
Phishing is Now Nearly Undetectable due to New Browser-In-The-Browser (BITB) Attack

by CISOCONNECT Bureau

A new phishing technique known as the Browser-in-the-Browser (BitB) attack can be used to spoof a legitimate domain by simulating a browser window within the browser, making it easier to carry out convincing phishing attacks.

The method, according to mrd0x, a penetration tester and security researcher on Twitter, takes advantage of third-party Single Sign-On (SSO) options embedded on websites like “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behaviour when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x said in a technical write-up published last week.

“JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”

It’s worth noting that the technique has been employed in the wild before. In February 2020, Zscaler revealed details of a campaign that used the BitB technique to steal credentials for Steam, a video game digital distribution service, through fake Counter-Strike: Global Offensive (CS: GO) websites.

“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others,” Zscaler researcher Prakhar Shrotriya said at the time.

“In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.”

While this method makes mounting effective social engineering campaigns much easier, potential victims must first be redirected to a phishing domain that can display the fake authentication window before their credentials can be harvested.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x added.
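For defenders triaging crawled or reported pages, the layout described above (an address bar drawn in HTML next to an iframe served from somewhere else) can be checked statically. The Python scanner below is an added example, not code from the article or the researchers it quotes; it assumes the fake address bar renders the full URL as the only text of its element, and the hop limit, exact-hostname comparison and sample hosts are likewise assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BARE_URL = re.compile(r"https?://\S+")  # a text node that is nothing but a URL
VOID = set("area base br col embed hr img input link meta source track wbr".split())
MAX_HOPS = 3  # assumption: fake address bar and iframe share a nearby ancestor

class BitBScanner(HTMLParser):
    """Flag containers that display one host as text while framing another."""
    def __init__(self):
        super().__init__()
        self.stack = [["#root", {}, {}]]  # [tag, {shown host: hops}, {framed host: hops}]
        self.findings = set()

    def note(self, slot, url):
        host = urlsplit(url or "").hostname  # None for relative (same-origin) URLs
        if host:
            self.stack[-1][slot][host] = 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.note(2, dict(attrs).get("src"))  # recorded on the iframe's parent
        if tag not in VOID:
            self.stack.append([tag, {}, {}])

    def handle_data(self, data):
        if self.stack[-1][0] not in ("script", "style") and BARE_URL.fullmatch(data.strip()):
            self.note(1, data.strip())

    def handle_endtag(self, tag):
        if tag in [entry[0] for entry in self.stack[1:]]:  # ignore stray closing tags
            closed = None
            while closed != tag:
                closed, shown, framed = self.stack.pop()
                parent = self.stack[-1]
                for src, dst in ((shown, parent[1]), (framed, parent[2])):
                    for host, hops in src.items():
                        if hops < MAX_HOPS:  # stop climbing after MAX_HOPS ancestors
                            dst[host] = min(hops + 1, dst.get(host, MAX_HOPS))
                self.findings |= {(s, f) for s in parent[1] for f in parent[2] if s != f}

def scan(html):
    scanner = BitBScanner()
    scanner.feed(html)
    return sorted(scanner.findings)

# Constructed sample with hypothetical hosts, not taken from any real page.
FAKE_POPUP = ('<div class="win"><div class="bar"><span>https://accounts.example.com/signin'
              '</span></div><iframe src="https://login.third-party.invalid/f"></iframe></div>')
```

`scan(FAKE_POPUP)` returns the (displayed host, framed host) pair. A hit is a triage signal for manual review, since legitimate pages can also print a URL beside a third-party embed.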
