The Browser In The Browser (BitB) Phishing Attack Is Deadly

According to penetration tester and security researcher, who goes by the handle mrd0x_, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window:

With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).

Well, that’s not good. Largely because one thing that I tell users to do during the security training that I provide is to check the URL. But reading the write up that mrd0x_ has, this advice no longer has any value.

Lucas Budman, CEO of TruU ( had this to say:

“Bad actors continue to create clever ways to trick people into thinking that their malicious sites are actually a valued business resource. With these exploits, it’s only a matter of time before employees unknowingly provide their passwords to the wrong person (and relegating MFA to a single factor as the password is already compromised). This is particularly dangerous because people re-use passwords including places that are not MFA enabled. As long as username/password is used, even with 2FA, it is completely vulnerable to such attacks. As bad actors get more sophisticated with their attacks, the move to passwordless MFA is more critical now than ever. Eliminate the attack vector by eliminating the password with password-less MFA.”

It will be interesting to see what sites do to combat this attack. In the meantime, looking into passwordless authentication is one option to keep yourself safe as Google and Microsoft do support that. And many other companies have or are coming to market with similar solutions.

UPDATE: Chris Olson, CEO, The Media Trust had this to say:

“Web-based attackers have become increasingly sophisticated: from the backend, they’re using obfuscated and polymorphic code to dodge blockers or URL filters; from the front end, they are using elaborate JavaScript constructions to deceive even the most vigilant Internet users – the Browser-in-the-Browser attack is a perfect example.”

“Combined with malicious redirects embedded on-site through compromised third-party code, this technique provides a method that attackers could use to funnel users from a legitimate website (like CNN) to a fraudulent one without requiring them to click on a single ad or suspicious email. This is just one of many reasons we say organizations need to be more focused on Web and mobile devices: these digital channels are the next frontier for malicious actors.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: