Browser-in-the-browser (BitB) is a new type of attack that simulates a browser window inside the browser in order to spoof a legitimate domain. The technique can be used to perform credible phishing attacks.
Browser-in-the-Browser Phishing Technique Explained
Discovered by a penetration tester known as mr. d0x, the technique leverages the third-party single sign-on options typically embedded on websites, such as Sign in with Facebook or Google.
“Quite often when we authenticate to a website via Google, Microsoft, Apple etc. we’re provided a pop-up window that asks us to authenticate,” mr. d0x said. The BitB attack aims to replicate this process by using a combination of HTML and CSS code, creating a bogus but believable browser window. He combined the window design with an iframe pointing to the malicious server that hosts the malicious page. The result is “basically indistinguishable”.
“JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as JQuery,” he added.
The researcher has created templates for Windows and macOS for the Chrome browser in both Light and Dark mode. This technique significantly improves phishing schemes, making them very difficult to detect. Once the targeted user lands on the fabricated site, the pop-up window can be displayed to capture their credentials.
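A defensive heuristic for the construction described above, as an added example that is not taken from the researcher's write-up: it flags an iframe whose surrounding page markup displays a hostname that the frame's real origin does not belong to. The hostnames, sample data and function names are constructed for illustration, and a heuristic like this can be evaded or can misfire on ordinary pages.

```javascript
// Added example: heuristic only. All hostnames and sample data are constructed.
// Text that looks like an address bar entry: optional scheme plus a hostname.
const HOST_RE = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\/\s:?]|$)/gi;

// Hostnames shown as plain text in the markup wrapped around an iframe.
function displayedHosts(chromeText) {
  return [...chromeText.matchAll(HOST_RE)].map((m) => m[1].toLowerCase());
}

// True when `host` equals `domain` or is a subdomain of it.
function sameSite(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Flag frames whose surrounding "window chrome" names a host that the
// frame's real origin is unrelated to.
function findSpoofedFrames(frames) {
  const findings = [];
  for (const { frameSrc, chromeText } of frames) {
    let realHost = "";
    try { realHost = new URL(frameSrc).hostname.toLowerCase(); } catch { /* malformed src */ }
    if (!realHost) continue; // about:blank, data: or unparsable src
    const shownHosts = displayedHosts(chromeText)
      .filter((h) => !sameSite(realHost, h) && !sameSite(h, realHost));
    if (shownHosts.length) findings.push({ frameSrc, realHost, shownHosts });
  }
  return findings;
}

// Content-script side: pair each iframe with the text of an enclosing
// container (up to `depth` ancestors), where a drawn title/URL bar would sit.
function collectFrames(doc, depth = 3) {
  return [...doc.querySelectorAll("iframe[src]")].map((f) => {
    let box = f;
    for (let i = 0; i < depth && box.parentElement; i++) box = box.parentElement;
    return { frameSrc: f.src, chromeText: box.innerText || "" };
  });
}

// Constructed input: one fake sign-in window, one ordinary embed, one blank frame.
const SAMPLE_FRAMES = [
  { frameSrc: "https://collector.lookalike.test/signin",
    chromeText: "Sign in - IdP\nhttps://login.idp.example/oauth" },
  { frameSrc: "https://player.video.example/embed/1", chromeText: "Watch on video.example" },
  { frameSrc: "about:blank", chromeText: "https://login.idp.example" },
];
console.log(findSpoofedFrames(SAMPLE_FRAMES));
```

A real browser pop-up is a separate top-level window with its own address bar, so a sign-in "window" that turns out to be an iframe inside the page is already worth a second look.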
Learn more about the technique from the original technical write-up.
Last year, phishing operators created a specific obfuscation technique that uses Morse code to conceal malicious URLs within an email attachment. This is perhaps the first case of threat actors utilizing Morse code in such a way.