Browser in the browser attacks: Why you should watch out
A man-in-the-middle (MITM) attack involves a victim, a website with which the victim wishes to communicate (for example, a bank), and the attacker. The attacker establishes a connection between the victim and the targeted website in order to obtain personal information such as login credentials, bank accounts, and credit card details.
MITMs have been a persistent approach for hackers in their ongoing development. One type of MITM attack is called man-in-the-browser (MITB), in which malware infects your device and displays a phishing clone of your intended website in your browser, tricking you into entering your account information.
Browser in the browser attacks: A new phishing technique
A recent phishing technique known as the browser-in-the-browser (BitB) attack can be used to replicate a browser window within the browser to fake a real domain, allowing for the staging of convincing phishing attacks.
According to penetration tester and security researcher mrd0x on Twitter, the approach leverages third-party single sign-on (SSO) choices such as “Sign in with Google” included on websites (or Facebook, Apple, or Microsoft).
While the typical behavior when a user seeks to sign in using these ways is for a pop-up window to finish the authentication procedure, the BitB attack attempts to recreate this entire process by utilizing a combination of HTML and CSS code to build a totally manufactured browser window.
Interestingly, the approach has previously been abused in the wild. Zscaler published details of a campaign that used the BitB technique to steal credentials for video game digital distribution provider Steam via bogus Counter-Strike: Global Offensive (CS: GO) websites in February 2020.
“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others,” according to Zscaler researcher Prakhar Shrotriya.
“In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.”
While this strategy substantially simplifies the process of mounting effective social engineering operations, it’s worth mentioning that potential victims must be sent to a phishing domain capable of displaying such a false login window in order to harvest credential information.
“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x added.
Spotting Browser in the browser attacks
The only method to be certain is to move the pop-up window around – if the content in the window vanishes off the main browser screen, or if the window cannot be moved at all, it is a phony pop-up attempting too hard.
This type of forgery is not novel; another security researcher described a similar attack three years ago, dubbed “the inception bar.” This phishing bait relies on users scrolling down the fake pop-up, which conceals the URL bar. At this point, the attacker replaces a fake URL bar to acquire the user’s trust.
Another twist on the middleman theme is a series of phishing assaults directed at Counter-Strike: Global Offensive players. The objective here is to obtain a victim’s Steam credentials, which can be used to start additional attacks or to steal digital assets associated with the victim’s account.
The phishing bait, in this case, is based on the creation of a phony chatbox. As with the browser-in-the-browser attack, you can easily determine that it is a forgery when you attempt to resize the window, revealing that it is not a legitimate pop-up but rather an HTML construction that extends beyond the main browser window.
Detecting these phishing lures is not easy, demonstrating that you cannot be too cautious when requested to provide your account information. One strategy to combat these middlemen attacks is to use a more secure browser, such as Avast Secure Browser, that blocks unfamiliar pop-ups.
According to Thomas Salomon, Avast’s Director of Platform Engineering, “Even in the face of these dangers, Avast Secure Browser customers can feel secure. Avast Secure Browser’s industry-leading anti-phishing solution ensures that most phishing assaults are stopped. Nonetheless, Avast is constantly developing enhanced security solutions that aid in the prevention of such phishing attempts on a broad scale.”
How a DPO can help against phishing scams
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Every Organization’s DPO should be able to curb any instances of Phishing scams as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
For instance, at Privacy Ninja, we randomly conduct simulated email phishing to clients to see if there are any vulnerabilities present that a bad actor can exploit and patch them to ensure that the client will never be a victim of such a scam.
DPOs complement the efforts of Organizations in battling scams as DPOs ensure that when there is an instance of a cyberattack, a protocol for dealing with it has been established and can be employed to protect the personal data of clients. DPOs play a crucial role when an organization is hit with phishing attacks as they ensure safeguards are put in place to combat it when it happens.
It is also part of the role of a DPO to ensure that employees are well aware of the latest cybersecurity risks, such as the recent Browser in the browser attacks. Generally, it is well under the duty of a DPO to make sure that employees are knowledgeable of things on the internet that may defraud them and the organization itself.
Canva, for example, offers users the option of logging in with one of three popular accounts. When the user selects Google, a new browser window with a valid URL replaces the existing Canva window.
The OAuth protocol assures that the user’s password is only accessible to Google. Canva is never made aware of the qualifications. Rather than that, OAuth initiates a secure login connection with Google, and when the visitor’s username and password match, Google issues the visitor a token that grants access to Canva. (A similar process occurs when a shopper selects a payment option such as PayPal.)
The BitB approach takes advantage of this arrangement. Rather than opening a true second browser window connected to the website that facilitates login or payment, BitB employs a variety of HTML and cascading style sheets (CSS) methods to convincingly counterfeit the second window.
There is a possibility that the URL displayed there is a genuine address complete with a padlock and HTTPS prefix. The window’s layout and behavior appear to be identical to those of the actual thing.
Malicious links sent through emails that employees click could be the entry point of bad actors in employing BitB attacks. This is why it is best to know if you are at risk of being its next victim. Get your free simulated email spoofing exercise from Privacy Ninja now, and check if your organisation is safe from malicious actors.