What Is a Browser-in-the-Browser (BitB) Attack?


A browser-in-the-browser (BitB) attack is a new phishing technique that simulates a login window with a spoofed domain within a parent browser window to steal credentials. This attack primarily exploits the single sign-on (SSO) authentication model, which allows users to log in to different websites using their existing accounts from services like Google, Facebook, or Microsoft.

The BitB attack is different from traditional phishing attacks, where the user is redirected to a fake website that mimics the appearance of a legitimate one. In a BitB attack, the user stays on the original website but sees a pop-up window that looks like it belongs to the service they want to use for SSO. However, this pop-up window is actually drawn by the attacker with HTML, CSS, and JavaScript, and it can display any URL, including a legitimate one, to trick the user into thinking they are on a safe page.

The BitB attack is very effective because it takes advantage of users’ familiarity and trust in the SSO authentication model, and their lack of attention to browser details. If the user enters their credentials in the fake pop-up window, they are sent to the attacker’s server, while the user may be redirected to the real service or shown an error message.

How does a Browser-in-the-Browser Attack Work?

To carry out a BitB attack, the attacker needs to lure the user to visit a malicious or compromised website that contains the phishing page hosted on the attacker’s server. The phishing page then creates a pop-up window using JavaScript code that simulates the appearance and behavior of a browser window, and displays a fake login form that matches the service that the user wants to use for SSO.

The simulated pop-up window can also show any URL the attacker chooses, such as https://accounts.google.com or https://login.microsoftonline.com, because the attacker’s JavaScript controls the simulated address bar. The user may not notice that this URL is never actually loaded in the pop-up window but is only shown as an image or text. The user may also not notice that the pop-up window has no genuine SSL certificate or browser-provided security indicators; any padlock or other indicator it shows is part of the page content rather than the browser.

If the user falls for the BitB attack and enters their credentials in the fake login form, they are sent to the attacker’s server via an AJAX request or a hidden form submission. The attacker can then use these credentials to access the user’s account on the real service, or launch further attacks such as identity theft or account takeover.
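The two observations above, that a BitB "address bar" is page content rather than browser chrome and that the displayed URL differs from where the credentials actually go, are the kind of signals a security-focused extension can check. The following is an added example, not code from the original article or from any product; the observation shape, sample origins and trusted-IdP list are assumptions constructed for illustration.

```javascript
// Added example: heuristic a browser-extension content script could apply to a
// login surface it has observed. The observation object is an assumed shape.
const TRUSTED_IDP_HOSTS = new Set(['accounts.google.com', 'login.microsoftonline.com']);

// Pull an http(s) URL out of whatever the real or drawn address bar displays.
function parseDisplayedUrl(text) {
  const m = /https?:\/\/[^\s"'<>]+/i.exec(text || '');
  if (!m) return null;
  try { return new URL(m[0]); } catch { return null; }
}

// Host of an origin string such as "https://accounts.google.com", or null if unparseable.
function hostOf(origin) {
  try { return new URL(origin).host; } catch { return null; }
}

// obs.displayedUrl     : URL text the user sees in the address bar
// obs.credentialOrigin : origin of the frame/form that receives the password (null = none)
// obs.isSeparateWindow : true for a real pop-up (own browsing context), false when the
//                        "window" is a DOM element inside the page
function assessLoginSurface(obs) {
  const reasons = [];
  if (!obs.credentialOrigin) return { suspicious: false, severity: 'none', reasons };
  const shown = parseDisplayedUrl(obs.displayedUrl);
  if (!shown) return { suspicious: false, severity: 'none', reasons };
  // 1. A genuine address bar is browser chrome; it is never part of page content.
  if (!obs.isSeparateWindow) reasons.push('address bar rendered by page content');
  // 2. The origin that actually receives the password must match the URL shown.
  if (hostOf(obs.credentialOrigin) !== shown.host) reasons.push('credential origin differs from displayed URL');
  // 3. Spoofing a well-known identity provider is what makes BitB convincing; rank it higher.
  const severity = reasons.length === 0 ? 'none' : (TRUSTED_IDP_HOSTS.has(shown.hostname) ? 'high' : 'medium');
  return { suspicious: reasons.length > 0, severity, reasons };
}

// Constructed observations (not real captures): a genuine SSO pop-up and a BitB imitation.
const SAMPLES = {
  realPopup: { displayedUrl: 'https://accounts.google.com/o/oauth2/auth',
               credentialOrigin: 'https://accounts.google.com', isSeparateWindow: true },
  bitbSpoof: { displayedUrl: 'https://accounts.google.com/o/oauth2/auth',
               credentialOrigin: 'https://phish.example', isSeparateWindow: false },
};

for (const [name, obs] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(assessLoginSurface(obs)));
}
```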

Real-World Examples of BitB Attacks

The BitB attack was first discovered and described by an infosec researcher and pentester known as mr.d0x on their website in April 2022. They demonstrated how this attack could be used to spoof Google’s SSO login page and steal users’ credentials.

Hackers recently used a ‘Browser-in-the-Browser’ attack to target Steam credentials: “It has a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication.” Some of the Steam accounts stolen in these campaigns were reportedly valued between $100,000 and $300,000.

Furthermore, Ghostwriter, a Belarus-based operator of a disinformation campaign in Europe, is using browser-in-the-browser to target organizations in Ukraine and other countries. The campaign is one of several tied to Ukraine that Google has been observing from various threat actors, including nation-state-backed groups from Iran, China, North Korea, and Russia, as well as criminal and financially motivated groups.

How to Protect Yourself Against BitB Attacks?

The BitB attack is a sophisticated and dangerous phishing technique that can bypass many traditional security measures and deceive even vigilant users. However, there are some steps that users can take to protect themselves from this attack:

  1. Try to resize the window. If you are unable to, it is likely a fake browser window.
  2. Fake BitB browser windows might not behave as expected if you close, minimize or maximize them.
  3. The look-and-feel of fake browser windows might not match your operating system, browser theme, etc.
  4. Pay attention to the details of the pop-up window, such as the size, position, appearance and behavior of the elements. If something looks off or unusual, you should close the window and report it.
  5. In general, be careful when clicking on links or opening documents from unknown or suspicious sources.
  6. Use a security-focused browser extension that can detect and block such phishing attempts automatically.
  7. Keep your browser up to date with the latest security patches and update whenever prompted by your browser.
  8. Make sure you have 2FA enabled for all of your critical services.

Prevent Browser-in-the-Browser Attacks with Perception Point

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls, providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, access to sensitive corporate infrastructure and SaaS applications is secured against data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel or proxy traffic through Perception Point.

An all-inclusive managed Incident Response service is available to all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on the fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react to and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.

Contact us for a demo of our Advanced Browser Security solution, today.