A new phishing technique dubbed browser-in-the-browser (BitB) attack allows threat actors to simulate a browser window within a browser, spoofing a legitimate domain and initiating a convincing phishing attack.
A penetration tester and security researcher, known as mrd0x on Twitter, explained how the method takes advantage of third-party single sign-on (SSO) options on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).
The default behaviour of sign-in methods such as these is to greet users with a pop-up window in which they complete the authentication process. BitB attacks aim to replicate this process using a mix of HTML and CSS code, presenting users with a fabricated browser window.
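The detection angle follows directly from the description above: a genuine SSO pop-up is a separate top-level window, so its title bar and address bar are never elements of the parent page, whereas a fabricated window drawn with HTML and CSS has to render its fake address bar and embedded content as ordinary DOM nodes. The following is an added example, not code from the researcher or from the article, of a defender-side heuristic that scans a page tree for such overlays. The plain-object node shape, the sample trees and the three signals it combines (a fixed or absolutely positioned container, a text node that reads like an address-bar URL, and an embedded iframe) are assumptions made for this example.

```javascript
// Added example (not from the original article): heuristic scan for a
// "browser window" that is drawn inside the page rather than opened as a
// real pop-up. Nodes are plain objects {tag, style, text, children};
// the node shape and both sample trees below are constructed for this demo.

// Accepts an optional lock glyph, then an http(s) origin with optional path.
const URL_BAR_RE = /^(?:\u{1F512}\s*)?https?:\/\/[\w.-]+\.[a-z]{2,}(?:\/\S*)?$/iu;

// A whole text node that is just a URL (plus optional lock) reads like an
// address bar; a sentence that merely contains a link does not.
function looksLikeAddressBar(text) {
  return URL_BAR_RE.test(text.trim());
}

// Depth-first visit of a node and all of its descendants.
function walk(node, visit) {
  visit(node);
  for (const child of node.children || []) walk(child, visit);
}

// Returns every positioned container that holds both address-bar-like text
// and an iframe, i.e. page elements imitating browser chrome plus a page body.
function findFakeBrowserWindows(root) {
  const hits = [];
  walk(root, (node) => {
    const pos = (node.style && node.style.position) || 'static';
    if (pos !== 'fixed' && pos !== 'absolute') return;
    let hasUrlText = false;
    let hasIframe = false;
    walk(node, (d) => {
      if (d.tag === 'iframe') hasIframe = true;
      if (d.text && looksLikeAddressBar(d.text)) hasUrlText = true;
    });
    if (hasUrlText && hasIframe) hits.push(node);
  });
  return hits;
}

// Constructed fixture: an ordinary page with a link in prose and a fixed
// cookie banner. Neither should be flagged.
const benignPage = { tag: 'body', children: [
  { tag: 'p', text: 'Read more at https://example.com/docs' },
  { tag: 'div', style: { position: 'fixed' }, children: [
    { tag: 'span', text: 'Cookie notice' },
  ] },
] };

// Constructed fixture: an absolutely positioned container whose children
// are a URL-only text node and an iframe. This is the shape to flag.
const overlayPage = { tag: 'body', children: [
  { tag: 'div', style: { position: 'absolute' }, children: [
    { tag: 'div', children: [
      { tag: 'span', text: '\u{1F512} https://accounts.example.com/signin' },
    ] },
    { tag: 'iframe', children: [] },
  ] },
] };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign page flagged:', findFakeBrowserWindows(benignPage).length);   // 0
  console.log('overlay page flagged:', findFakeBrowserWindows(overlayPage).length); // 1
}
```

Run against a live document (for instance from a content script), the plain-object tree would be replaced by `document.body`, with `getComputedStyle(el).position` standing in for the `style.position` field and each element's own text nodes checked with `looksLikeAddressBar`; that adaptation is assumed here, not shown. The heuristic is deliberately conservative (all three signals must coincide), so a fixed cookie banner or a page that merely links to a URL is not reported.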