Security News > 2022 > March > New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable

A novel phishing technique called the browser-in-the-browser (BITB) attack can be used to simulate a pop-up browser window inside the real browser window, complete with a fake address bar showing a legitimate domain, making it possible to stage highly convincing phishing attacks against single sign-on style login prompts.
"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable," mrd0x said in a technical write-up published last week.
"JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc."
While this method makes it significantly easier to mount effective social engineering campaigns, it is worth noting that potential victims still have to be lured to an attacker-controlled domain that renders the fake authentication window; the credential harvesting happens there, and the browser's real address bar continues to show the attacker's domain, not the spoofed one.
"But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website," mrd0x added.
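The following is an added example, not code from the article or from mrd0x's write-up. It builds the kind of overlay the technique relies on (an in-page element styled as an OS window, a fake address bar showing a trusted origin, and an iframe that actually loads the phishing page), and then shows the check a browser extension or content inspector could apply: the origin printed in the fake address bar never matches the origin the iframe really loads. The origins and the markup are constructed for illustration, and the HTML is handled as a string so the example runs under Node without a DOM.

```javascript
// Added example (not part of the original page). All origins are hypothetical.
const SPOOFED_ORIGIN = "https://accounts.example.com";        // what the victim is meant to see
const PHISHING_PAGE  = "https://login-portal.example.net/sso"; // what the iframe really loads

// Build the markup of a BITB overlay. Real browser chrome lives outside the
// DOM; this "window" lives inside it, which is what the checker below exploits.
function buildFakeWindow(displayedUrl, iframeSrc) {
  return [
    '<div class="bitb-window" style="position:fixed;top:80px;left:200px;width:480px;',
    'height:560px;border:1px solid #999;border-radius:6px;background:#fff;z-index:9999">',
    '  <div class="bitb-titlebar" style="height:28px;background:#e8e8e8"></div>',
    '  <div class="bitb-urlbar" style="padding:4px 8px;font-family:sans-serif">',
    `    <span class="bitb-lock">&#128274;</span> <span class="bitb-url">${displayedUrl}</span>`,
    '  </div>',
    `  <iframe src="${iframeSrc}" style="width:100%;height:500px;border:0"></iframe>`,
    '</div>',
  ].join('\n');
}

// Every iframe src attribute, and every URL rendered as visible text
// (text between a ">" and a "<", i.e. something the victim can read).
const IFRAME_SRC_RE = /<iframe\b[^>]*\ssrc=["']([^"']+)["']/gi;
const URL_TEXT_RE   = />\s*(https?:\/\/[^\s<"']+)\s*</gi;

// Reduce a URL to its origin; malformed strings are ignored.
function originOf(u) {
  try { return new URL(u).origin; } catch { return null; }
}

// Heuristic: a visible URL whose origin differs from an embedded iframe's
// origin is a candidate fake address bar. Returns one finding per pair.
function findMismatches(html) {
  const iframeOrigins = [...html.matchAll(IFRAME_SRC_RE)]
    .map((m) => originOf(m[1]))
    .filter(Boolean);
  const displayedOrigins = [...html.matchAll(URL_TEXT_RE)]
    .map((m) => originOf(m[1]))
    .filter(Boolean);
  const findings = [];
  for (const shown of displayedOrigins) {
    for (const loaded of iframeOrigins) {
      if (shown !== loaded) findings.push({ shown, loaded });
    }
  }
  return findings;
}

// Demo on the constructed overlay: one finding, accounts.example.com shown,
// login-portal.example.net actually loaded.
console.log(findMismatches(buildFakeWindow(SPOOFED_ORIGIN, PHISHING_PAGE)));
```

The heuristic is deliberately narrow: it only flags a visible URL string that disagrees with an embedded frame's origin, so a site that legitimately frames its own login page produces no finding. A manual check that needs no code is to try dragging the "pop-up" past the edge of the browser window; a real window can leave the parent's viewport, while an in-page overlay is clipped by it.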
News URL
https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html
Related news
- Three Reasons Why the Browser is Best for Stopping Phishing Attacks
- Ukrainian military targeted in new Signal spear-phishing attacks
- Browser-in-the-Browser attacks target CS2 players' Steam accounts
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks
- iOS devices face twice the phishing attacks of Android
- Browser extensions make nearly every employee a potential attack vector
- Windows NTLM hash leak flaw exploited in phishing attacks on governments
- Phishing detection is broken: Why most attacks feel like a zero day
- DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack
- Low-tech phishing attacks are gaining ground