Phishing – Browser in the Browser (BITB)

A phishing technique called Browser in the Browser (BITB) has emerged, and it’s already aiming at government entities, including Ukraine. Find out how to protect against this new threat.

Phishing for credentials is a common threat that has been around for years. It uses different social engineering techniques to persuade an unsuspecting user to click on a link or open a document and provide credentials, which are then sent to the attacker. Now a new phishing technique has been exposed by a penetration tester and security researcher.

Browser in the browser attacks consist of simulating a browser window within the browser to spoof a legitimate domain. The attack takes advantage of third parties’ single sign-on (SSO) option, which has become increasingly common for users to log into many different websites.

The principle is pretty straightforward: The user connects to a website, which in turn opens a new browser window that asks for Google, Apple, Microsoft or other third parties’ credentials, to allow the user to log in. This benefits the user because they don’t need to remember or use an additional password to log into the website. That’s where the BITB attack comes in. In a BITB attack, the user is being served a fraudulent pop-up window that will request their SSO password. The main difference from a usual phishing case lies in the fact that in addition to popping up that window, it can show any URL, including a legitimate one.

The trick works well. People are accustomed to this authentication model so many do not really pay attention to it anymore and just type credentials to log in.

Adding multi-factor authentication (MFA) is a good way to improve security for SSO authentication, yet it could still be bypassed by attackers, by using malware, for example. When it comes to increasing security in phishing cases, the best MFA solutions are hardware devices or tokens.

The use of password managers might also help in the particular case of the BITB attacks. Since the phishing page is in fact not a real browser window, password managers with autocomplete options might not react to them, alerting the user who will wonder why the autocomplete function does not work.

The best ways to avoid BITB attacks are actually the same as for usual phishing. Users should not click on links or attached files coming from unknown sources via email or instant messaging software. If they have doubts about an email coming from a seemingly legitimate entity or colleague, the user should call and verify they were indeed the sender and that the shared link or file is safe.

Anti-phishing solutions should also be deployed and used. If possible, those solutions should allow the user to easily report to the IT department or even to anti-phishing organizations

ABS is always ready to help you audit your phishing security and help you ensure your organization is protected. Let us know how we can help.