Browser-in-the-Browser – An (Almost) Invisible Attack


A penetration tester and security specialist has devised a new phishing technique that is almost undetectable. Browser-in-the-Browser (BitB) is a type of attack that can collect sensitive information from users.

About the BitB attack

According to researcher mr.d0x, the BitB attack targets third-party single sign-on options on websites that open popup windows for authentication, such as sign-in with Facebook, Google, Apple, or Microsoft.

According to the researcher, it is possible to fabricate a malicious version of such a popup window entirely, in order to dupe the target into providing information.

Using basic HTML/CSS, they created a Canva log-in box.

The phoney popups imitate a browser window within the browser and display a valid domain, resulting in convincing phishing attacks that deceive the target.

When a victim visits an attacker-controlled website, they may enter their credentials on what appears to be a genuine site, ultimately handing those credentials over to the attackers.


More information

The researcher paired a pop-up window design with an iframe pointing to the malicious server that hosts the phishing website.

Furthermore, JavaScript can be used to make the window appear when a link or button is clicked, or when a website is loaded.

The jQuery JavaScript library, for example, can make the window appear in a visually appealing or bouncing manner.

Furthermore, users who hover over a URL to determine its authenticity may be misled by the attack. This security check can be readily circumvented if JavaScript is enabled.
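The structure described above, a window drawn inside the page and paired with an iframe, leaves a recognisable trace in the markup: an identity provider's address appears as page text while the framed content comes from a different host. The following detection heuristic is an added example, not code from the researcher or this article; the `IDP_HOSTS` list, the function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan of page markup for Browser-in-the-Browser indicators.
// IDP_HOSTS is an assumed, illustrative list; extend it for the providers you rely on.
const IDP_HOSTS = ["accounts.google.com", "www.facebook.com",
                   "appleid.apple.com", "login.microsoftonline.com"];

// Hostnames of every <iframe src="...">, resolving relative URLs against the page URL.
function iframeHosts(html, pageUrl) {
  const hosts = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.push(new URL(m[1], pageUrl).hostname.toLowerCase());
    } catch {
      // malformed src: nothing to compare, skip it
    }
  }
  return hosts;
}

// IdP hostnames rendered as visible text, i.e. drawn by the page itself
// rather than shown in the browser's own address bar.
function idpHostsShownAsText(html) {
  const text = html
    .replace(/<(script|style)\b[\s\S]*?<\/\1>/gi, " ")
    .replace(/<[^>]*>/g, " ")
    .toLowerCase();
  return IDP_HOSTS.filter((host) => text.includes(host));
}

// Flag pages that display an IdP address as text while framing another host.
function findBitbIndicators(html, pageUrl) {
  const framed = iframeHosts(html, pageUrl);
  const findings = [];
  for (const shownHost of idpHostsShownAsText(html)) {
    for (const iframeHost of framed) {
      if (iframeHost !== shownHost) findings.push({ shownHost, iframeHost });
    }
  }
  return findings;
}

// Constructed samples: a drawn "address bar" over a framed form, and a real popup trigger.
const PAGE_URL = "https://site.example/";
const SAMPLE_SUSPICIOUS = `<div><span>https://</span><span>accounts.google.com</span>
<iframe src="https://login.attacker.example/form"></iframe></div>`;
const SAMPLE_BENIGN =
  `<button onclick="window.open('https://accounts.google.com/')">Sign in with Google</button>`;

console.log(findBitbIndicators(SAMPLE_SUSPICIOUS, PAGE_URL), findBitbIndicators(SAMPLE_BENIGN, PAGE_URL));
```

Legitimate pages that mention a provider's hostname in prose and also embed a third-party frame will match too, so treat findings as leads for review rather than verdicts.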


The BitB attack defeats both the check for an HTTPS-encrypted URL and the hover-over-link check. Furthermore, using a username and password with 2FA leaves you entirely vulnerable to such attacks. Researchers recommend adopting secure proof of identity, such as a registered device or token, to be safe.
