Security News > 2022 > March > Browser-in-the-Browser Attack Makes Phishing Nearly Invisible
The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.
The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.
The BitB attack can also flummox those who use the trick of hovering over a URL to figure out if it's legitimate, the researcher said: If JavaScript is permitted, the security safeguard is rendered ineffective.
Password managers, for example, probably wouldn't autofill credentials into a fake BitB popup because software wouldn't interpret the as a real browser window.
"As bad actors get more sophisticated with their attacks, the move to passwordless MFA is more critical now than ever. Eliminate the attack vector by eliminating the password with password-less MFA.".
News URL
https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/
Related news
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- GenAI makes phishing attacks more believable and cost-effective (source)
- CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force (source)
- Inside the incident: Uncovering an advanced phishing attack (source)
- Ongoing phishing attack abuses Google Calendar to bypass spam filters (source)
- Malicious Browser Extensions are the Next Frontier for Identity Attacks (source)