Security News > 2022 > March > Browser-in-the-Browser Attack Makes Phishing Nearly Invisible

The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.
The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.
The BitB attack can also flummox those who use the trick of hovering over a URL to figure out if it's legitimate, the researcher said: If JavaScript is permitted, the security safeguard is rendered ineffective.
Password managers, for example, probably wouldn't autofill credentials into a fake BitB popup because software wouldn't interpret the as a real browser window.
"As bad actors get more sophisticated with their attacks, the move to passwordless MFA is more critical now than ever. Eliminate the attack vector by eliminating the password with password-less MFA.".
News URL
https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/
Related news
- Three Reasons Why the Browser is Best for Stopping Phishing Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- YouTube warns of AI-generated video of its CEO used in phishing attacks (source)
- Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials (source)
- Ukrainian military targeted in new Signal spear-phishing attacks (source)
- Browser-in-the-Browser attacks target CS2 players' Steam accounts (source)
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)
- iOS devices face twice the phishing attacks of Android (source)
- Browser extensions make nearly every employee a potential attack vector (source)
- Windows NTLM hash leak flaw exploited in phishing attacks on governments (source)