login form and trick users into entering their credentials. Many users are less wary of desktop apps than of websites because, once installed, apps are considered safe; on the other hand, there is always some hesitation when visiting a strange website. Removing the URL largely does away with the easiest way to tell a scam from the real thing.
This hack is potentially very dangerous simply because it is so easy to be fooled by it. On the other hand, to actually run it, the victim must have Chromium app mode enabled and launch it locally on their device. This means that the hacker must first gain some form of control over the computer before performing this phishing method, either through malware or by guiding the user to enable it and run a Windows shortcut with the phishing URL.
Windows 10 and 11 both come with Microsoft Edge preinstalled. This makes it easier to distribute Windows shortcut files that launch Microsoft Edge, and from there it’s a cinch for the hacker if the victim falls for the fake form.
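One way to hunt for the shortcut-launch step described above, shown as an added example that is not from the original article: it scans process-creation command lines for a Chromium-based browser started with `--app=`, the Chromium command-line switch that opens a URL in application mode (the article does not name it). The allowlist and the sample events are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Chromium-based browser binaries named in the article.
BROWSER_RE = re.compile(r'\b(chrome|msedge|brave)\.exe\b', re.I)
# --app=<url> starts application mode; --app-id=... (installed web apps) is not matched.
APP_ARG_RE = re.compile(r'(?:^|\s)--app=(?:"([^"]+)"|(\S+))', re.I)
# Hypothetical allowlist: hosts your organisation deliberately runs in app mode.
ALLOWED_APP_HOSTS = {"teams.microsoft.com"}

def app_mode_target(command_line):
    """Return the URL given to --app= when a Chromium browser is launched, else None."""
    if not BROWSER_RE.search(command_line):
        return None
    m = APP_ARG_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def classify(url):
    """Return a reason string if the app-mode target deserves review, else None."""
    parsed = urlparse(url)
    if parsed.scheme == "file":
        return "local HTML file opened in app mode"
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_APP_HOSTS:
        return f"app-mode window for non-allowlisted host {host!r}"
    return None

def suspicious_app_launches(command_lines):
    """Return (url, reason) pairs for every app-mode launch that needs review."""
    findings = []
    for line in command_lines:
        url = app_mode_target(line)
        reason = classify(url) if url else None
        if reason:
            findings.append((url, reason))
    return findings

SAMPLE_EVENTS = [  # constructed process-creation command lines, not real telemetry
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://login.example.test/signin',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="file:///C:/Users/Public/form.html"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://teams.microsoft.com/',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default --app-id=abcdefgh',
    r'"C:\Windows\System32\notepad.exe" --app=https://login.example.test/',
]

if __name__ == "__main__":
    for url, reason in suspicious_app_launches(SAMPLE_EVENTS):
        print(f"REVIEW {reason}: {url}")
```

The same match can be applied to the target field of `.lnk` files once a shortcut parser has extracted it.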
This phishing method was first described by mr.d0x and later reported by Bleeping Computer. While it could be dangerous for users to fall for it, the requirement to gain some form of access to the victim’s computer first should keep you largely safe.
As always, remember not to visit websites you don’t fully trust, run reliable antivirus software for good measure, and don’t enable application mode in your browser unless you have a very good reason to do so.