This browser-in-browser attack is perfect for phishing • The Register
A new way to trick people out of their passwords has us wondering whether we need to rethink the trust we place in our web browsers to protect us, and to accelerate efforts to close web security holes.
Earlier this week, an infosec researcher known as mr.d0x described a browser-in-browser (BitB) attack. It’s a way to steal login credentials by simulating the small browser windows that Google, Microsoft, and other authentication providers open to ask for your username and password. You’ve probably seen these windows before: you click something like a “Sign in with Microsoft” button on a website, and a pop-up appears asking for your credentials to access your account or profile.
Services like Google Sign-In display a Google URL in the address bar of the pop-up window, which gives some assurance that the sign-in prompt really comes from a trusted company and not from an unknown one. And circumventing the defenses built into a user’s browser to trick them into trusting a malicious page tends to be difficult in the absence of an exploitable vulnerability, thanks to browser security mechanisms such as Content Security Policy and the same-origin policy.
However, there are methods such as clickjacking or UI redressing that alter the appearance of browsers and web pages to trick people into bypassing security checks. A clickjacking attack could, for example, interpose a transparent element over a web page button so that a user’s click is hijacked for nefarious purposes.
The BitB attack extends this technique by creating an entirely fabricated browser window, including trust signals like a locked padlock icon and a known (but forged) URL. You think you see a real pop-up, but it’s actually just drawn into the page, ready to capture your credentials.
Replicating the entire window design using basic HTML/CSS is quite simple
“Fortunately for us, replicating the entire window design using basic HTML/CSS is pretty straightforward,” says mr.d0x. “Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable.”
This technique, says mr.d0x, makes phishing more effective. Victims would still need to visit a compromised or malicious website to trigger the pop-up, but once it appears they are more likely to submit credentials, since nothing seems abnormal.
There are limitations to this approach: while it can fool people, it is unlikely to fool other software. Password managers, for example, probably wouldn’t autofill credentials into a BitB window because they wouldn’t recognise it as a real browser window.
Nonetheless, BitB has raised concerns among some security researchers as a way to exploit insecurity in the advertising ecosystem. Referring to a study published last year by Adalytics indicating that 70% of major publisher websites fail to sandbox the iframes used to serve ads, ad fraud researcher Augustine Fou told The Register that he is concerned BitB could be used by those serving malicious advertisements.
“Malicious code can enter through the ad in the iframe, but since the iframe is insecure, it can be injected into the parent page,” he explained. That is, a bad ad could cause a BitB pop-up to appear on the page, asking for a username and password to harvest.
Adalytics researcher and founder Krzysztof Franaszek told The Register it’s a plausible attack vector. When asked how this could be done, he replied, “The simple answer is: you would create an ad creative that has a JS payload. When the ad loads on an end user’s device and detects that the iframe it loads inside is not sandboxed, it would trigger a popup that looks like a login page.”
“The most complex/thorough answer is that ad networks/exchanges like Google scan and filter creatives, and there are other companies that also try to monitor those creatives for malicious code,” he added.
“While this type of attack is possible, I don’t think it’s necessarily the most lucrative route for malvertising,” Stein explained. “Malvertising attacks have to somehow be high impact and appeal to the lowest common denominator. And I think that’s why the most disruptive and impactful ad attacks that we typically see are forced redirects – a fullscreen popup or a fullscreen forced redirect – and those things are usually immediately monetizable.”
A fake login modal, he said, is not going to generate money immediately. Once you get someone’s credentials, you then need a process to sell those credentials or use them to get data, rather than simply getting paid by duped advertising companies.
We have seen a lot of phishing attacks on fake crypto sites that generate this modal using CSS
Stein, however, suggested that BitB is similar to the ways attackers have attempted to gain access to cryptocurrency wallets like MetaMask. “We’ve seen a lot of phishing attacks on fake crypto sites that spawn this modal using CSS,” he said. “So it’s not the real MetaMask but it looks a lot like it and it tries to get you to interact in some way, to enter your seed phrase or do some kind of transaction.”
The challenge of monetizing BitB may make it suboptimal for defrauding advertisers, but it still has security implications, given that the US Cybersecurity and Infrastructure Security Agency considers malicious code delivered through ad systems to be a threat to American networks [PDF].
While Stein said supply-side platforms (SSPs) that serve ads have security systems that scan for malicious code, and that there are other mitigating factors related to how publishers set up their websites, Fou and Franaszek indicated that the security of the advertising ecosystem is often lacking and that there are ways to craft malicious code so that it hides from scanners.
Fou said weak SSPs lead the way. “It’s the flaw,” he said, “that allows malicious advertisements to enter the system. The malicious code only activates when it detects movement, a change in orientation, a touch or an IP address. … so it’s extremely difficult for scanners to see that in the wild.” ®