Blokland Prive Vakantiehuizen
New Phishing Toolkit Lets Anyone Create Fake Chrome Browser Windows

March 19, 2022
Sarah N. Randall

A phishing kit has been released that allows red teams and aspiring cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows.

When logging into websites, it’s common to see the option to log in with Google, Microsoft, Apple, Twitter, or even Steam.

For example, the login form for DropBox allows you to sign in using an Apple or Google account, as shown below.

[Image: DropBox login form]

When you click the Sign in with Google or Sign in with Apple buttons, a single sign-on (SSO) browser window appears, prompting you to enter your credentials and sign in with that account.

These popup windows are stripped down to show only the login form and an address bar displaying the URL of the login page.

[Image: Legitimate Sign in with Google window]

Although the address bar in these SSO windows is disabled, you can still use the URL it displays to verify that a legitimate google.com domain is being used to sign in to the site. That URL adds to the credibility of the form and makes you feel comfortable entering your login credentials.

Threat actors have attempted to create fake SSO popups using HTML, CSS, and JavaScript in the past, but there is usually something slightly off about them, which makes them look suspicious.

Overview of Browser in Browser Attacks

This is where the new “browser-in-browser (BitB) attack” comes in: it uses pre-made templates to create fake but realistic Chrome pop-up windows, complete with custom address-bar URLs and titles, that can be used in phishing attacks.

Basically, the attack draws a fake browser window inside the real browser window (hence “browser in browser”) to build a convincing phishing page.

The browser-in-browser templates were created by security researcher mr.d0x, who posted them on GitHub. They include Google Chrome templates for Windows and Mac, each in dark- and light-mode variants.

[Image: Example of BitB Chrome phishing window for Facebook (Source: mr.d0x)]

mr.d0x told BleepingComputer that the templates are very easy to use to create compelling Chrome windows to display single sign-on login forms for any online platform.

The researcher said red teamers can simply download the templates, modify them to contain the desired URL and window title, and then use an iframe to display the login form inside the fake window.

It’s also possible to add the login form HTML directly into the template, but mr.d0x told BleepingComputer that the form then needs to be properly aligned using CSS and HTML.

Kuba Gretzky, the creator of the Evilginx phishing toolkit, tested the new method and showed that it works perfectly with the Evilginx platform, which means it could be adapted to steal 2FA keys during phishing attacks.

Spoofing the Sec-Fetch-Dest value to “document” worked like a charm and it’s beautiful

Evilginx loves it!

Congratulations again to @mrd0x pic.twitter.com/ODjblvNvho

— Kuba Gretzky (@mrgretzky) March 15, 2022

mr.d0x told BleepingComputer that this is not a new technique, and that Zscaler reported in 2020 that it was being used by fake gaming sites to steal Steam IDs.

Huh, looks like Steam scams are evolving. Someone tried to phish me with this really clever fake Steam login page earlier today, which usually failed because I opened the window on my little second monitor. Watch out, everyone. pic.twitter.com/npGbmAqjgH

— TheAppleFreak (@theaaplfreak) January 5, 2020

However, now that pre-made templates for fake Chrome windows are available, red teamers can use them to create compelling phishing login forms to test the defenses of their customers or their own company’s employees.

For those who want to try out the browser-in-browser phishing technique in an authorized engagement, the templates are available on GitHub.
