{"id":23866,"date":"2022-03-27T08:30:32","date_gmt":"2022-03-27T06:30:32","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=23866"},"modified":"2022-03-27T08:30:32","modified_gmt":"2022-03-27T06:30:32","slug":"browser-in-the-browser-phishing-methode","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/03\/27\/browser-in-the-browser-phishing-methode\/","title":{"rendered":"&quot;Browser in the browser&quot; Phishing"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Security (Pexels, general use)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/03\/27\/browser-in-the-browser-phishing-methode\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A security researcher has recently demonstrated a technique that makes credential phishing considerably harder to detect. He calls it BitB, short for \"browser in the browser\": a fake browser pop-up window, built from plain HTML and CSS, is rendered inside an attacker-controlled web page and imitates the OAuth login window of an identity provider such as Google, Microsoft or Apple. Because the fake window paints its own address bar with the provider's URL, login data can be captured without the user noticing anything.<\/p>\n<p><!--more--><\/p>\n<p>I had already seen the attack method on The Hacker News in the post <a href=\"https:\/\/thehackernews.com\/2022\/03\/new-browser-in-browser-bitb-attack.html\" target=\"_blank\" rel=\"noopener\">New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable<\/a> the other day. German blog reader Alexander W. also brought it to my attention by email (thanks for that). 
<\/p>\n<blockquote>\n<p>I just came across the following article on a sophisticated phishing method: <\/p>\n<p><a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/03\/behold-a-password-phishing-site-that-can-trick-even-savvy-users\/\" target=\"_blank\" rel=\"noopener\">Behold, a password phishing site that can trick even savvy users<\/a> <\/p>\n<p>Perhaps a topic for your blog. <\/p>\n<\/blockquote>\n<p>A security researcher who goes by the name <em>mr.d0x<\/em> on Twitter made the technique public in mid-March 2022 in the following <a href=\"https:\/\/twitter.com\/mrd0x\/status\/1503801717414105089\" target=\"_blank\" rel=\"noopener\">tweet<\/a>. <\/p>\n<p><a href=\"https:\/\/twitter.com\/mrd0x\/status\/1503801717414105089\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"Browser in the browser phishing?\" alt=\"Browser in the browser phishing?\" src=\"https:\/\/i.imgur.com\/fMDqaWT.png\" width=\"536\" height=\"641\"><\/a> <\/p>\n<p>He describes the technique in detail in the blog post <a href=\"https:\/\/mrd0x.com\/browser-in-the-browser-phishing-attack\/\" target=\"_blank\" rel=\"noopener\">Browser In The Browser (BITB) Attack<\/a> and has published matching templates on GitHub. <\/p>\n<h2>Problem: OAuth login window<\/h2>\n<p>Many users know the option of signing in to a website with an existing Google, Microsoft or Apple account (\"Sign in with Google\" and the like), which is implemented via OAuth. Choosing that option usually opens a separate pop-up window in which the user authenticates with the identity provider. Such a login pop-up is shown below. <\/p>\n<p><img decoding=\"async\" title=\"OAuth popup\" alt=\"OAuth popup\" src=\"https:\/\/i.imgur.com\/afCGQXH.png\"><br \/>OAuth pop-up, source: mr.d0x <\/p>\n<p>This genuine pop-up is a real browser window: its address bar, drawn by the browser itself, shows the URL of the identity provider (for example accounts.google.com) and the padlock of a valid TLS certificate, and the page asks the user for their credentials. After a successful login the identity provider hands an OAuth token (or an authorization code that is exchanged for one) back to the requesting site, which completes the sign-in there. 
However, the entire window design (title bar, window controls, address bar with padlock and URL) can be replicated with basic HTML\/CSS without much effort. <\/p>\n<p>When this fake window chrome is combined with an iframe that points to the attacker's server hosting the phishing page, the result is essentially indistinguishable from the genuine login pop-up: the painted address bar shows the identity provider's URL, while the iframe actually loads the attacker's cloned login form, so every keystroke goes to the attacker. The image in the tweet above compares the fake window with the real one; very few people will notice the slight differences between the two variants. The practical tell is that the fake window is only an element of the web page, not a window of its own: it cannot be dragged beyond the edge of the browser window the way a real pop-up can, and a password manager that matches saved credentials by origin will not offer the identity provider's credentials on the attacker's page.<\/p>\n<p><a href=\"https:\/\/raw.githubusercontent.com\/mrd0x\/BITB\/dbecf5b095af400f0b72aead93f44a4378611847\/demo.gif\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"BITB demo\" alt=\"BITB demo\" src=\"https:\/\/raw.githubusercontent.com\/mrd0x\/BITB\/dbecf5b095af400f0b72aead93f44a4378611847\/demo.gif\" width=\"659\" height=\"512\"><\/a><br \/>Demo of the attack<\/p>\n<p>The animated image above shows an example of such an attack. The security researcher describes the details of the approach in <a href=\"https:\/\/mrd0x.com\/browser-in-the-browser-phishing-attack\/\" target=\"_blank\" rel=\"noopener\">his article<\/a> and has published templates for Windows and macOS as examples on <a href=\"https:\/\/github.com\/mrd0x\/BITB\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>. On Twitter, one user writes that they have seen this technique being used for months in phishing attacks to steal Steam login data. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A security researcher has recently introduced a technique to make intercepting credentials via phishing even more efficient. He calls the technique BitB, short for \"browser in the browser\". 
A fake browser window is rendered inside an attacker-controlled page in &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/03\/27\/browser-in-the-browser-phishing-methode\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-23866","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=23866"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23866\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=23866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=23866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=23866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
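The mismatch that the "Problem: OAuth login window" section of the post describes (a painted address bar showing the identity provider's host while the iframe really loads the attacker's server) can be turned into a simple detection heuristic. The JavaScript below is an added example and is not code from the post or from mr.d0x's BITB templates. It models each iframe as a small descriptor {src, chromeText}: the iframe's src and the text of the surrounding fake window chrome. In a real content script these would come from document.querySelectorAll('iframe') and the textContent of each iframe's nearest window-like ancestor; here the descriptors, the page origin evil.example and the other hostnames are constructed sample input. The example resolves each iframe's real origin against the page origin, extracts any absolute URLs shown in the chrome text, and flags frames whose displayed host differs from the host actually loaded.

```javascript
// Added example: heuristic detection of a "browser in the browser" (BitB) fake
// pop-up. Not from the original post or from mr.d0x's templates.
//
// Idea: a genuine OAuth pop-up is a separate top-level window whose address bar
// is drawn by the browser. A BitB pop-up is an <iframe> inside the page whose
// "address bar" is ordinary HTML. So for every iframe we compare the host the
// surrounding chrome *claims* (any URL in its text) with the host the iframe
// *really* loads (its resolved src). A mismatch is a BitB candidate.

// Matches absolute http(s) URLs in free text. Assumption: the fake address bar
// shows a full URL, as in mr.d0x's screenshots; bare hostnames are not matched.
const URL_IN_TEXT = /https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s"'<>]*)?/gi;

// Hostname of `url`, resolved against `base` when `url` is relative.
// Returns null for input that is not a URL at all.
function hostnameOf(url, base) {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Unique hostnames that appear as URLs in the chrome text, in order of appearance.
function displayedHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(URL_IN_TEXT)) {
    const h = hostnameOf(m[0]);
    if (h) hosts.add(h);
  }
  return [...hosts];
}

// frame: { src, chromeText } is a constructed descriptor standing in for an
// <iframe> element plus the textContent of its window-like ancestor.
function classifyFrame(frame, pageOrigin) {
  // A relative src such as "/login.html" resolves against the phishing page itself.
  const realHost = hostnameOf(frame.src, pageOrigin);
  const shown = displayedHosts(frame.chromeText);
  if (shown.length === 0) {
    // Nothing painted to compare against; only the manual drag test remains.
    return { verdict: 'no-address-bar', realHost, shown };
  }
  const mismatch = shown.filter((h) => h !== realHost);
  return mismatch.length > 0
    ? { verdict: 'bitb-suspect', realHost, shown: mismatch }
    : { verdict: 'consistent', realHost, shown };
}

function scan(frames, pageOrigin) {
  return frames.map((f) => ({ src: f.src, ...classifyFrame(f, pageOrigin) }));
}

// --- constructed sample input (hypothetical hosts) -----------------------
const SAMPLE_PAGE_ORIGIN = 'https://evil.example';
const SAMPLE_FRAMES = [
  // BitB: the chrome paints the IdP's URL, the iframe loads the attacker's clone.
  {
    src: '/google-login.html',
    chromeText: 'Sign in - Google Accounts  https://accounts.google.com/o/oauth2/v2/auth?client_id=123',
  },
  // Consistent: an embedded widget whose own chrome names its real origin.
  { src: 'https://widgets.example/chat', chromeText: 'Chat  https://widgets.example/chat' },
  // Plain iframe with no URL text around it: nothing to compare.
  { src: 'https://ads.example/banner', chromeText: 'Advertisement' },
];

function demo() {
  return scan(SAMPLE_FRAMES, SAMPLE_PAGE_ORIGIN);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the first sample frame comes back as bitb-suspect with realHost evil.example and shown accounts.google.com. In a browser content script, iframe.src already returns the absolute URL, so the page origin is only needed for the constructed relative sample. The heuristic is deliberately conservative: it fires only when the painted chrome names a host the iframe does not load, so a fake window without a visible address bar (verdict no-address-bar) still needs the manual check of dragging the "pop-up" toward the edge of the browser window; a real pop-up leaves the browser window, a BitB cannot.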