How to Spot a Browser-in-the-Browser Phishing Attack

Given the number and increasing sophistication of phishing campaigns, seeing is not automatically believing when browsing online. A particularly sneaky scam is the browser-in-the-browser (BitB) attack, in which malicious actors render a fake browser window that looks like a trusted single sign-on (SSO) login page inside a real browser session.
Since we use SSO to access many of our online accounts, we may not think twice before entering usernames and passwords on these spoofed pages. Cybercriminals rely on this to steal user credentials.
How a browser-in-the-browser attack works
Rather than redirecting users to a spoofed website, attackers launching a BitB attack create a fake pop-up on the page you’re already on (a page that may have been set up for the attack or compromised in some way). Using HTML, CSS, and JavaScript, they can design a login window that looks exactly like the real one, right down to the lock icon and the URL in the pop-up’s address bar.
These fake login windows usually appear seamlessly, for example after a click or redirect that would normally lead to an SSO prompt. Entering your credentials hands them directly to the attackers, who can use or sell them.
Fraudulent pop-ups often imitate SSO providers such as Google, Apple and Microsoft, although they can mimic any login portal. Earlier this year, Silent Push researchers identified a BitB phishing campaign targeting Steam users, particularly players of Counter-Strike 2. Players saw a fake browser pop-up displaying the URL of the real Steam portal, making them more likely to enter their credentials without suspicion. The attackers also displayed portraits of the eSports team NAVI to add credibility.
Signs of a BitB Scam
Since attackers can imitate trusted login pages so closely, including showing the real domain in the address bar, visual inspection alone may not be enough to detect fraud. Instead, you have to interact with the window in some way.
In many cases, a real SSO pop-up can be dragged outside the browser page it appears on, so try moving it elsewhere on your screen first. However, some SSO dialogs are static. If you can’t drag the window, try selecting the URL text or clicking the lock icon to view the certificate details. If the pop-up is fake, you won’t be able to interact with these elements at all, because the window is just an image drawn on the page rather than a real browser window.
This is also a strong reason to use a secure password manager to fill in your credentials instead of typing them manually. A password manager will only offer saved credentials on the legitimate domain, and a fake window is part of the attacker’s page, not the real login site. If it doesn’t auto-fill, don’t type the credentials in yourself: verify that the pop-up is real first.
You should also enable a strong form of multi-factor authentication (MFA) wherever possible, so that even if your username and password are compromised, attackers won’t have the extra factor needed to actually access your account. Note that some forms of authentication can still be phished; physical security keys, along with biometrics and passkeys, are the most secure options.