A penetration tester and security researcher has devised a novel phishing technique that makes phishing nearly invisible. The attack, dubbed Browser-in-the-Browser (BitB), can harvest users' sensitive information.
About BitB attack
According to the researcher, known as mr.d0x, the BitB attack targets third-party single sign-on (SSO) options on websites that open a popup window for authentication, such as "Sign in with" Facebook, Google, Apple, or Microsoft.
The researcher believes that it is possible to completely fabricate a malicious version of a popup window to trick the target into giving up information.
They fabricated a log-in window for Canva using basic HTML/CSS.
The fake popup simulates a browser window inside the real browser window and spoofs a legitimate domain, producing a convincing phishing page that fools the target.
Once a victim visits the attacker-controlled website, they may enter their credentials into a window that appears legitimate, ultimately handing those credentials to the attacker.
More details
The researcher combined a pop-up window design with an iframe pointing to the malicious server hosting the phishing page.
Further, JavaScript can make the window appear on a link or button click, or while the page is loading.
For example, the jQuery JavaScript library can make the window appear visually appealing or animate it with a bounce.
Moreover, the attack defeats the common habit of hovering over a link to check where it leads: if JavaScript is enabled, this safeguard is easily bypassed.
Conclusion
The novel BitB attack defeats both the HTTPS URL check and the hover-over-the-link check. Further, username and password logins, even when combined with 2FA, are fully exposed to such attacks. To stay protected, researchers suggest using secure proof of identity via a registered device or token.