New attack technique makes phishing near undetectable

A new browser-in-the-browser attack technique can be exploited to spoof legitimate domains

A new phishing technique dubbed browser-in-the-browser (BitB) attack allows threat actors to simulate a browser window within a browser, spoofing a legitimate domain and initiating a convincing phishing attack.

A penetration tester and security researcher, known as mrd0x on Twitter, explained how the method takes advantage of third-party single sign-on (SSO) options on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

The default behavior of a sign-in method such as this is to greet users with a pop-up window in which they complete the authentication process. BitB attacks replicate this process using a mix of HTML and CSS code, presenting users with a fabricated browser window whose title bar and address bar show the legitimate provider's domain even though it is just page content rendered inside the attacker's site.
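Because the fake window is ordinary page content, a defender can look for its telltale: text that looks like a trusted SSO provider's URL rendered as plain text (a drawn address bar) on a page that is not served from that provider. The script below is an added example, not code from the article or from mrd0x; it uses only the Python standard library, scans constructed sample HTML for that pattern, and treats the list of trusted SSO hosts and the sample page hostname as assumptions for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample page: it is served from phishing-example.invalid (assumed
# host) and contains a fabricated "popup" whose drawn address bar claims to be
# accounts.google.com, plus one genuine hyperlink to the real provider.
SAMPLE_HTML = """
<html><body>
<button class="sso">Sign in with Google</button>
<div id="fake-window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="urlbar">https://accounts.google.com/o/oauth2/auth</div>
  <iframe src="https://phishing-example.invalid/fake-login.html"></iframe>
</div>
<p>Need help? <a href="https://accounts.google.com/signin">Real link</a></p>
</body></html>
"""

# Assumed set of third-party SSO hosts whose URL should never appear as
# drawn text on someone else's page; extend for your own environment.
TRUSTED_SSO_HOSTS = {
    "accounts.google.com",
    "login.microsoftonline.com",
    "appleid.apple.com",
    "www.facebook.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class DrawnUrlFinder(HTMLParser):
    """Collects URL-looking text that is not inside a real <a> element."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.open_tags = []      # simple tag stack to know if we are in <a>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag (tolerates sloppy markup).
        if tag in self.open_tags:
            while self.open_tags and self.open_tags.pop() != tag:
                pass

    def handle_data(self, data):
        if "a" in self.open_tags:
            return  # text of a genuine hyperlink is expected to contain URLs
        for match in URL_RE.finditer(data):
            url = match.group()
            host = urlsplit(url).hostname
            # A trusted provider's URL drawn as text on a foreign page is the
            # signature of a spoofed address bar.
            if host in TRUSTED_SSO_HOSTS and host != self.page_host:
                self.findings.append({"host": host, "url": url})


def find_spoofed_address_bars(html, page_host):
    """Return the drawn trusted-provider URLs found on a page served by page_host."""
    finder = DrawnUrlFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_spoofed_address_bars(SAMPLE_HTML, "phishing-example.invalid"):
        print(f"spoofed address bar: {hit['url']} (claims {hit['host']})")
```

The heuristic is deliberately narrow: it fires only on a trusted provider's URL shown as page text while the page itself is not that provider, so a legitimate page served by the provider, or a page that merely links to it, produces no finding. The non-technical check users can apply is the same idea from the other side: a genuine sign-in pop-up is a separate browser window and can be dragged outside the main window, whereas a BitB fake stays trapped inside the page that drew it.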

