A new phishing technique known as the browser-in-the-browser (BitB) attack mimics a legitimate sign-in pop-up by simulating a browser window inside the current browser window, making convincing phishing attacks much easier to mount.
The approach abuses third-party single sign-on (SSO) options such as "Sign in with Google" (or Facebook, Apple, or Microsoft) that are embedded on websites.
The typical behaviour when a user chooses one of these options is for a pop-up window to open in which the authentication is completed. The BitB attack recreates this entire process with a combination of HTML and CSS, producing a completely fabricated browser window: the title bar, the address bar with its padlock and URL, and the login form are all ordinary page content drawn by the attacker.
How it works
Typically, a user will check whether the URL in the address bar is correct, whether the site uses HTTPS, and whether the domain contains look-alike (homograph) characters, among other things, in order to spot a phishing site.
In this scenario everything appears to be in order: the address bar shows steamcommunity[.]com, which is a legitimate domain, and the padlock indicates HTTPS. However, when we try to drag the prompt outside the current window, it is clipped at the window boundary and disappears, because it is not a real browser pop-up but an element drawn inside the current page with HTML.
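The drag test above is a manual check. As an added example, not code from the original advisory, the following Node.js script applies the same reasoning to raw HTML: in a BitB page the "address bar" is plain text, so the provider URL it displays is never an origin the page actually loads in a frame. The two sample pages, the hypothetical phishing host login-portal.example, and the SSO_ORIGINS list are constructed for this example.

```javascript
// Added example (not from the original advisory): heuristic scan of raw HTML
// for browser-in-the-browser (BitB) indicators. A BitB page draws a fake
// browser window whose "address bar" is ordinary text, so the provider URL
// it displays is never an origin the page actually loads in a frame.
// Regex-based extraction is a deliberate simplification, not an HTML parser.

// Sign-in providers whose URLs a BitB kit typically imitates (constructed list).
const SSO_ORIGINS = new Set([
  'https://accounts.google.com',
  'https://login.microsoftonline.com',
  'https://appleid.apple.com',
  'https://www.facebook.com',
  'https://steamcommunity.com',
]);

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Origins really loaded into <iframe> elements on the page.
function framedOrigins(html) {
  const out = new Set();
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const o = originOf(m[1]);
    if (o) out.add(o);
  }
  return out;
}

// URL-looking strings that appear as visible text, i.e. outside tags and
// attributes. In a BitB page the painted address bar is exactly such text.
function displayedOrigins(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');
  const out = new Set();
  const re = /https?:\/\/[^\s"'<>]+/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const o = originOf(m[0]);
    if (o) out.add(o);
  }
  return out;
}

// Flag every displayed SSO-provider origin that is neither the page's own
// origin nor the origin of any frame actually present on the page.
function findBitbIndicators(html, pageOrigin) {
  const framed = framedOrigins(html);
  const findings = [];
  for (const shown of displayedOrigins(html)) {
    if (!SSO_ORIGINS.has(shown)) continue;
    if (shown === pageOrigin) continue;   // we really are on the provider's site
    if (framed.has(shown)) continue;      // provider genuinely framed (providers normally forbid this)
    findings.push({ displayedOrigin: shown, framedOrigins: [...framed].sort() });
  }
  return findings;
}

// Constructed sample: a BitB-style fake pop-up served from login-portal.example
// (a hypothetical phishing host). The address bar is plain text; the form is
// an iframe from the attacker's own host, since real providers refuse framing.
const BITB_HTML = `
<div class="fake-window" style="position:fixed;top:80px;left:200px;width:480px">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar">&#128274; https://accounts.google.com/signin/oauth</div>
  <iframe src="https://login-portal.example/google-login.html" width="480" height="520"></iframe>
</div>`;

// Constructed benign page: the provider URL only appears in a link's href,
// so nothing is "displayed" as a fake address bar.
const BENIGN_HTML = `
<p>Click <a href="https://accounts.google.com/signin">Sign in with Google</a> to continue.</p>`;

console.log(JSON.stringify(findBitbIndicators(BITB_HTML, 'https://login-portal.example')));
console.log(JSON.stringify(findBitbIndicators(BENIGN_HTML, 'https://shop.example')));
```

Treat a hit as a triage indicator rather than proof: a page that merely quotes a provider's URL in help text will also match. In a live page the complementary manual checks are the drag test above and looking for the "pop-up" in the parent page's DOM with the browser developer tools; a real pop-up is a separate top-level window and never appears there.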
While this technique makes effective social-engineering campaigns much easier to mount, it is important to note that a potential victim must first be lured to a phishing domain that can display the fake authentication window and harvest the credentials.
Once the victim has arrived at the attacker's site, however, they will feel at ease entering their credentials into what looks like a legitimate sign-in window.
Because this attack is very hard to spot by visual inspection alone, it is advised to enable multi-factor authentication on all accounts. Note that one-time codes typed into a phished form can still be relayed by the attacker in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys, which are bound to the genuine origin, offer the strongest protection.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Vaas, Lisa. (21 March 2022). Browser-in-the-Browser Attack Makes Phishing Nearly Invisible. Retrieved from Threatpost: https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/
Lakshmanan, Ravie. (21 March 2022). New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable. Retrieved from The Hacker News: https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html