Browser-in-the Browser (BITB) – A New Born Phishing Methodology
By Keyur TalatiPublished On March 25, 2022
There is no one who we can trust in this digital age! Phishing has become a prevalent assault in the previous decade, with the attacker using a false login screen to acquire users’ credentials. A novel phishing technique called Browser-in-the-Browser (BITB) takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple, or Microsoft.
Tradition Phishing techniques
[ Image -1: Old Phishing Method ]
We can see the phishing page for the domain https://accounts.google.com/ in the image above. Security researchers can locate the phishing page using their domain name or a phony URL in this form of phishing assault.
As a result, it was rather simple to detect the phishing page using the URL.
Modern Phishing techniques: Browser-in-the-Browser (BITB) Attack
A security researcher [mr.d0x] discovered one way that hackers can employ to obtain user credentials to make the phishing attempt harder to detect. An attacker launches a phishing assault using the browser’s popup function in this form of the phishing attack. Anyone can make false website pages that seem just like legitimate login pages with the help of basic scripting. They build a CSS+HTML code that looks just like the real pages because the new Popup windows have no URL.
[ Image -2: Browser-in-the-Browser]
[ Image -3: No Difference between real and phishing site ]
Because there is no discernible difference between the two photos, identifying the true site for verification is extremely challenging. Also, some web apps use a windows pop-up function for authentication, thus users should expect pop-ups in their browsers.
The site’s look and URL will be identical to the real website in this type of assault. As a result, finding the discrepancies will be difficult.
Be Aware: For now, public exploits are available for Mac OS Chrome and Windows Chrome browser.
The sole defense against this type of modern phishing attack is awareness. Ensure to arrange “Employee Security Awareness Programs” offered by WeSecureApp. Let WeSecureApp organize all your cyber-security challenges. Get aggressive security services by just clicking below. We look forward to hearing from you.