New Windows Phishing Method gives attackers access to cookies and more
The rise of two-factor authentication added a new layer of security to the authentication process on the Internet. Attacks designed to steal user credentials are still common, but many fall short because access to user accounts is not granted without the second verification step.
Users need to enter a code, use a hardware device or use an application to complete the authentication request. Different forms of two-factor authentication exist. In the beginning, codes sent via email or SMS were common, but this method has the disadvantage that the information is transmitted in plain text.
New authentication methods, including the use of applications and security devices, have risen to prominence to improve security. Passwordless sign-ins, those using secondary devices alone, are becoming more common as they remove the password from the authentication equation. Microsoft customers, for instance, may make their Microsoft Accounts passwordless.
Attackers devised new attacks to overcome two-factor authentication. Security researcher mr.dox developed a new attack that uses Microsoft Edge WebView2 functionality to steal account credentials, bypass two-factor authentication and exfiltrate cookies. While the malicious application has to be executed on the victim's system, it gives attackers a lot of flexibility and options, especially in regard to sign-ins to online services.
To better understand the attack, it is necessary to take a closer look at Microsoft Edge WebView2. At its core, WebView2 enables developers to embed web content into their Windows desktop applications. Microsoft Edge is used to render the web content in the native applications. Developers may embed HTML, CSS and JavaScript code in the custom-built application. It is possible to load sites using WebView, similarly to how web browsers communicate with websites.
WebView2 was designed to enrich native desktop applications, but the same rich functionality makes it an attractive option for malicious developers. An attacker could load any login page, including those of Amazon, Microsoft, Google or Facebook, using WebView2.
The WebView2 phishing attack
One of the main features of WebView2 is the ability to use JavaScript. A built-in function enables web developers to inject JavaScript into websites. It is this function that mr.dox used to inject malicious JavaScript code into legitimate websites loaded in an application that uses WebView2.
To demonstrate this, mr.dox created a demo WebView2 application that loads the Microsoft Office website and has a JavaScript keylogger embedded in its code.
Since the site that is loaded is the legitimate one, neither security software nor the site's two-factor authentication protections are triggered. Users won't see any difference between the site loaded in the application and the same site loaded in a web browser. Classic phishing sites, by contrast, may look different from the original website, either because the copy was imperfect to begin with or because the legitimate site has changed since.
The GitHub project page demonstrates how a custom-built WebView2 application is used to steal all user input with the help of an injected keylogger. Since this happens in the background, most users will be unaware that every key they press is logged and sent to the attacker.
While that alone may lead to successful account compromises, it does not provide access to accounts that are protected by two-factor authentication.
The attack does not stop at this point, however. WebView2 comes with built-in functionality to extract cookies. The attacker may steal authentication cookies, and it is simply a matter of waiting for the login to complete. Cookies are provided in base64 format, but it is trivial to decode the data to reveal the cookies.
If that were not bad enough, WebView2 may be used to steal all cookies of the active user. One of WebView2's capabilities is to launch with "an existing User Data Folder" instead of creating a new one. Using this feature, attackers could steal user data from Chrome or other installed browsers.
Tested in Chrome, the developer was able to steal passwords, session data, bookmarks and other information. All it took was to start WebView2 using the profile location of Chrome to extract all Chrome cookies and transfer them to a remote server on the Internet.
Using the information, the attacker can access web applications, provided that the session is still active and that there are not any other defensive systems in place that may prevent access from new devices. Most of the extracted cookies remain valid until the session expires.
The caveat
The main drawback of this WebView2-based attack is that users need to run the malicious application on their device. Stealing keystrokes requires the victim to sign in to a legitimate web service, but the theft of existing cookies and sessions from a browser profile does not.
Other malicious programs may provide attackers with other means to gain access to a user device and its data. The execution of any malicious program leads to disaster from a user's point of view, and many users are still careless when it comes to the execution of programs and the launching of attachments on their devices.
Why go to the lengths of the WebView2 attack when other attacks may be easier to carry out? Mr.dox suggests that the WebView2 attack may provide attackers with additional options, such as running JavaScript code directly on target sites.
Defensive systems, such as antivirus applications, may prevent the launching of malicious WebView2 applications. The demo app, which is available on the researcher's GitHub project site, was not blocked by Microsoft Defender. It includes a keylogger that records all key input by the user. A SmartScreen warning was displayed, but the application was not prevented from launching.
Protection against WebView2-based attacks
It all boils down to decades-old security practices when it comes to protection against this type of attack. Not launching applications that come from unknown or untrustworthy sources is probably the main defensive option. Email attachments and web downloads need to be mentioned specifically here, as it is still common for computer users to run these without considering the consequences.
Other options include scanning the file with up-to-date antivirus engines, or with a service such as VirusTotal. VirusTotal scans files using dozens of antivirus engines and returns its findings to the user in a matter of seconds.
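As an added defensive example (not part of the original article or of mr.dox's project), the following Python rule flags the two observable traits of the attack described in the cookie-theft and caveat sections above: a WebView2 runtime process started with another browser's profile as its User Data Folder, and a WebView2 host launched by an executable sitting in a download or temp folder. The runtime process name, the Chromium-style `--user-data-dir` command-line switch and all sample events are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Profile folders of other browsers; a WebView2 host has no reason to open these
# (assumed paths; extend for your estate).
FOREIGN_PROFILES = ("\\google\\chrome\\user data", "\\mozilla\\firefox\\profiles")
# Folders a freshly downloaded or dropped executable typically runs from.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Assumed shape of the runtime's command line: Chromium's --user-data-dir switch.
USER_DATA_DIR = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def analyse(event: dict) -> list:
    """Return findings for one process-creation event; empty list means nothing to flag."""
    findings = []
    if PureWindowsPath(event["Image"]).name.lower() != "msedgewebview2.exe":
        return findings
    m = USER_DATA_DIR.search(event.get("CommandLine", ""))
    if m:
        udd = m.group(1) or m.group(2)
        if any(p in udd.lower() for p in FOREIGN_PROFILES):
            findings.append("foreign browser profile used as User Data Folder: " + udd)
    parent = event.get("ParentImage", "")
    if any(d in parent.lower() for d in USER_WRITABLE):
        findings.append("WebView2 host launched from user-writable path: " + parent)
    return findings

# Constructed sample telemetry in Sysmon Event ID 1 style; not real data.
WEBVIEW = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.0.0\msedgewebview2.exe"
SAMPLE_EVENTS = [
    {  # legitimate: installed application with its own private User Data Folder
        "Image": WEBVIEW,
        "ParentImage": r"C:\Program Files\Contoso\ContosoApp.exe",
        "CommandLine": f'"{WEBVIEW}" --embedded-browser-webview=1 '
                       r'--user-data-dir="C:\Users\alice\AppData\Local\Contoso\EBWebView"',
    },
    {  # suspicious: dropped binary in Downloads pointing WebView2 at the Chrome profile
        "Image": WEBVIEW,
        "ParentImage": r"C:\Users\alice\Downloads\Invoice.exe",
        "CommandLine": f'"{WEBVIEW}" --embedded-browser-webview=1 '
                       r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
    },
    {  # unrelated process creation, ignored by the rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, analyse(ev))
```

Feed real process-creation events (Sysmon, EDR telemetry) through `analyse` and alert on any non-empty result; the parent-path check alone is noisy on developer machines, so weight the foreign-profile finding higher.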
This seemed interesting, so I grabbed the PoC from mr. dox’s GitHub to try out against Defender’s Endpoint P2 EDR protections. I’m relieved to say that Defender intercepted and blocked the attempted injection of malicious JavaScript into the website altogether, preventing any of the malicious code from having any opportunity to execute at all. I was initially concerned that, WebView being an MS product, it might be given some breathing room by Defender; happy to be mistaken.
As for those who don’t have a license for Defender’s EDR capabilities, MDAC – Microsoft Defender App Control (formerly WDAC or Windows Defender App Control) – can be leveraged quite handily, as it now offers multi-policy support (up to 32 concurrent policies in the multi-policy format). MS provides a free App Control template creation wizard GUI you can download from their documentation that makes composing the policy statements a breeze, as it basically does it for you, allowing one to put in effect a highly tailored and immensely air-tight runtime environment. It becomes all but impossible for any binary or script to execute originating from anywhere that you are not already aware of as being safe. Any process that spawns unexpectedly (as a result of opening an attachment, for example) simply isn’t allowed to execute in any manner. It so easily covers such a broad attack surface that you’re soon left with only trivial security concerns, like whether a program you downloaded is inherently malicious or not, most if not all of which is covered by Defender or any other anti-malware solution for you.
It’s worth noting that running MDAC on its own leaves it open to being completely disarmed by highly sophisticated malware or attackers. You need to be running a Windows 10/11 Enterprise SKU to allow you to enable the Virtualization Based Security (HVCI) mechanisms that completely protect and prevent any malware or attack from being able to interfere with MDAC’s operational integrity and capability.
Would something like Keyscrambler by qfxsoftware.com help, in blocking/fooling the keylogger?
For several years now I haven’t allowed cookies to persist or allowed js to be enabled by default. You do that and you defeat almost every one of these kinds of exploits.
Some downloads are small stubs. When run, these download the programs. I run a third-party offline virus check after installing these. Another safety aspect that seems to go unconsidered is the use of a password manager. They match URLs, not website look and feel. They mismatch on minor changes fallible humans overlook.
I don’t believe a password manager would be of help here, since it is, in fact, the original URL being loaded, but with additional JavaScript being loaded to capture keystrokes – this won’t be detected by the password manager.