Protect Users from the Browser-in-the-Browser (BitB) Phishing Attack
Browser-in-the-Browser (BitB) Phishing Attack Overview
On March 15, a novel phishing technique, the Browser-in-the-Browser (BitB) attack, was surfaced by Twitter user mr.d0x and featured in a technical blog post. The BitB attack targets the third-party single sign-on (SSO) options commonly used to let users log in to websites with a Google, Apple, Microsoft, or Facebook account via a pop-up window that collects their credentials. The attack replicates this user experience by generating a fake browser window out of HTML and CSS to trick victims into giving up their credentials.
While the BitB attack technique has made headlines in the last couple of weeks, it has been observed in the wild before. In February 2020, Zscaler published details of a campaign that leveraged the BitB technique to siphon credentials for the video game digital distribution service Steam through fake Counter-Strike: Global Offensive websites.
Impact of BitB
The BitB technique makes social engineering campaigns aimed at credential harvesting easier to mount and more effective. Potential victims must first land on a phishing domain hosting the fake authentication window, but once they do, most users won’t think twice about entering their credentials.
Teach Users to Identify a Fabricated Authentication Window
There is an easy way for users to verify whether an authentication pop-up is fake: try to drag the pop-up outside the content area of the browser. A fabricated pop-up cannot be dragged outside the browser window and will stop at its edge. A legitimate login pop-up can be moved around freely, since it is a separate window rather than an element trapped inside the webpage. If the pop-up is legitimate, you should also be able to interact with the URL in its address bar. Teaching end users these simple checks should be part of your other phishing awareness and education campaigns. Your defense is only as strong as your weakest link — don’t let that be someone who falls for the BitB.
zvelo’s PhishBlocklist Coverage
zvelo’s PhishBlocklist clients are protected from BitB attacks by proprietary detection techniques designed to identify exactly this type of attack, which targets humans with sophisticated social engineering. For a BitB attack to work, a user must first land on the attacker-owned website; PhishBlocklist blocks access to that site, so the attack is stopped before it can begin. Unlike a human who attempts to visually validate a suspected phishing URL, PhishBlocklist uses advanced AI to evaluate the technical metadata along with the URL, so this type of attack would easily be detected. PhishBlocklist’s proprietary detection of active phishing threats makes it ideal for protecting web browsing, email, SMS/text, and other applications.
zvelo’s Cybersecurity Team constantly monitors the latest Cyber Threat Intelligence (CTI) from sources around the world to ensure that our threat intelligence feeds provide unparalleled protection against emerging threats and attack techniques.