One common piece of advice to stay safe on the internet is not to open suspicious email attachments or Linkedin links and bitb attack, as they may steal your information or infect your device with malware. However, there is a new threat called browser-in-the-browser attack, which is difficult to spot, and you can easily become a victim.
In this article, we will delve into the browser-in-the-browser attack and how to protect yourself against it.
Browser-in-the-browser attack explained
This is a type of phishing attack that imitates a browser window within a web browser to steal your data. It manipulates a single sign-on method (SSO) where you will be prompted to log in to a third-party website like Facebook or Google but on a fake window. So, the credentials you enter are sent to the attackers’ servers and not to Facebook or Google. They will use the information to access your accounts and any potentially linked ones.
The problem with this attack is that the sign-in page looks like the legitimate one, so it is difficult to know that you are being scammed.
What is a single sign-on (SSO)?
This is an authentication method that allows you to access multiple accounts with the same credentials. So, for example, you can use existing Facebook, Google, or Microsoft accounts to register on services instead of creating entirely new profiles.
Although this method is convenient and saves time, it is risky. For example, if an anchor account like Facebook or Google is hacked, the attacker will access all the linked accounts. With the BitB attack in mind, your accounts could be vulnerable.
Common examples of BitB attacks
Similar to other phishing scams, the BitB attackers will start to lure you into acting. For instance, they can send you a fake email from a legitimate service with a link to sign in. However, the link takes you to a fake sign-in prompt. Alternatively, you might be using a website owned by the attacker unknowingly that displays a fake SSO sign-in window. These days, many free movies streaming websites such as Moviesjoy (just for an example to give you the name, the site looks safe) havestarted to run same tactics.
How to identify a fake sign-in prompt
As mentioned before, it is difficult to recognize a fake sign-in prompt. This is because hackers can make it look like a legitimate page with the same input fields, URL, and even the logo. They exploit your trust in these services, letting them slip under your nose without noticing. (https://cozumelparks.com/)
However, if you get a pop-up window prompting you to sign in, try to move it. If it is an image that can’t move, that is a red flag, and you should know something is wrong.
Always be cautious when signing in to access any service or site. Try another option if it is not a major website. In addition, examine the site’s legitimacy or whether it is just a fake page that imitates a real one.
How to stay safe against BitB attacks
- Use two-factor authentication on your accounts. Then, even if your login credentials fall into the wrong hands, they won’t be able to get into your accounts without verifying your identity.
- Secures your login credentials with a reliable password manager. Some services will even authenticate the URL of the site before allowing you to sign in.
- Be cautious with single sign-on methods. Don’t do it if it’s not a must to log in to a site. Some sites offer the logging-in option to track your behavior, but you can evade the prompt with a skip or similar button.
- Verify the URL of the site you are signing into. If it isn’t right, it is probably a phishing site.
