
This browser-in-browser attack is perfect for phishing
2022-03-18 20:56

Bypassing the defenses built into a user's browser to make them trust a malicious page tends to be difficult without an exploitable vulnerability, thanks to browser security mechanisms such as Content Security Policy and the same-origin policy.

The BitB attack extends this technique by creating an entirely fabricated browser window, including trust signals like a locked padlock icon and a known URL. You think you're seeing a real popup window, but it's actually just faked within the page, and ready to capture your credentials.

"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable."

Pointing to research published last year by Adalytics indicating that 70 percent of top publisher websites fail to sandbox the iframes used to serve ads, ad fraud researcher Augustine Fou told The Register that he worries BitB will be used by those serving malvertising, or malicious ads.

Eliya Stein, a researcher at ad security biz Confiant, told The Register that while his firm's data indicates about half of all iframes are unsandboxed and that a friendly frame - not cross-origin - pushing malicious JavaScript is a plausible hypothetical attack, it's not one that fits well into the economic model of malvertising.

While Stein said the supply-side platforms that serve ads have security systems that scan for malicious code, and that there are other mitigating factors related to how publishers configure their websites, both Fou and Franaszek indicated that ad ecosystem security is often lacking and that there are ways to craft malicious code to hide from scanners.
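The unsandboxed-iframe point raised by Fou and Stein is the part a publisher can actually audit. The following is an added example, not code from the article or from any vendor mentioned in it: a small Node script that scans a page's HTML for `<iframe>` elements and flags frames with no `sandbox` attribute, a same-origin ("friendly") frame whose sandbox tokens let it strip its own sandbox, and frames allowed to navigate the top-level page. The page origin and sample HTML are constructed placeholders.

```javascript
// Added example (not from the article or any vendor): audit a page's <iframe>
// elements and report which ones an ad slot could abuse. A regex tag scanner
// keeps it runnable under plain Node; real audits should use the live DOM.
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// pageOrigin is the origin of the audited document (constructed value below).
function auditIframes(html, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  const findings = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src ?? "";
    // A frame with no src (about:blank or srcdoc) inherits the embedder's origin.
    const sameOrigin = src === "" || new URL(src, origin).origin === origin;
    let level = "ok";
    let reason = "sandboxed: " + (attrs.sandbox || "(all restrictions)");
    if (!("sandbox" in attrs)) {
      [level, reason] = ["high", "no sandbox attribute"];
    } else {
      const t = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
      if (sameOrigin && t.includes("allow-scripts") && t.includes("allow-same-origin")) {
        // With both tokens a same-origin frame can simply remove its own sandbox.
        [level, reason] = ["high", "same-origin frame can strip its sandbox"];
      } else if (t.includes("allow-top-navigation")) {
        [level, reason] = ["medium", "frame may navigate the top-level page"];
      }
    }
    findings.push({ src, sameOrigin, level, reason });
  }
  return findings;
}
// Constructed sample page for the demo; hosts are placeholders, not real sites.
const SAMPLE_HTML = `
<div class="ad-slot"><iframe src="https://ads.example.net/slot1"></iframe></div>
<iframe src="/partner/widget" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://ads.example.net/slot2" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src='https://ads.example.net/slot3' sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe sandbox src="https://ads.example.net/slot4"></iframe>
`;
const demo = () => auditIframes(SAMPLE_HTML, "https://publisher.example");
for (const f of demo()) console.log(`[${f.level}] ${f.src || "(no src)"}: ${f.reason}`);
```

Cross-origin ad frames that carry both `allow-scripts` and `allow-same-origin` are reported as sandboxed, since the escape only works when the framed document shares the embedder's origin.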


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/18/browser_in_browser_phishing/