Security News > 2022 > March > Browser-in-the-Browser Attack Makes Phishing Nearly Invisible
The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.
The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.
The BitB attack can also flummox those who use the trick of hovering over a URL to figure out if it's legitimate, the researcher said: If JavaScript is permitted, the security safeguard is rendered ineffective.
Password managers, for example, probably wouldn't autofill credentials into a fake BitB popup because software wouldn't interpret the as a real browser window.
"As bad actors get more sophisticated with their attacks, the move to passwordless MFA is more critical now than ever. Eliminate the attack vector by eliminating the password with password-less MFA.".
News URL
https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/
Related news
- Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Firefox Zero-Day Under Attack: Update Your Browser Immediately (source)
- GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks (source)
- Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack (source)
- Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)