Security researchers and intrusion testers have recently developed a unique phishing strategy that gives a phishing attack near invisibility. The attack is called Browser-in-the-Browser (BitB), which can gather numerous users’ sensitive information.
The BitB attack can target third-party single sign-in options on sites that endorse windows for authentication, such as signing in with Google, Apple, Microsoft, and Facebook.
Researchers claimed that it is highly possible for threat actors to completely fabricate a compromised version of a pop-up window to deceive several targets into releasing necessary credentials and information. Based on the researchers’ study, they fabricated a log-in window pop-up for Canva by utilising CSS/HTML.
The fabricated pop-ups impersonate a browser window within the browser and simulate an exact domain. They said that the pop-up is a persuasive phishing attack that can fool many individuals.
If a victim accesses a hacker-owned website that will use this kind of phishing attack, there is a high chance that they will enter their credentials since the site looks legitimate. Therefore, it is also probable that users will give up their credentials to the website owner.
The researcher also said that the Browser-in-the-Browser attack could have multiple capabilities.
The researchers combined the Browser-in-the-Browser window design with an iframe pointing towards the malicious server, which hosts the phishing page.
BitB’s developers also used JavaScript to portray the window on a button and a link or page loading screen. The sample is that the JQuery JavaScript library can manifest the window to appear as visually appealing as possible to convince and attract more users.
The BitB attack can also confuse users who usually log onto pop-up browsers. Lastly, if the user permits the JS, the security safeguard will not conduct its purpose and can be bypassed by malware effortlessly.
The Browser-in-the-Browser attack can evade a URL with HTTPS encryption and security checks. Moreover, using username, password, and the discovered attack will easily exploit 2FA. Security researchers suggest that users use secure proof of identity through a registered device or token to stay protected.