A new browser-in-the-browser attack technique can be exploited to spoof legitimate domains
A new phishing technique dubbed browser-in-the-browser (BitB) attack allows threat actors to simulate a browser window within a browser, spoofing a legitimate domain and initiating a convincing phishing attack.
A penetration tester and security researcher, known as mrd0x on Twitter, explained how the method takes advantage of third-party single sign-on (SSO) options on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).
The default behavior of a sign-in method such as this is to greet users with a pop-up window in which they complete the authentication process. BitB attacks aim to replicate this process using a mix of HTML and CSS code, presenting users with a fabricated browser window. Read more: https://bit.ly/3D2u0DF