Security News > 2022 > March > Browser-in-the-Browser Attack Makes Phishing Nearly Invisible
The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.
The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.
The BitB attack can also flummox those who use the trick of hovering over a URL to figure out if it's legitimate, the researcher said: If JavaScript is permitted, the security safeguard is rendered ineffective.
Password managers, for example, probably wouldn't autofill credentials into a fake BitB popup because software wouldn't interpret the as a real browser window.
"As bad actors get more sophisticated with their attacks, the move to passwordless MFA is more critical now than ever. Eliminate the attack vector by eliminating the password with password-less MFA.".
News URL
https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/
Related news
- Three Reasons Why the Browser is Best for Stopping Phishing Attacks (source)
- Browser-in-the-Browser attacks target CS2 players' Steam accounts (source)
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)
- iOS devices face twice the phishing attacks of Android (source)
- Browser extensions make nearly every employee a potential attack vector (source)
- Windows NTLM hash leak flaw exploited in phishing attacks on governments (source)
- Phishing detection is broken: Why most attacks feel like a zero day (source)
- DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack (source)
- Low-tech phishing attacks are gaining ground (source)
- MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks (source)