SoftwaresCRM: Guides for learning to browse on Android

How you can protect yourself from browser-in-the-browser phishing

The “browser-in-the-browser” phishing technique is dangerous and difficult to detect, but you can protect yourself against it.

This Google Chrome phishing is almost undetectable: Here
Phishing is among the most common attacks used to steal user data on the Internet.

The cybersecurity researcher mr.d0x has discovered a new method that attackers could use to steal user credentials and, with them, access sensitive information such as the contents of the victim's Google or Facebook account.

This attack has been dubbed “Browser in the Browser” (BITB) and consists of simulating a single sign-on (SSO) window like the one many websites offer for accessing user profiles through a Google, Facebook, Twitter or Apple account, among others.

What is “browser in a browser”, a new and sophisticated phishing technique?

It is very common for websites or applications to offer the option to sign in with our Google, Microsoft, Facebook or Apple account. When we select one of these options, a window opens that lets us enter the credentials of the user account used to access that platform or website.

Most modern browsers, such as Google Chrome, provide security mechanisms that make this type of sign-in secure, among them Content Security Policy (CSP) and the same-origin policy.

And although various techniques have been developed to try to get around these security mechanisms, Browser in the Browser goes a step further: the attack draws an entirely new browser window that contains all the elements we would expect in a secure window, such as the icons or the URL. In reality, though, the user is entering their credentials in a fake window.


A fake login window next to a genuine one: practically indistinguishable.

Creating the attack is relatively easy. In fact, mr.d0x claims that all that is needed is to replicate the layout of the browser window with HTML and CSS code. Even so, the window is almost indistinguishable from a genuine, trustworthy one. The animated image below shows how it works in more detail:


Animated image: a browser-in-the-browser attack in real time.

The hacker has also shared examples on GitHub of how to implement this type of attack.
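To make the mismatch concrete from the defender's side, here is an added example (not from the article and not mr.d0x's GitHub material): a heuristic scanner over static HTML that flags markup where a URL painted into the page, for instance in a fake address bar, names a host other than the one actually serving a login frame. The HTML samples and hostnames below are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches an absolute http(s) URL painted into text or an input value.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s<>\"']*)?")

class _Collector(HTMLParser):
    """Collects iframe src values and every URL shown to the user as text."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.shown_urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.frame_srcs.append(attrs["src"])
        # A painted address bar is often a read-only <input> holding the URL.
        if tag == "input" and attrs.get("value"):
            self.shown_urls.extend(URL_RE.findall(attrs["value"]))

    def handle_data(self, data):
        self.shown_urls.extend(URL_RE.findall(data))

def _host(url, page_host):
    """Hostname of url; a relative src is served from the page's own host."""
    return urlparse(url).hostname or page_host

def find_bitb_indicators(html, page_host):
    """Return sorted (displayed_host, real_host) pairs where a URL painted into
    the page names a host other than the one actually serving a frame."""
    c = _Collector()
    c.feed(html)
    shown = {_host(u, page_host) for u in c.shown_urls}
    real = {_host(s, page_host) for s in c.frame_srcs}
    return sorted((s, r) for s in shown for r in real if s != r)

# Constructed sample: a div styled as a popup whose painted address bar names
# the identity provider, while the login form is really a same-site iframe.
SUSPECT_HTML = """<div class="win"><div class="titlebar">Sign in</div>
<div class="addressbar"><input value="https://accounts.example.com/signin" readonly></div>
<iframe src="/login.html"></iframe></div>"""

# Constructed benign sample: the visible URL and the frame agree on the host.
BENIGN_HTML = """<p>Signing in at https://accounts.example.com</p>
<iframe src="https://accounts.example.com/embed"></iframe>"""

if __name__ == "__main__":
    print(find_bitb_indicators(SUSPECT_HTML, "phish.example.net"))
    print(find_bitb_indicators(BENIGN_HTML, "accounts.example.com"))
```

The check is deliberately static and only catches the simplest layout; a real popup opened with window.open is a separate top-level browsing context whose address bar the page cannot paint, which is what this heuristic relies on.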

How to avoid this type of attack?

Although it appears to be a very effective phishing technique for stealing user credentials, mr.d0x explains that for it to work the victim would first have to visit a compromised website and decide to log in there. There is also the caveat that the attack would only work in desktop browsers, so it would not affect the mobile versions on iOS or Android.

The attack can also be avoided by using a password manager that autofills text fields, since such software would not fill in a fake browser window.

Likewise, using two-step verification can save us a lot of trouble, because even after we have handed our credentials to a potential attacker, he or she would still need access to the verification code to get into the account.
