Browser-in-the-browser attack: a new phishing technique

We explain a new sneaky technique for stealing passwords, and how to avoid being tricked by a phishing site.

What is a browser-in-the-browser (BitB) attack

In their relentless pursuit of folks’ credentials, secret keys and other valuable information, cybercriminals are continually inventing new ways to deceive users. It’s worth noting that normally, no matter how sophisticated these schemes become, they’re all aimed at users who drop their guard. If you just pay close attention to a few details — first and foremost, the address of the website where you’re being asked to enter your credentials — you won’t be a phishing victim.

At least, that’s almost always the case. But today we want to tell you about an attack that works differently, with the URL looking correct and safe to the victim. Let’s walk through it.

Why are there errors in the addresses of phishing sites?

Every domain address that you see in the address bar is unique and always assigned to its owner. If someone wants to create a website, they first need to contact a special organization that registers domain names. They’ll check an international database to make sure the address isn’t already taken. If it’s available, it gets assigned to the applicant.

This means that it’s impossible to register a fake website with the same address as a real website. However, it is quite possible to create a domain that’s very similar to someone else’s by choosing a similar domain zone: for example, Colombia (.co) instead of Canada (.ca). But if you look closely at the address, that’s easy to spot.

This is why instead of registering domains, sophisticated minds came up with the idea to simulate a browser window with a trusted site’s address appearing on a page.

What is a browser-in-the-browser attack?

This type of attack, which has come to be known as a “browser-in-the-browser” attack was described by an infosec researcher and pentester going by the handle mr.d0x. He noticed that modern means of creating websites (HTML, CSS, and JavaScript tools) have become so advanced they can display practically anything on the page: from fields of any color or shape, to animation that imitates the moving components of the interface. This means that a phisher can also use them to simulate a full-fledged page from a different service inside their own website.

For the experiment, mr.d0x looked at pop-up login windows. You’ve probably seen them: they appear when you choose an option like “Sign in with Google” or “Continue with Apple” instead of creating an account on a website. This option is convenient because you don’t need to come up with and remember a new password or wait for confirmation links or codes. Also, this sign-up method is rather safe. When you push the Sign in with button, it opens the page of the relevant service on which you enter your credentials, and the website you’re logging in to with this option never receives the password, not even temporarily.

This is what a real login window for a third-party service looks like

This is what a real login window for a third-party service looks like

Enter a browser-in-the-browser attack. It works like this: The cybercriminals register a website using the classic phishing technique of making a clone of a legitimate website. Alternatively, they could choose an attractive address and content that may lure victims — such as shopping deals, job opportunities, or news a user might want to comment on. The criminals set things up so that visitors need to sign in if they want to buy something, comment, or access other features that interest them. Then the malefactors add buttons that supposedly permit logging in through the legitimate services they want to harvest passwords from.

If victims click on such a button, they’ll see a login window they’re familiar with, such as a Microsoft, Google, or Apple prompt, with the correct address, logo, and input fields — in short, all the components of the interface they’re used to seeing. The window can even display correct addresses when users hover the mouse over the “Log in” button and “Forgot password” link.

The catch is that this isn’t actually a separate window — this marvel of deception is scripted to appear right on the page that is trying to trick the user. If you enter your credentials in this window, they won’t go to Microsoft, Google, or Apple, but rather straight to the cybercriminal’s server. Here you can see what this may look like.

How can you tell if the login window is fake?

Although there’s nothing about the bogus login window that looks obviously fake, there are ways to identify it as such.

Real login windows are browser windows, and they act that way. You can maximize and minimize them and move them anywhere on the screen. Fake pop-ups are bound to the page where they’re located. They can also move freely and cover buttons and images, but only inside their boundaries — that is, within the browser window. They cannot go outside it. That difference should help you spot them.

To check whether the login form on your screen is fake, try the following:

  • Minimize the browser window the form popped up from. If the login form that is supposed to be in a separate window vanishes too, then it’s fake. A real window should stay on the screen.
  • Attempt to move the login window beyond the parent window border. A real window will easily cross over; a fake one will get stuck.

If the window with the login form behaves oddly — it minimizes with the other window, stops under the address bar, or disappears under it — it is fake, and you should not enter your credentials.

Is there an easier way to protect myself?

The attack is not as dangerous as it might seem at first glance. Although it’s quite hard for humans to spot a browser-in-the-browser attack, your computer can help you. No matter what is scripted on a dangerous site, the real address remains the same, and that’s what matters to a security solution.

  • Make sure to use a password manager for all your accounts. It verifies the page’s real address, and it will never enter your credentials into the fields of an unknown site, no matter how legitimate it may look.
  • Install a robust security solution with an anti-phishing module. This solution also verifies the URL for you and will warn you immediately if a page is dangerous.

And of course, remember to use two-factor authentication. Enable it wherever you have the option to do so, including on all social networks. Then, even if attackers steal your credentials, they won’t be able to access your account without a one-time code, which will be sent to you, not them.

If you want more powerful protection for your extra valuable accounts, we recommend that you use U2F hardware tokens (the best known example being YubiKey). This system checks not only a website’s address but also if it knows the encryption key. As a result, it is impossible to make it through such an authentication system even if the original site and its twin look identical.