What is a Browser-in-Browser attack?
What’s up nerds! Mr.D0x has yet another attack vector mapped out for us. At the beginning of March, an article was published here. It describes a new phishing attack called “Browser-in-Browser” or BITB. The attack uses HTML and CSS to draw a fake pop-up inside the browser page that spoofs a login window such as Windows, Google, etc. Below is a demo of Mr.D0x showing the difference between a phishing login and a normal login.
You might be wondering why this sign-in flow is important. Most online services today let you sign in with your Apple, Gmail, or Facebook account and connect your accounts. When you select this option, a new browser window opens with a login page displayed. This is OAuth, and hundreds of sites use this protocol to help users avoid having to create a new account.
How is it used?
So here is the problem: as with any phishing campaign, this attack requires your victim to land on the page and click on the link. There are different ways to achieve this goal, one of them being the creation of a spoofed site that uses the OAuth protocol. After creating the site, we need to perform reconnaissance on the target machine. We need to know the operating system and browser preferences to know which pop-up template we should use. Then, once deployed, all we need to do is wait for the victim to land on our page, and they will have the ultimate peace of mind believing that they are safely connecting to what appears to be a legitimate site.
Let me explain. This technique uses HTML and Cascading Style Sheets (CSS) to create a pop-up with the login form, but it is not a new browser window. With HTML, we create a window inside the native browser's page and style it with CSS to look like the native browser. This gives us a window with logos, input fields, and even an address bar with a valid URL displayed to inspire more trust in our target.
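Because the fake window is drawn by the page itself, its "address bar" is ordinary text in the DOM, which a defender can check for. The sketch below is an added example, not code from Mr.D0x's article or templates; the node shape, the function names and the `.example`/`.test` hostnames are assumptions made for illustration.

```javascript
// Added defensive example. A genuine OAuth pop-up is a separate window, so its
// address bar is never in the page's DOM; a BitB "address bar" is page text.
// Nodes are plain objects {tag, style, attrs, text, children} (assumed shape).
const HOST_RE = /\b(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i;

function walk(node, visit) {
  visit(node);
  for (const child of node.children || []) walk(child, visit);
}

// Positioned elements are what a page uses to float a fake window over itself.
function isOverlay(node) {
  const pos = (node.style || {}).position;
  return pos === "fixed" || pos === "absolute";
}

// True if the subtree holds a password field or an iframe that could host one.
function collectsCredentials(node) {
  let found = false;
  walk(node, (n) => {
    const type = (n.attrs || {}).type;
    if (n.tag === "iframe" || (n.tag === "input" && type === "password")) found = true;
  });
  return found;
}

// Returns the foreign hostnames displayed as text inside credential overlays.
function findFakeAddressBars(root, pageHost) {
  const hosts = new Set();
  walk(root, (node) => {
    if (!isOverlay(node) || !collectsCredentials(node)) return;
    walk(node, (n) => {
      const m = HOST_RE.exec(n.text || "");
      if (m && m[1].toLowerCase() !== pageHost.toLowerCase()) hosts.add(m[1].toLowerCase());
    });
  });
  return [...hosts];
}

// Constructed sample pages (reserved .example/.test names, not real sites).
const loginForm = { tag: "form", children: [{ tag: "input", attrs: { type: "password" } }] };
const bitbPage = { tag: "body", children: [
  { tag: "div", style: { position: "fixed" }, children: [
    { tag: "span", text: "https://accounts.idp.example/signin" }, loginForm ] } ] };
const ownModalPage = { tag: "body", children: [
  { tag: "footer", text: "Sign in with accounts.idp.example" },
  { tag: "div", style: { position: "fixed" }, children: [
    { tag: "span", text: "Log in to shop.example.test" }, loginForm ] } ] };
console.log(findFakeAddressBars(bitbPage, "shop.example.test"));     // flagged
console.log(findFakeAddressBars(ownModalPage, "shop.example.test")); // not flagged
```

This is a heuristic: an address bar rendered as an image contains no URL text and would not be flagged, so it complements the drag-the-window check rather than replacing it.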
Where can I download BitB samples?
They created the following Chrome templates for Windows and Mac:
Windows – Chrome (light and dark mode)
Mac OSX – Chrome (light and dark mode)
Finally, the Browser-in-Browser phishing technique is simple to implement and very effective. This attack can be used on n00bs and on experienced Internet users alike. Remember, if you can’t move the pop-up out of the browser window, you know it’s a BitB attack. Mr.D0x did it again and his templates get 3 out of 5 bunnies.