Home > Cyber News > New Browser-in-the-Browser Technique Makes Phishing Indistinguishable

New Browser-in-the-Browser Technique Makes Phishing Indistinguishable

New Browser-in-the-Browser Technique Makes Phishing Indistinguishable
Browser-in-the-browser (BitB) is a new type of attack that can be leveraged to simulate a browser window within the browser to spoof a legitimate domain. The technique can be used to perform credible phishing attacks.

Browser-in-the-Browser Phishing Technique Explained

Discovered by a penetration tester known as mr. d0x, the technique leverages third-party single sign options typically embedded on websites, such as Sign in with Facebook or Google.

“Quite often when we authenticate to a website via Google, Microsoft, Apple etc. we’re provided a pop-up window that asks us to authenticate,” mr. d0x said. The BitB attack aims to replicate this process by using a combination of HTML and CSS code, creating a bogus but believable browser window. He combined the window design with an iframe pointing to the malicious server that hosts the malicious page. The result is “basically indistinguishable”.

“JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as JQuery,” he added.

The researcher has created templates for Windows and macOS for the Chrome browser in both Light and Dark mode. This technique significantly improves phishing schemes, making them very difficult to detect. The targeted user only needs to land on the fabricated site for the pop-up window to be displayed to reveal their credentials.

Learn more about the technique from the original technical write-up.

Last year, phishing operators created specific obfuscation technique that uses Morse code to conceal malicious URLs within an email attachment. This is perhaps the first case of threat actors utilizing Morse code in such a way.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree