Technovanguard — Be at the forefront of technology news

New Windows Phishing Method gives attackers access to cookies and more

by Justin Rowell
29.09.2022

The rise of two-factor authentication added a new layer of security to the authentication process on the Internet. Attacks designed to steal user credentials are still common, but many fall short because access to user accounts is not granted without the second verification step.


Users need to enter a code, or use a hardware device or an application, to complete the authentication request. Different forms of two-factor authentication exist. In the beginning, codes sent via email or SMS were common, but this method has the disadvantage that the information is transmitted in plain text.

New authentication methods, including the use of applications and security devices, have risen to prominence to improve security. Passwordless sign-ins, those using secondary devices alone, are becoming more common as they remove the password from the authentication equation. Microsoft customers, for instance, may make their Microsoft Accounts passwordless.

Attackers have devised new attacks to overcome two-factor authentication. Security researcher mr.dox developed a new attack that uses Microsoft Edge WebView2 functionality to steal account credentials, bypass two-factor authentication and exfiltrate cookies. While the malicious application has to be executed on the victim’s system, the attack gives attackers a lot of flexibility and options, especially with regard to sign-ins to online services.

To better understand the attack, it is necessary to take a closer look at Microsoft Edge WebView2. At its core, WebView2 enables developers to embed web content into their Windows desktop applications. Microsoft Edge is used to render the web content in the native applications. Developers may embed HTML, CSS and JavaScript code in the custom-built application. It is possible to load sites using WebView, similarly to how web browsers communicate with websites.

Designed to enrich native desktop applications, WebView2’s rich functionality makes it an attractive option for malicious developers. An attacker could load any login page, including those found on Amazon, Microsoft, Google, or Facebook, using WebView.

The WebView2 phishing attack

One of the main features of WebView2 is the ability to use JavaScript. A built-in function enables web developers to inject JavaScript into websites. It is this function that mr.dox used to inject malicious JavaScript code into legitimate websites loaded in an application that uses WebView2.

To demonstrate this, mr.dox created a demo WebView2 application that loads the Microsoft Office website and has a JavaScript keylogger embedded in its code.

Since it is a legitimate site that is loaded, it is not blocked by security software or two-factor authentication protections. Users won’t see any differences between the loaded site and the site loaded in a web browser. Phishing sites may look different than the original website; this may happen during development, but also when changes are made to the legitimate site.

The GitHub project page demonstrates how a custom-built WebView2 application is used to steal all user input with the help of an injected keylogger. Since this happens in the background, most users should be unaware that every key they press is logged and sent to the attacker.

While that may lead to successful account compromises on its own, it does not provide access to accounts that are protected using two-factor authentication systems.

The attack does not stop at this point, however. WebView2 comes with built-in functionality to extract cookies. The attacker may steal authentication cookies, and it is simply a matter of waiting for the login to complete. Cookies are provided in base64 format, but it is trivial to decode the data to reveal the cookies.

If that was not bad enough, WebView may be used to steal all cookies from the active user. One of WebView2’s capabilities is to launch with “an existing User Data Folder” instead of creating a new one. Using this feature, attackers could steal user data from Chrome or other installed browsers.

Tested in Chrome, the developer was able to steal passwords, session data, bookmarks and other information. All it took was to start WebView2 using the profile location of Chrome to extract all Chrome cookies and transfer them to a remote server on the Internet.

Using the information, the attacker can access web applications, provided that the session is still active and that there are not any other defensive systems in place that may prevent access from new devices. Most of the extracted cookies remain valid until the session expires.

The caveat

The main drawback of this WebView2-based attack is that users need to run the malicious application on their device. Sign-in to legitimate web services is required to steal the data, but the cookie and session stealing may happen without it.

Other malicious programs may provide attackers with other means to gain access to a user device and its data. The execution of any malicious program leads to disaster from a user’s point of view, and many users are still careless when it comes to the execution of programs and the launching of attachments on their devices.

Why go to the lengths of using the WebView2 attack, when other attacks may be easier to carry out? Mr.dox suggests that the WebView2 attack may provide attackers with additional options, such as running JavaScript code on target sites directly.

Defensive systems, such as antivirus applications, may prevent the launching of malicious WebView2 applications. The demo app, which is available on the researcher’s GitHub project site, was not blocked by Microsoft Defender. It includes a keylogger that logs any key input by the user. A SmartScreen warning was displayed, but the app was not prevented from being launched.

Protection against WebView2-based attacks

It all boils down to decade-old security practices when it comes to protection against this type of attack. Not launching applications that come from unknown sources or are not trustworthy is probably the main defensive option. Email attachments and web downloads need to be mentioned specifically here, as it is still common that computer users run these without consideration of the consequences.

Other options include scanning the file with up-to-date antivirus engines, or a service such as Virustotal. Virustotal scans files using dozens of antivirus engines and returns its findings in a matter of seconds to the user.
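The reuse of an existing User Data Folder described above leaves a trace that defenders can look for in process-creation telemetry: a WebView2 runtime process started on another browser's profile directory. The following Python detection is an added example, not code from the article or the researcher's project. It assumes the WebView2 runtime process (msedgewebview2.exe) receives the folder as a `--user-data-dir` argument, and the event field names, paths and sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Default profile roots of other browsers (assumed default install locations).
FOREIGN_ROOTS = [
    r"AppData\Local\Google\Chrome\User Data",
    r"AppData\Local\Microsoft\Edge\User Data",
]
# Accepts a quoted folder (may contain spaces) or an unquoted one.
UDF_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def user_data_dir(command_line):
    """Return the User Data Folder named on a command line, or None."""
    m = UDF_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def is_foreign_profile(path):
    """True if path is, or lies inside, another browser's profile root."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in FOREIGN_ROOTS:
        want = [p.lower() for p in PureWindowsPath(root).parts]
        if any(parts[i:i + len(want)] == want for i in range(len(parts))):
            return True
    return False

def suspicious_webview2_launches(events):
    """Return (parent image, folder) for WebView2 runtimes opened on a foreign profile."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "msedgewebview2.exe":
            continue  # only the embedded WebView2 runtime is of interest here
        udf = user_data_dir(ev["command_line"])
        if udf and is_foreign_profile(udf):
            hits.append((ev["parent_image"], udf))
    return hits

# Constructed process-creation events; field names and paths are illustrative.
WV2 = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\VERSION\msedgewebview2.exe"
SAMPLE_EVENTS = [
    {"image": WV2, "parent_image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "command_line": r'msedgewebview2.exe --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    {"image": WV2, "parent_image": r"C:\Apps\Notes\Notes.exe",
     "command_line": r"msedgewebview2.exe --user-data-dir=C:\Apps\Notes\Notes.exe.WebView2"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'chrome.exe --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
]

if __name__ == "__main__":
    for parent, folder in suspicious_webview2_launches(SAMPLE_EVENTS):
        print(f"ALERT: {parent} started WebView2 on {folder}")
```

Only the first sample event is flagged: the second uses the application's own folder, and the third is Chrome opening its own profile.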

Thank you for being a Ghacks reader. The post New Windows Phishing Method gives attackers access to cookies and more appeared first on gHacks Technology News.

