21 August 2024

A novel phishing campaign targeting Android and iOS users


A new phishing campaign is targeting mobile banking users in the Czech Republic, exploiting Progressive Web Applications (PWAs) to steal banking credentials. The attack, uncovered by Slovak cybersecurity firm ESET, has already targeted clients of banks in Czechia, Hungary and Georgia.

The phishing campaign employs a variety of delivery mechanisms, including automated voice calls, SMS messages, and malvertising on social media platforms like Facebook and Instagram. Once a user is tricked, they are prompted to install a malicious PWA or WebAPK, depending on their device’s operating system.

PWAs are essentially websites packaged to appear as standalone apps.

On iOS, victims are guided to add the PWA to their home screen through a seemingly legitimate system prompt. On Android, the PWA is installed after the user confirms custom browser pop-ups.

The attackers also utilized social media platforms to spread their malicious software. By registering advertisements on Meta platforms, such as Facebook and Instagram, they could target specific demographics with offers to download fake banking app updates. These ads would appear in the victims' social media feeds, further legitimizing the phishing attempt.

The phishing technique was first disclosed by Poland’s CSIRT KNF in July 2023. In November 2023, ESET analysts observed the attack in the Czech Republic, specifically targeting clients of CSOB. Additionally, two similar campaigns were identified targeting OTP Bank in Hungary and TBC Bank in Georgia.

ESET's analysts believe that the observed campaigns are likely the work of two different threat actors, based on the command-and-control (C&C) servers and backend infrastructure involved.
