
Browser-in-the-browser: learn more about this new type of phishing

For years, the main tip people needed to avoid scams on the internet was always the same: pay attention to the page address. Although cybercriminals are often recognized as highly “talented” when it comes to creating replicas of online services, or even entire online stores, to lure unsuspecting internet users, you simply had to check the URL you were on to see whether anything was wrong.

Unfortunately, we’re headed towards a future where things will no longer be that simple. A well-known independent researcher posted a stark warning to specialists worldwide on his blog in the form of a truly disheartening “finding”: using only a few reasonably simple techniques, a fraudster can forge a social login pop-up, complete with a legitimate-looking URL, making it look like you’re entering your credentials in a safe environment. This type of attack has been named browser-in-the-browser (BitB).

There was a window in the window

The name says it all. Basically, cybercriminals simulate an entire browser window to steal your password. Before continuing, it’s worth reiterating what we mean by the term “social login”: it refers to websites and online platforms that grant access using your profile on another service or social network, doing away with the need to create an additional account and manually enter all your information.

It just so happens that, when you decide to log in to a platform using social login, the browser opens a new window, or pop-up, which communicates with the external servers of the service or social network and lets you type in your credentials. If you check this pop-up’s URL, you’ll see the legitimate domain and know you’re in a safe environment.

And the BitB scam preys precisely on this fact. The attacker first lures a victim to some fake website, without bothering about the address of the malicious page in question. This page will usually offer some incentive for the user to perform a social login and, on clicking one of the prompts, a fake pop-up appears on screen. It looks exactly like a real browser window, with the same minimize/maximize buttons, and its URL field even shows the legitimate domain of the service you’re attempting to access. However, it’s nothing more than an “optical illusion”.

Prepare now!

It’s a really simple trick. Any developer with a basic understanding of HTML5, CSS and JavaScript can “draw” this fake window inside the legitimate window of your browser, giving the impression that a pop-up has appeared. If a victim falls for the scam and enters their credentials, these are sent straight to the cybercriminal’s server. The only way to identify the scam is the “Inspect Element” feature offered by most browsers: check the site’s source code to see whether the pop-up is fake. This, however, is a tool generally used only by more experienced users.

But before freaking out, it’s important to underline that, so far, the browser-in-the-browser attack is only conceptual and there are no reports of widespread use in malicious campaigns. Whatever the case, it’s best to get ready, since chances are good that this scam will soon be quite common. The easiest way to check that you’re really looking at a pop-up window is to try to move it, resize it, minimize or maximize it, and even close it. Try to interact with it as much as possible, as there is a limit to the realism criminals can attain: a real pop-up can be dragged outside the main browser window, while a fake one drawn inside the page cannot.
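As an added, defender-side example (not from the original article or from Perallis Security), the following Python script automates the “inspect the source code” check described above: it parses a page’s HTML and flags any element that displays a URL as plain text (a painted address bar) while its iframe or form actually loads from, or submits to, a different host. The hostnames in the embedded sample are constructed placeholders, and the heuristic is an assumption about how such a fake window is typically built, not a description of any specific kit.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "track", "wbr"}  # no closing tag


class BitbScanner(HTMLParser):
    """Per open element: hosts its text merely *displays* vs. hosts its iframes/forms really use."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url  # base for resolving relative src/action values
        self.stack, self.findings = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        node = {"shown": [], "loaded": []}
        target = a.get("src") if tag == "iframe" else a.get("action") if tag == "form" else None
        if target:
            node["loaded"].append(urlparse(urljoin(self.page_url, target)).hostname or "")
        self.stack.append(node)
    def handle_data(self, data):
        if self.stack:  # URL-looking text, e.g. a painted address bar
            self.stack[-1]["shown"] += [urlparse(u).hostname for u in URL_RE.findall(data)]
    def handle_endtag(self, tag):
        if tag in VOID or not self.stack:
            return
        node = self.stack.pop()
        for shown in sorted(set(node["shown"])):
            wrong = sorted({h for h in node["loaded"] if h != shown})
            if wrong:  # element shows one domain but loads from / submits to another
                self.findings.append({"displayed_host": shown, "actual_hosts": wrong})
                node["shown"] = [s for s in node["shown"] if s != shown]
        if self.stack:  # bubble up so the enclosing "window" div gets checked too
            self.stack[-1]["shown"] += node["shown"]
            self.stack[-1]["loaded"] += node["loaded"]


def find_fake_popups(html, page_url):
    # Returns displayed/actual host mismatches found in one page (empty list = none)
    scanner = BitbScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample with placeholder hosts: a div painted like a pop-up whose
# "address bar" is plain text, while the login frame is a path on the phishing site.
FAKE_POPUP_HTML = ('<div class="fake-window"><div class="addressbar">'
                   'https://accounts.idp.example/signin</div>'
                   '<iframe src="/frames/login.html"></iframe></div>')
```

Run `find_fake_popups(FAKE_POPUP_HTML, "https://phish-kit.example/offer")` to see the mismatch reported; a genuine embedded login, where the displayed host and the iframe host agree, produces an empty list.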

Lastly, enabling two-factor authentication on every social network and online service account you use (especially those you intend to use for social login) is another fundamental step. That way, even if a fraudster manages to steal your credentials, they’ll be held back by the second factor.

Article originally written in Portuguese by Perallis Security Content Team: Browser-in-the-browser: entenda como funciona esse novo tipo de phishing — Perallis Security