No one can be fully trusted in this digital age! Phishing has become a prevalent attack over the past decade, with the attacker using a false login screen to acquire users’ credentials. A novel phishing technique called Browser-in-the-Browser (BITB) takes advantage of third-party single sign-on (SSO) options embedded on websites that open popup windows for authentication, such as “Sign in with Google,” Facebook, Apple, or Microsoft.
Previously, it was rather simple to detect a phishing page by checking its URL.
A security researcher, mr.d0x, discovered one way hackers can obtain user credentials while making the phishing attempt harder to detect. In this form of phishing, the attacker launches the attack using the browser’s popup function. With basic scripting, anyone can make false website pages that look just like legitimate login pages. Because the new popup window has no URL of its own, the attacker builds it from CSS and HTML so that it looks just like the real page.
When a user hovers the mouse pointer over the legitimate website link, a new phishing window appears, thanks to the “on-hover” JavaScript function. Because there is no discernible difference between the two windows, identifying the true site for verification is extremely challenging. Also, some web apps use a pop-up window for authentication, so users expect pop-ups in their browsers.
In this type of attack, the site’s look and URL will be identical to the real website. As a result, finding the discrepancies will be difficult.
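A defender-side heuristic for the drawn popup described above, as an added example that is not part of the original post: a real popup's address bar belongs to the browser and is never part of the page's DOM, so SSO-provider URL text sitting beside a login form on a different host is a signal. The host list, function names and sample tree are assumptions made for illustration.

```javascript
// Added example, not code from the original post. SSO_HOSTS is an illustrative,
// partial list; the function names and the sample tree are constructed.
const SSO_HOSTS = ["accounts.google.com", "www.facebook.com",
                   "appleid.apple.com", "login.microsoftonline.com"];

// Accessors that accept real DOM elements or the plain-object tree below.
const tagOf = (n) => (n.tagName || "").toLowerCase();
const kids = (n) => Array.from(n.children || []);
const ownText = (n) => (n.childNodes
  ? Array.from(n.childNodes).filter((c) => c.nodeType === 3).map((c) => c.nodeValue).join(" ")
  : n.text || "").toLowerCase();

// True if the subtree can collect or frame a login form.
function hasLoginSurface(n) {
  const t = tagOf(n);
  if (t === "iframe" || (t === "input" && n.type === "password")) return true;
  return kids(n).some(hasLoginSurface);
}

// Walk the tree. When an element's own text shows an SSO host that is not the
// page's host, report the smallest enclosing container with a login surface.
function findFakeSsoWindows(root, pageHost) {
  const hits = [];
  (function walk(n, ancestors) {
    const host = SSO_HOSTS.find((h) => ownText(n).includes(h));
    if (host && host !== pageHost.toLowerCase()) {
      const box = [...ancestors].reverse().find(hasLoginSurface);
      if (box && !hits.some((x) => x.container === box)) hits.push({ host, container: box });
    }
    kids(n).forEach((c) => walk(c, [...ancestors, n]));
  })(root, []);
  return hits;
}

// Constructed sample: a page on shop.example drawing a fake sign-in window.
const samplePage = { tagName: "BODY", children: [
  { tagName: "A", text: "Sign in with Google", children: [] },
  { tagName: "DIV", id: "win", children: [
    { tagName: "DIV", children: [
      { tagName: "SPAN", text: "https://accounts.google.com/signin", children: [] }] },
    { tagName: "IFRAME", children: [] },
  ] },
] };
```

In a browser the same function can be called as `findFakeSsoWindows(document.body, location.hostname)`; it is a heuristic and will also flag benign pages that print a provider URL next to a form.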
Be aware: for now, public exploits are available for the Chrome browser on Mac OS and Windows.
The sole defense against this type of modern phishing attack is awareness. Be sure to arrange the “Employee Security Awareness Programs” offered by WeSecureApp.
Keyur Talati
Security Analyst – WeSecureApp