Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Browser in the browser attacks: Why you should watch out

Browser in the browser attacks
Browser in the browser attacks are the recent phishing technique to be aware of, used to replicate a browser window within the browser to fake a real domain.

Browser in the browser attacks: Why you should watch out

A man-in-the-middle (MITM) attack involves a victim, a website with which the victim wishes to communicate (for example, a bank), and the attacker. The attacker establishes a connection between the victim and the targeted website in order to obtain personal information such as login credentials, bank accounts, and credit card details. 

MITMs have been a persistent approach for hackers in their ongoing development. One type of MITM attack is called man-in-the-browser (MITB), in which malware infects your device and displays a phishing clone of your intended website in your browser, tricking you into entering your account information.

However, there is another type of “middleman” attack, dubbed browser-in-the-browser by one security researcher. The concept is that a hacker can develop JavaScript code to display a pop-up window, another phishing ruse designed to trick you into typing your account details. It’s difficult to tell if it’s authentic.

BitB: A new phishing technique

Browser in the browser attacks: A new phishing technique

A recent phishing technique known as the browser-in-the-browser (BitB) attack can be used to replicate a browser window within the browser to fake a real domain, allowing for the staging of convincing phishing attacks.

According to penetration tester and security researcher mrd0x on Twitter, the approach leverages third-party single sign-on (SSO) choices such as “Sign in with Google” included on websites (or Facebook, Apple, or Microsoft).

While the typical behavior when a user seeks to sign in using these ways is for a pop-up window to finish the authentication procedure, the BitB attack attempts to recreate this entire process by utilizing a combination of HTML and CSS code to build a totally manufactured browser window.

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” says mrd0x. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading, etc.”

Interestingly, the approach has previously been abused in the wild. Zscaler published details of a campaign that used the BitB technique to steal credentials for video game digital distribution provider Steam via bogus Counter-Strike: Global Offensive (CS: GO) websites in February 2020.

“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others,” according to Zscaler researcher Prakhar Shrotriya.

“In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.”

While this strategy substantially simplifies the process of mounting effective social engineering operations, it’s worth mentioning that potential victims must be sent to a phishing domain capable of displaying such a false login window in order to harvest credential information.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x added.

Also Read: PDPA Compliance for MCST: The importance of hiring a DPO

BitB attacks can be used to replicate a browser window within the browser to fake a real domain, allowing for the staging of convincing phishing attacks.

Spotting Browser in the browser attacks

The only method to be certain is to move the pop-up window around – if the content in the window vanishes off the main browser screen, or if the window cannot be moved at all, it is a phony pop-up attempting too hard. 

This type of forgery is not novel; another security researcher described a similar attack three years ago, dubbed “the inception bar.” This phishing bait relies on users scrolling down the fake pop-up, which conceals the URL bar. At this point, the attacker replaces a fake URL bar to acquire the user’s trust.

Another twist on the middleman theme is a series of phishing assaults directed at Counter-Strike: Global Offensive players. The objective here is to obtain a victim’s Steam credentials, which can be used to start additional attacks or to steal digital assets associated with the victim’s account.

The phishing bait, in this case, is based on the creation of a phony chatbox. As with the browser-in-the-browser attack, you can easily determine that it is a forgery when you attempt to resize the window, revealing that it is not a legitimate pop-up but rather an HTML construction that extends beyond the main browser window.

Detecting these phishing lures is not easy, demonstrating that you cannot be too cautious when requested to provide your account information. One strategy to combat these middlemen attacks is to use a more secure browser, such as Avast Secure Browser, that blocks unfamiliar pop-ups.

According to Thomas Salomon, Avast’s Director of Platform Engineering, “Even in the face of these dangers, Avast Secure Browser customers can feel secure. Avast Secure Browser’s industry-leading anti-phishing solution ensures that most phishing assaults are stopped. Nonetheless, Avast is constantly developing enhanced security solutions that aid in the prevention of such phishing attempts on a broad scale.”

How a DPO can help against phishing scams

Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Every Organization’s DPO should be able to curb any instances of Phishing scams as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity. 

For instance, at Privacy Ninja, we randomly conduct simulated email phishing to clients to see if there are any vulnerabilities present that a bad actor can exploit and patch them to ensure that the client will never be a victim of such a scam. 

DPOs complement the efforts of Organizations in battling scams as DPOs ensure that when there is an instance of a cyberattack, a protocol for dealing with it has been established and can be employed to protect the personal data of clients. DPOs play a crucial role when an organization is hit with phishing attacks as they ensure safeguards are put in place to combat it when it happens.

It is also part of the role of a DPO to ensure that employees are well aware of the latest cybersecurity risks, such as the recent Browser in the browser attacks. Generally, it is well under the duty of a DPO to make sure that employees are knowledgeable of things on the internet that may defraud them and the organization itself. 

Exploiting trust

Canva, for example, offers users the option of logging in with one of three popular accounts. When the user selects Google, a new browser window with a valid URL replaces the existing Canva window.

The OAuth protocol assures that the user’s password is only accessible to Google. Canva is never made aware of the qualifications. Rather than that, OAuth initiates a secure login connection with Google, and when the visitor’s username and password match, Google issues the visitor a token that grants access to Canva. (A similar process occurs when a shopper selects a payment option such as PayPal.)

The BitB approach takes advantage of this arrangement. Rather than opening a true second browser window connected to the website that facilitates login or payment, BitB employs a variety of HTML and cascading style sheets (CSS) methods to convincingly counterfeit the second window.

There is a possibility that the URL displayed there is a genuine address complete with a padlock and HTTPS prefix. The window’s layout and behavior appear to be identical to those of the actual thing.

Also Read: Understanding the mandatory data breach notification of Singapore

Malicious links sent through emails that employees click could be the entry point of bad actors in employing BitB attacks. This is why it is best to know if you are at risk of being its next victim. Get your free simulated email spoofing exercise from Privacy Ninja now, and check if your organisation is safe from malicious actors.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us