
New phishing method looks just like the real thing, but it steals your passwords

Thanks to a new phishing method, hackers could steal all sorts of personal information by simply mimicking real login forms in Application Mode. This is a feature that’s available in all Chromium-based browsers, which includes Google Chrome, Microsoft Edge, and Brave.

Application Mode allows threat actors to present highly believable login forms that look like local desktop applications. In reality, everything typed into them is sent to the attacker.

Two Microsoft sign in prompts -- one fake, one real, side by side.

In Google Chrome, Application Mode lets web devs create apps that resemble native applications. A few things happen when you launch Application Mode. For starters, the toolbars and the address bar both disappear. The website is launched in a separate window, and on your taskbar, you’ll see the website’s favicon (the icon you normally see next to the website’s name in your browser tab) instead of the Chrome logo.

With all of these things out of the equation, it’s fairly easy to create a clone of a familiar login form and try to trick users into typing their login credentials. Many users are less wary of desktop apps than websites, because once installed, they are assumed to be safe; on the other hand, there’s always some degree of hesitation when visiting a strange website. With the URL gone, the easiest way to tell a scam from the real thing is largely gone as well.

This hack could potentially be very dangerous simply because of how easy it might be to get fooled by it. On the other hand, actually pulling it off requires the victim to have Chromium app mode enabled and launched locally on their device. This means that the hacker would first have to gain some sort of control over the computer before following up with this phishing method, be it through malware or through guiding the user to enable it and run a Windows shortcut with the phishing URL.

Windows 10 and 11 both come with Microsoft Edge pre-installed. This makes it easier to distribute Windows shortcut files that launch Microsoft Edge, and from there, it’s smooth sailing for the hacker if the victim falls for the fake form.
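For defenders, the launch step described above is visible in process-creation logs. The following is an added example, not code from the article or from mr.d0x: it flags Chromium-based browsers started with the `--app=` command-line switch (the switch that opens Application Mode) when the target is not on an allowlist. The executable names, the allowlisted host and the sample command lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Usual Windows executable names for the browsers the article names (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Hypothetical allowlist: hosts your organisation deliberately runs in app mode.
ALLOWED_APP_HOSTS = {"intranet.example.com"}

# Matches --app=<url>, whether the quotes wrap the value or the whole switch.
APP_SWITCH = re.compile(r'--app=("?)([^"\s]+)\1', re.IGNORECASE)
# Matches any executable file name, with or without a leading path.
EXE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def check_command_line(cmdline):
    """Return (browser, url, host) for an app-mode launch at a
    non-allowlisted target, or None if the line is not of interest."""
    exes = {name.lower() for name in EXE.findall(cmdline)}
    browsers = sorted(exes & BROWSERS)
    if not browsers:
        return None
    match = APP_SWITCH.search(cmdline)
    if not match:
        return None
    url = match.group(2)
    # file:, data: and scheme-less targets have no hostname; they are
    # reported with an empty host because they can never be allowlisted.
    host = (urlsplit(url).hostname or "").lower()
    if host in ALLOWED_APP_HOSTS:
        return None
    return (browsers[0], url, host)


# Constructed process-creation command lines (not taken from a real incident).
SAMPLE_EVENTS = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://login.example.net/signin',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://intranet.example.com/wiki"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://news.example.org',
    r'cmd.exe /c start msedge.exe "--app=file:///C:/Users/Public/form.html"',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        finding = check_command_line(event)
        if finding:
            print("app-mode launch:", finding)
```

The same check applies to the target field of shortcut files, since a shortcut that starts Edge in Application Mode carries the same switch in its arguments.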


This phishing method was first described by mr.d0x and later reported on by Bleeping Computer. While it could be dangerous if users were to fall for it, the prerequisite of first obtaining some sort of access to the victim’s computer should largely keep you safe.

As always, remember not to visit websites that you don’t fully trust, load up some trustworthy antivirus software for good measure, and do not enable Application Mode in your browser unless you have a very good reason to do so.

Monica J. White