Browser-in-the-Browser Attack Makes Phishing Nearly Invisible (Security News, March 2022)

The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.
The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.
The BitB attack can also flummox those who use the trick of hovering over a URL to figure out if it's legitimate, the researcher said: If JavaScript is permitted, the security safeguard is rendered ineffective.
Password managers, for example, probably wouldn't autofill credentials into a fake BitB popup, because the software wouldn't recognize it as a real browser window.
"As bad actors get more sophisticated with their attacks, the move to passwordless MFA is more critical now than ever. Eliminate the attack vector by eliminating the password with password-less MFA."
News URL
https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/