While reading on the different types of phishing attacks, recently I came across an interesting article by mr.d0x. His article explores the type of attack called Browser in the Browser (BITB). It is a novel phishing attack that exploits the user by simulating a browser window within a browser to spoof a legitimate domain. In simple terms, the pop-up window is used for spoofing.
For all those who want to access the net and be safe, the first thing they will note is to look for whether the website URL shows HTTPS. This will indicate that the site is secured with TLS/SSL encryption.
Of course, as technology develops, cybercrimes also develop with time. The URL method of checking is not reliable for quite some time because of many homographs attacks, DNS hijacking, and more. Now we can add one more attack to this list.
This BITB attack exploits the advantage of the third-party single sign on options (SSO) embedded on websites that issue pop-up windows for authentication. For example, Sign into Facebook, Apple, Google, or Microsoft. And it should be taken into consideration that these kinds of SSO pop-up methods are used widely for authentication.
According to the researcher, mr.d0x, creating a malicious pop-up window is very simple using basic HTML and CCS code. This BITB attack is very hard to find as it looks exactly similar to the original version. The following image shows the side by side by comparing original and fake windows provided in the mr.d0x blog.
As we can see, the imitation of the windows is uncanny. Many security industrialists will also fail to see the difference between the two.
Fortunately, for this kind of attack to initiate, the attacker needs to make the user first visit the malicious site and click on the links to provide the pop-up windows.
By using BITB, stealing the passwords will be very easy. Now let’s see some ways to avoid falling into this malicious attack lose our valuable credentials.
The BITB attack mainly targets SSO, so using Multi-Factor Authentication (MFA) is highly recommended.
Comments are closed.