A penetration tester and security researcher has created a novel phishing technique that makes phishing nearly invisible. The attack, dubbed Browser-in-the-Browser (BitB), can be used to steal users' sensitive information.
About BitB attack
According to the researcher, who goes by mr.d0x, the BitB attack targets third-party single sign-on options on websites that offer popup windows for authentication, such as sign-in with Facebook, Google, Apple, or Microsoft.
The researcher believes that it is possible to completely fabricate a malicious version of a popup window to trick the target into giving up information.
They fabricated a log-in window for Canva using basic HTML/CSS.
The fake popup simulates a browser window within the browser and displays a spoofed legitimate domain, which makes for convincing phishing attacks that fool the target.
Once a victim visits the attacker-owned website, they may enter their credentials into what appears to be a legitimate site, ultimately handing those credentials to the attackers.
The researcher combined a pop-up window design with an iframe pointing to the malicious server hosting the phishing page.
The novel BitB attack defeats both checking the URL for HTTPS encryption and the hover-over-it security check. Further, a username and password, even combined with 2FA, are completely exposed to such attacks. To stay protected, researchers suggest using secure proof of identity via a registered device or token.
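For defenders reviewing a suspect page, the structure described above (a provider address drawn as page content, next to an iframe served from another host) can be checked statically. The following is an added example, not code from the researcher or from the original article; the function names, the provider host list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed, illustrative sign-in hosts for the providers the article names.
IDP_HOSTS = ("accounts.google.com", "facebook.com", "appleid.apple.com",
             "login.microsoftonline.com")

class _Scan(HTMLParser):
    """Collects iframe src values and provider hosts shown as visible text."""
    def __init__(self):
        super().__init__()
        self.iframe_srcs, self.shown = [], set()
        self._hidden = 0  # depth inside <script>/<style>; that text is not rendered

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.shown.update(h for h in IDP_HOSTS if h in data.lower())

def _is_idp(host):
    return any(host == h or host.endswith("." + h) for h in IDP_HOSTS)

def bitb_indicators(page_url, html):
    """Triage heuristic (false positives possible): the page prints a provider
    address as text while the page and an iframe are served from other hosts."""
    scan = _Scan()
    scan.feed(html)
    scan.close()
    page_host = (urlparse(page_url).hostname or "").lower()
    if not scan.shown or _is_idp(page_host):
        return []
    hosts = [(urlparse(urljoin(page_url, s)).hostname or "").lower()
             for s in scan.iframe_srcs if s]
    return [f"text shows {s} but iframe loads {h}"
            for s in sorted(scan.shown) for h in hosts if h and not _is_idp(h)]

# Constructed sample: an address drawn as page text above an iframe.
SAMPLE_URL = "https://shop.example.org/login"
SAMPLE_HTML = ('<div><span>https://accounts.google.com/signin</span>'
               '<iframe src="https://login.example.net/form"></iframe></div>')
```

A real sign-in popup is a separate browser window whose address bar is not part of the page's HTML, so a provider address appearing as ordinary page text beside a foreign iframe is worth a closer look.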