New Browser-in-the-Browser (BitB) Attack Makes Phishing Nearly Undetectable


A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.

According to a penetration tester and security researcher who goes by the handle mrd0x_, the method takes advantage of third-party single sign-on (SSO) options embedded on websites, such as “Sign in with Google” (or Facebook, Apple, or Microsoft).


While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.

Browser-in-the-Browser

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x_ said in a technical write-up published last week. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”


While this method makes it significantly easier to mount effective social engineering campaigns, it’s worth noting that potential victims still need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x_ added.
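The fabricated window described above is ordinary page content: a text element styled to look like an address bar showing a trusted identity-provider URL, sitting next to an iframe whose real src points at the attacker-controlled server. That gap between the URL a page displays and the origin it actually loads is something a browser extension or a crawler can check for. The following is an added example, not code from the article or from mrd0x_'s write-up; the trusted-provider host list, the two sample HTML fragments and the host names ending in .example are all constructed for illustration.

```javascript
// Heuristic BitB detector (added example, not from the article).
// Idea: collect every URL-looking string in the page's *visible text* and every
// host an <iframe> actually loads from. A trusted SSO host that is displayed as
// text, on a page that is not that host and that loads no iframe from it, is the
// signature of a fake browser window drawn in HTML/CSS around an attacker iframe.

// Assumed list of identity-provider hosts worth protecting (constructed).
const TRUSTED_IDP_HOSTS = [
  "accounts.google.com",
  "login.microsoftonline.com",
  "appleid.apple.com",
  "www.facebook.com",
];

// Hosts that iframes on the page really load from. Relative src values are
// resolved against the page's own host, since a fake window usually embeds a
// phishing page served from the same attacker domain.
function extractIframeHosts(html, pageHost) {
  const hosts = new Set();
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.add(new URL(m[1], "https://" + pageHost).hostname.toLowerCase());
    } catch (_) {
      // unparseable src: nothing is loaded from it, so no host to record
    }
  }
  return hosts;
}

// Hosts that appear as URL text the user can see (tags and scripts stripped).
function extractDisplayedUrlHosts(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<[^>]+>/g, " ");
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(text)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Returns one finding per trusted host that is shown as a URL but never loaded.
function findBitbIndicators(html, pageHost) {
  const iframeHosts = extractIframeHosts(html, pageHost);
  const findings = [];
  for (const shown of extractDisplayedUrlHosts(html)) {
    if (!TRUSTED_IDP_HOSTS.includes(shown)) continue;
    if (shown === pageHost) continue; // the provider's own page showing its URL
    if (!iframeHosts.has(shown)) {
      findings.push({ displayedHost: shown, iframeHosts: [...iframeHosts] });
    }
  }
  return findings;
}

// Constructed sample: a fake "window" whose address-bar text names a trusted
// provider while the iframe loads from the phishing domain.
const SUSPICIOUS_SAMPLE = `
<div class="window">
  <div class="addressbar">https://accounts.google.com/o/oauth2/auth</div>
  <iframe src="/gsignin.html"></iframe>
</div>`;

// Constructed sample: a plain "Sign in with Google" button with no URL text.
const BENIGN_SAMPLE = `<button>Sign in with Google</button>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findBitbIndicators(SUSPICIOUS_SAMPLE, "login-portal.example"));
  console.log(findBitbIndicators(BENIGN_SAMPLE, "shop.example"));
}
```

The check keys on the origin the browser actually loads, not on what the page paints, which is the same reason a password manager will not autofill on the fake window: its stored credential is bound to the real site's origin, and the phishing domain never matches it. Expect false positives from pages that legitimately mention a provider's URL in prose (help articles, documentation), so treat a finding as a signal for review rather than a verdict.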
