Browser-in-Browser Attacks: A Devastating New Phishing Technique Emerges
A phishing technique called Browser in the Browser (BITB) has emerged and is already being used against government entities, including in Ukraine. Find out how to protect yourself against this new threat.
Phishing for credentials is a common threat that has been around for many years. It uses different social engineering techniques to persuade an unsuspecting user to click on a link or open a document and provide their credentials, which are then sent to the attacker. Now, a new phishing technique was recently exposed by a penetration tester and security researcher known as “mr.d0x” on their website.
What are BITB attacks?
Browser-in-browser attacks involve simulating a browser window inside the browser to spoof a legitimate domain. The attack takes advantage of the third-party single sign-on (SSO) option that users increasingly rely on to log in to many different websites. The principle is quite simple: the user connects to a website, which in turn opens a new browser window that requests credentials from Google, Apple, Microsoft or another third party to let the user log in (Figure A). This benefits users because they do not need to remember or use an additional password to log in to the website.
This is where the BITB attack comes in. In a BITB attack, the user receives a fraudulent pop-up that asks for their SSO password. The main difference from a usual phishing case is that, in addition to opening this window, the attacker controls what its address bar shows: it can display any URL, including a legitimate one (Figure B).
The trick works well. People have gotten so used to this authentication model that they don’t pay much attention to it and just type in their credentials to log in.
How does it work?
In this attack, as with regular phishing, the threat actor must first get the user to visit a malicious or compromised page. To lure the user to the fraudulent page, attackers usually send links via email or instant messaging software. This page contains an iframe pointing to the malicious server hosting the phishing page.
According to mr.d0x, “once arriving at the website owned by the attacker, the user will be comfortable entering their credentials on what appears to be the legitimate website (because the Trusted URL says so).”
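As an added illustration that is not part of the original article or of mr.d0x's work, the following Python heuristic shows how a defender's URL-scanning pipeline might flag the tell described above: a trusted identity-provider URL that is only painted as text in a fake address bar while the page actually frames its login form from a different host. The identity-provider host list and the sample HTML are assumptions constructed for the example.

```python
"""Heuristic detector for Browser-in-the-Browser (BITB) phishing pages.
A BITB page draws a fake pop-up in HTML/CSS: the visible "address bar" is plain text
showing a trusted identity-provider URL, while the login form is really loaded from the
attacker's server in an <iframe>. Flag pages where a trusted IdP host appears only as
displayed text and the page frames or posts to some other host. Samples are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identity providers whose SSO prompts are commonly imitated (assumed list; extend as needed).
TRUSTED_IDP_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "appleid.apple.com"}


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text, self.loaded_hosts = [], set()
        self._skip = 0  # depth inside <script>/<style>, whose contents are never visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        url = a.get("src") if tag == "iframe" else a.get("action") if tag == "form" else None
        if url:
            self.loaded_hosts.add((urlparse(url).hostname or "").lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def bitb_indicators(html):
    """Return trusted hosts displayed as text, hosts actually loaded, and a verdict."""
    c = _Collector()
    c.feed(html)
    visible = " ".join(c.text).lower()
    displayed = {h for h in TRUSTED_IDP_HOSTS if h in visible}
    spoofed = displayed - c.loaded_hosts  # drawn as text but never loaded: the BITB tell
    other_frames = {h for h in c.loaded_hosts if h and h not in TRUSTED_IDP_HOSTS}
    return {"displayed": displayed, "loaded": c.loaded_hosts, "spoofed": spoofed,
            "suspicious": bool(spoofed and other_frames)}


# Constructed samples: a BITB-style page and an ordinary first-party login page.
SAMPLE_BITB = ('<div class="win"><div class="addressbar">https://accounts.google.com/o/oauth2/auth</div>'
               '<iframe src="https://login-portal.example/google-clone.html"></iframe></div>')
SAMPLE_BENIGN = '<h1>Sign in</h1><form action="https://shop.example/login"><input type="password"></form>'
```

Expect some false positives (for instance, a help page that names an identity provider while embedding an unrelated frame), so treat a hit as a signal to pull a screenshot for review rather than as a verdict on its own.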
Attacks already seen in the wild
Google's Threat Analysis Group (TAG) has reported a new attack campaign from the well-known actor Ghostwriter. The threat actor is from Belarus and deployed BITB attacks with the phishing pages hosted on a compromised website. After a user provides their credentials, they are sent to a remote server controlled by the attacker. Some of the recently observed phishing domains used by Ghostwriter focus on Ukraine.
We suspect that many more malicious actors will quickly adapt and use this new technique in their attack campaigns.
It seems unreasonable to ask users to stop using SSO. They are used to it and it works well in most cases. Adding multi-factor authentication (MFA) is a good way to improve the security of SSO authentication, but it could still be circumvented by attackers, for example by using malware. When it comes to resisting phishing, the best MFA solutions are hardware devices or tokens.
Using password managers could also help in the specific case of BITB attacks. Since the phishing page is not a real browser window, password managers with auto-complete options might not react to it, which may alert the user, who will wonder why auto-complete does not work.
The best ways to avoid BITB attacks are actually the same as for regular phishing. Users should not click on any links or attachments from unknown sources received via email or instant messaging software. If in doubt about an email from a seemingly legitimate entity or colleague, the user should call and verify that they are the sender and that the shared link or file is safe.
Anti-phishing solutions should also be deployed and used. If possible, these solutions should make it easy for the user to report to IT or even anti-phishing organizations.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.