Ever wanted to become a phisher? It’s easier than ever with a new downloadable kit.

The phishing kit allows anyone to download the templates needed to create fake versions of single sign-on login forms – the mini browser windows that pop up to allow users to log in to a third-party site with their accounts on services such as Google, Apple or Twitter.

Not only are these phishing browsers easy to create, but they are also incredibly difficult to spot and could fool even an experienced tech who could easily spot most other phishing schemes.

How it works

The kit was created by a security researcher, mr.d0x, who published it on GitHub. The researcher referred to the new form of phishing attack as a “Browser in the Browser” (BitB) attack.

Models in the kit include Google Chrome for Windows and Mac, with dark and light mode versions available.

Phishers will still have to lure a victim to a fake login page, but once they click the button to login, they’ll see an image rendered with custom HTML and CSS to look like a browser popup.

Oh That’s Bad: Browser In The Browser (BITB) Attack, a new phishing technique that steals credentials that even a web professional can’t detect. #Security https://t.co/cxU83DMezt pic.twitter.com/m9eYOmq0al

— François Zaninotto 🇺🇦 (@francoisz) March 18, 2022

URL extraction

A big part of what makes this trick so compelling is that the URL — the place cybersecurity training tells everyone to check for misspellings or hidden custom subdomains — can be forged.

The apparent browser popup is not actually a real popup, so the URL can say whatever the phisher wants.

How convincing are they? Looked.