Browser-in-the-browser attack enables undetected phishing campaigns

The browser-in-the-browser attacks come with pre-made templates for fake Chrome pop-ups

Phishing campaigns rely on browser-in-the-browser attacks. New method allows any cybercriminal wannabe to create fake browser window templates

Phishing campaigns can now go undetected because this toolkit allows anyone to create a fake Google Chrome browser window. With the phishing kit, attackers and criminals can build single sign-on login forms inside fake Chrome browser windows.[1]

The new method is called BitB, the browser-in-the-browser attack. It is easy to exploit and simulates a browser window within the browser. This is a way of spoofing a legitimate domain, so the attack is convincing and cannot be detected by AV engines or additional tools.[2]

Security researchers state[3] that the technique takes advantage of the third-party single sign-on options that can be embedded in websites. Sign-in options for Google, Facebook, Apple, Microsoft, or Twitter accounts are common examples. By default, when a user attempts to sign in via such a form, a pop-up window opens with the authentication process.

The attack aims to replicate this process using a mixture of HTML and CSS code. This is how the fabricated browser window allows the phishing attack to happen without raising an alert. The window shows only the login form, and the address bar shows the URL of the login form, so this simple appearance is easy to replicate.

The combination makes malicious servers and phishing pages indistinguishable

The researchers who analyzed the new technique state that the window design, combined with an iframe pointing to the malicious server hosting the phishing page, helps mask these campaigns.[4] The worst thing is that phishing mainly acts as the first stage of scam campaigns and other cyber attacks.
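The structure described above (a provider URL drawn as text inside the page, next to an iframe served from somewhere else) can be checked for in captured HTML. The following is an added example, not code from the article or from the researcher's templates; the provider host list, the function names and the sample HTML are assumptions constructed for illustration.

```javascript
// Hosts of common SSO providers (assumed, illustrative list; extend for your environment).
const IDP_HOSTS = ["accounts.google.com", "login.microsoftonline.com",
                   "www.facebook.com", "appleid.apple.com", "twitter.com"];

// Return the lower-cased hostname of a URL, or null if it does not parse.
function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch { return null; }
}

// Heuristic triage of static HTML that was served from pageUrl.
// A real SSO pop-up is a separate browser window, so the provider's URL is
// never rendered as text inside the embedding page. BitB draws it in the DOM.
function findBitbIndicators(html, pageUrl) {
  const pageHost = hostOf(pageUrl);
  // Drop script/style bodies, then tags, to approximate the text a user sees.
  const visible = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ")
                      .replace(/<[^>]+>/g, " ")
                      .toLowerCase();
  // Provider hosts shown as text (the drawn address bar) on a page that is not that provider.
  const spoofed = IDP_HOSTS.filter(h => h !== pageHost && visible.includes(h));
  // Iframes whose content does not come from any known provider.
  const frames = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (let m; (m = re.exec(html)) !== null;) {
    const h = hostOf(m[1], pageUrl);
    if (h && !IDP_HOSTS.includes(h)) frames.push(h);
  }
  return { spoofed, frames, suspicious: spoofed.length > 0 && frames.length > 0 };
}

// Constructed sample: provider URL rendered as page text beside a foreign iframe.
const SAMPLE_BITB =
  '<div class="title">Sign in - Google Accounts</div>' +
  '<div class="url">https://accounts.google.com/signin</div>' +
  '<iframe src="https://login.example.net/form"></iframe>';

// Constructed sample: provider URL appears only in script, never as visible text.
const SAMPLE_BENIGN =
  '<button>Sign in with Google</button>' +
  '<script>var u = "https://accounts.google.com/o/oauth2";</script>' +
  '<iframe src="https://videos.example.org/embed/1"></iframe>';

console.log(findBitbIndicators(SAMPLE_BITB, "https://shop.example.org/checkout"));
console.log(findBitbIndicators(SAMPLE_BENIGN, "https://shop.example.org/"));
```

This is a triage heuristic: a page that merely mentions a provider hostname in its text next to an unrelated iframe is also flagged, so treat hits as candidates for review.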

But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website

Social engineering attacks get easier and more effective. Victims get redirected to the fake domain, and the authentication window encourages them to type their credentials. This is how criminals harvest various login details for their later attack campaigns.

Novel method for phishing campaigns

This is where the new attack toolkit comes into play. The Chrome pop-up window includes a custom address URL and even a title, which together make up the phishing attack. The attack creates fake browser windows within the real browsing session. Convincing phishing campaigns use templates. Some of them were created by the researcher and put on GitHub.[5] These are available for Google Chrome on Windows and Mac devices, and even have dark and light mode versions.

These templates make it extremely easy to fool victims with realistic Chrome windows containing sign-in forms. Anyone can get a template and alter the URL to the desired address and login forms. Other phishing toolkit creators also state that it can be adapted to steal two-factor authentication keys in these campaigns.

These templates published online can be used by companies or, as sources state, red teamers. This is a way to test the defenses of sites and clients against phishing attacks like this. Scammers can also use landing pages that are automatically customized and look even more authentic.

JavaScript can be used to change elements on the page to match the legitimate site. These chameleon sites can be used for credential stealing and for malware deployment. Scammers, attackers, threat actors, phishers, and other criminals evolve, so companies, social media platforms, and developers should keep their defenses up too.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
