New Phishing Toolset Allows for Browser in the Browser (BitB) Attacks
Hackers May Now Generate Successful Single Sign-On Phishing Login Forms Using Bogus Chrome Browser Windows.
When logging onto websites, users often have the choice of signing in with Google, Microsoft, Apple, Twitter, or even Steam.
When the user clicks a "Login with Google" or "Login with App" button, a single-sign-on (SSO) browser window opens, inviting them to enter their credentials and log into their account.
While the address bar is disabled in these SSO windows, the user can still use the displayed URL to verify that they are logging in through a real google.com domain. This URL further establishes the form's trustworthiness, so users enter their login credentials with confidence.
This is where a new “Browser in the Browser (BitB) Attack” comes into play, which utilizes pre-made templates to build phony but realistic Chrome popup windows with configurable address URLs and names for use in phishing assaults.
As BleepingComputer reports, this exploit produces bogus browser windows within legitimate browser windows (Browser in the Browser) in order to conduct convincing phishing assaults.
Mr.d0x, a security researcher, designed the Browser in the Browser attack templates and made them available on GitHub. According to Mr.d0x, the templates are very easy to use in order to create convincing Chrome windows that show single sign-on login forms for any website.
Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it is basically indistinguishable. The image below shows the fake window compared to the real window. Few people would notice the slight differences between the two.
According to the researcher, red teamers could simply download the templates, alter them to include the appropriate URL and window title, and then show the login form through an iframe.
With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).
However, now that prefabricated Chrome window templates are accessible, red teamers may use them to generate convincing phishing sign-in forms to assess the defenses of their customers' employees or of their own company's workers.
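A defender-side triage heuristic for the structure described above (a window drawn in the page that shows an SSO URL as text, with the form loaded in an iframe), added here as an example and not taken from the researcher's templates or from any tool named in the article. The watch-list of SSO hostnames, the function name `bitb_indicators` and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: a small watch-list of SSO hostnames; extend it for your environment.
IDP_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "appleid.apple.com"}

class _Scanner(HTMLParser):
    """Collect iframe hosts and IdP hostnames that appear as rendered text."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.iframe_hosts = set()
        self.shown_idps = set()
        self._hidden = 0  # depth inside <script>/<style>; that text is not rendered

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "iframe":
            src = dict(attrs).get("src") or ""
            # Relative sources resolve against the page, as a browser would do.
            host = urlsplit(urljoin(self.page_url, src)).hostname
            if host:
                self.iframe_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            text = data.lower()
            self.shown_idps.update(h for h in IDP_HOSTS if h in text)

def bitb_indicators(html, page_url):
    """Return (shown IdP host, framed host) pairs where the frame is not that IdP."""
    scan = _Scanner(page_url)
    scan.feed(html)
    scan.close()
    page_host = (urlsplit(page_url).hostname or "").lower()
    return sorted(
        (idp, framed)
        for idp in scan.shown_idps if idp != page_host
        for framed in scan.iframe_hosts if framed != idp
    )

# Constructed sample: a page element that prints an SSO URL above a foreign iframe.
SAMPLE = """<div class="window"><span>https://accounts.google.com/signin</span>
<iframe src="https://login.portal.example.test/form"></iframe></div>"""
```

Run it over the rendered DOM snapshot from a URL sandbox rather than the raw page source, since the address text can be written by script. Hits are triage leads, because a page may legitimately mention an SSO host and embed an unrelated frame.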