October 3, 2023

A new phishing technique called the browser-in-the-browser (BitB) attack can be used to simulate a browser window inside the browser and spoof a legitimate domain, making it possible to launch highly persuasive phishing attacks.

The method abuses the third-party single sign-on (SSO) options embedded on websites, such as “Sign in with Google”, Facebook, Apple, or Microsoft, according to the researcher.

Normally, when a user logs in via one of these methods, a pop-up window opens to complete the authentication process. The BitB attack replicates this entire process with a mix of HTML and CSS, rendering a completely fabricated browser window inside the page.

By combining this window design with an iframe pointing to the malicious server hosting the phishing page, the result is basically indistinguishable from a real pop-up. JavaScript can easily be used to make the window appear when a link or button is clicked, when the page loads, and so on.

This method makes it significantly easier to assemble effective social engineering campaigns, though it is worth noting that potential victims must first be lured to a phishing domain, which can then display such a fake authentication window to harvest credentials.

“But once they land on the attacker’s website, the user will feel comfortable entering their credentials on what appears to be the legitimate website, since the URL is trusted,” added mrd0x_.
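The mechanism described above (a fake address bar drawn in HTML/CSS next to an iframe served from the attacker's origin) also suggests a defensive check. The following is an added example, not code from the article or from mrd0x's proof of concept: a heuristic that flags any in-page iframe whose container displays a trusted-looking URL that does not match the iframe's real origin. The sample data, the `.example` hostnames and the function names are constructed for this example.

```javascript
// Heuristic browser-in-the-browser (BitB) detector (added example, not from the article).
// Assumption: a BitB window is an in-page element that shows a trusted URL as a fake
// address bar, while the actual login form is an <iframe> served from another origin.
// Runs in Node on the constructed sample below, or in a browser as a content script.

const URL_IN_TEXT = /https?:\/\/([a-z0-9.-]+)/i;

// Hostname claimed by a piece of "address bar" text, or null if no URL is shown.
function claimedHost(text) {
  const m = URL_IN_TEXT.exec(text || '');
  return m ? m[1].toLowerCase() : null;
}

// Hostname actually serving an iframe (relative src resolves against the page origin).
function actualHost(src, pageOrigin) {
  try { return new URL(src, pageOrigin).hostname.toLowerCase(); }
  catch { return null; }
}

// Core check: each candidate pairs the text around an iframe with the iframe's src.
// Returns the mismatches, i.e. windows that display one domain but load another.
function findBitbCandidates(candidates, pageOrigin) {
  const findings = [];
  for (const c of candidates) {
    const claimed = claimedHost(c.addressText);
    const actual = actualHost(c.iframeSrc, pageOrigin);
    if (claimed && actual && claimed !== actual) {
      findings.push({ claimed, actual, iframeSrc: c.iframeSrc });
    }
  }
  return findings;
}

// Browser-only collector: walk up a few ancestors from each iframe to reach the
// container that also holds the fake address bar text.
function collectFromDom(doc) {
  const out = [];
  for (const frame of doc.querySelectorAll('iframe')) {
    let box = frame.parentElement;
    for (let i = 0; i < 4 && box && !URL_IN_TEXT.test(box.textContent); i++) box = box.parentElement;
    out.push({ addressText: box ? box.textContent : '', iframeSrc: frame.getAttribute('src') || '' });
  }
  return out;
}

// Constructed sample: one fake SSO window and one benign embed.
const SAMPLE = [
  { addressText: 'https://accounts.google.com/signin  Sign in with Google', iframeSrc: '/login.html' },
  { addressText: 'Embedded video', iframeSrc: 'https://www.youtube.com/embed/abc' },
];
if (typeof document !== 'undefined') console.log(findBitbCandidates(collectFromDom(document), location.origin));
else console.log(findBitbCandidates(SAMPLE, 'https://phishing-site.example'));
```

A genuine SSO pop-up is a separate top-level window that can be dragged outside the parent browser's viewport, so any in-page element that shows a trusted URL around a cross-origin form deserves the warning; the text match is a heuristic and will need tuning against false positives from ordinary page content.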
