A penetration tester and security specialist came up with a new phishing approach that makes phishing almost undetectable. Browser-in-the-Browser (BitB) is a type of attack that can collect sensitive information from users.
Regarding the BitB assault
BitB attack targets third-party single sign-on choices on websites that offer popup windows for authentication, such as sign-in with Facebook, Google, Apple, or Microsoft, according to researcher mr.d0x.
According to the researcher, it is conceivable to totally construct a malicious version of a popup window in order to dupe the target into providing information.
Using basic HTML/CSS, they created a Canva log-in box.
The phoney popups imitate a browser window within the browser and then mimic a valid domain, resulting in convincing phishing assaults that deceive the target.
When a victim visits an attacker-controlled website, they may input their credentials on a seemingly genuine site, ultimately handing over their credentials to the attackers.
A pop-up window design was paired with an iframe connecting to the malicious server hosting the phishing website by the researcher.
Both an HTTPS-encrypted URL and a float security check are bypassed by the innovative BitB attack. Furthermore, using a username and password with 2FA leaves you entirely vulnerable to such assaults. Researchers recommend adopting secure evidence of identity such as a registered device or token to be safe.