New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable (25th March 2022)

Ref# AL2022_21 | Date: Mar 28th 2022

Description  

A new phishing technique known as the browser-in-the-browser (BitB) attack can be used to mimic a valid site by simulating a browser window within the browser, making it easier to perform convincing phishing attacks. 

Summary  

The approach makes use of third-party single sign-on (SSO) alternatives like “Sign in with Google” (or Facebook, Apple, or Microsoft) that are integrated on websites. 

While the typical behavior when a user tries to sign in is to be greeted by a pop-up window to finish the authentication procedure, the BitB attack intends to recreate this entire process using a combination of HTML and CSS code to produce a totally fabricated browser window. 

The window design combined with an iframe pointing to the malicious server hosting the phishing page makes it almost impossible to tell the difference. JavaScript can simply be used to create a window that appears when a link or button is clicked, when a website loads, and so on. 

How it works  

Typically, a user will check to verify if the URL is legitimate, whether the website is utilizing HTTPS, and whether the domain has any homographs, among other things, to detect a phishing site.  

Everything appears to be in order in this scenario because the domain is steamcommunity[.]com, which is legal and uses HTTPS. However, when we try to drag this prompt out of the current window, it disappears beyond the boundary of the window because it is not a real browser pop-up and was made in the current window using HTML. 

While this strategy makes mounting effective social engineering operations much easier, it”s important to note that potential victims must be routed to a phishing domain that can display a false authentication window for credential harvesting. 

However, after the victim has arrived at the attacker”s website, they will feel at peace as they enter their credentials on what appears to be a legitimate website. 

Remediation 

Since this attack is near impossible to detect it is advised to have multifactor authentication enabled on all accounts. 

The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.

PDF Download: New Browser-in-the-Browser Attack.pdf

References