"Browser in the browser" Phishing

Security (Pexels, general use)

A security researcher has recently introduced a technique that makes intercepting credentials via phishing even more effective. He calls the technique BitB, short for "browser in the browser". A fake browser window is rendered inside a real-looking login page in order to imitate an OAuth login pop-up. This allows credentials to be captured without the user noticing anything.



I had already seen the attack method on The Hacker News in the post New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable the other day. German blog reader Alexander W. also brought this to my attention by email (thanks for that).

I just came across the following article on a sophisticated phishing method:

Behold, a password phishing site that can trick even savvy users

Perhaps a topic for your blog.

A security researcher who uses the name mr.d0x on Twitter made the whole thing public in mid-March in the following tweet.

The security researcher describes the whole technique in the blog post Browser In The Browser (BITB) Attack and has provided corresponding templates on GitHub.

Problem: OAuth login window

Many users are familiar with the option of logging into a website via OAuth using an account with Google, Microsoft, Apple, etc. A pop-up window then typically appears asking the user to authenticate with that provider. Such an authentication prompt can be seen below.



OAuth popup
OAuth Popup, Source: mr.d0x

The login window shown during this process displays the URL of the OAuth service in its address bar and prompts the user for their credentials. If the login succeeds, an OAuth token is returned, which is then used to sign in to the desired target site. However, it is quite easy for phishers to replicate the entire window design with basic HTML/CSS.

When the window design is combined with an iframe pointing to the malicious server hosting the phishing page, it is essentially indistinguishable from the original login. In the tweet above, the image shows the fake window compared to the real window. Very few people will notice the slight differences between the two variants.
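The weak point of the imitation described above is that the "address bar" of a BITB window is just painted text, while the login form actually comes from whatever host the embedded iframe loads. The following check, written here as an added example and not taken from mr.d0x's post or templates, is the kind of heuristic a browser-extension content script or a security-awareness tool could apply: it extracts the host that the painted address bar claims, resolves the real host of the adjacent frame against the page's origin, and flags a mismatch. The hosts `phish.example` and `app.example` and the candidate objects are constructed for the demonstration; the trusted identity-provider list is an assumption and would be maintained by the defender.

```javascript
// Added example (not from the original post or the BITB templates).
// Heuristic: a genuine OAuth pop-up is a separate top-level window whose
// address bar is drawn by the browser. A BITB "window" is a DOM element whose
// "address bar" is plain text placed beside an <iframe>; the text may claim
// accounts.google.com while the iframe actually loads from the phishing host.

// Assumed list of identity providers whose login pages a defender wants to protect.
const TRUSTED_IDP_HOSTS = new Set([
  'accounts.google.com',
  'login.microsoftonline.com',
  'appleid.apple.com',
]);

// Pull the first http(s) URL out of free text and return its hostname, or null.
function hostFromText(text) {
  const m = String(text).match(/https?:\/\/[^\s"'<>]+/);
  if (!m) return null;
  try {
    return new URL(m[0]).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Resolve an iframe src (possibly relative, as in the templates) against the
// page origin and return the host the frame really loads from.
function resolveFrameHost(frameSrc, pageOrigin) {
  try {
    return new URL(frameSrc, pageOrigin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// candidate: { addressBarText, frameSrc } describing one would-be pop-up.
// pageOrigin: origin of the page that contains it (the site the user visited).
function assessFakeWindow(candidate, pageOrigin) {
  const claimedHost = hostFromText(candidate.addressBarText);
  const realHost = resolveFrameHost(candidate.frameSrc, pageOrigin);
  const reasons = [];

  if (claimedHost && realHost && claimedHost !== realHost) {
    reasons.push('painted address does not match the frame origin');
  }
  if (claimedHost && TRUSTED_IDP_HOSTS.has(claimedHost) && realHost !== claimedHost) {
    reasons.push('claims a trusted identity provider but the frame loads from elsewhere');
  }

  return { claimedHost, realHost, suspicious: reasons.length > 0, reasons };
}

// Constructed sample data: a BITB-style element on a phishing page, and a
// benign case where the painted text and the frame origin agree.
const SAMPLE_BITB = {
  addressBarText: 'https://accounts.google.com/o/oauth2/v2/auth?client_id=example',
  frameSrc: '/google-login.html',
};
const SAMPLE_BENIGN = {
  addressBarText: 'https://accounts.google.com/o/oauth2/v2/auth',
  frameSrc: 'https://accounts.google.com/o/oauth2/v2/auth',
};

function demo() {
  return {
    bitb: assessFakeWindow(SAMPLE_BITB, 'https://phish.example'),
    benign: assessFakeWindow(SAMPLE_BENIGN, 'https://app.example'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

For a user without tooling, the equivalent manual check is the one usually recommended against BITB: a real pop-up is its own window and can be dragged past the edge of the browser, while the imitation is confined to the page that draws it.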

BITB demo
Demo of the attack

The animated image above shows an example of such an attack. The security researcher describes the details of this approach in his article and has published two templates for Windows and macOS as examples on GitHub. On Twitter someone writes that he has seen this technique being used for months in phishing attacks to steal Steam login data.


