One of the most widely-used ways cybercriminals try to steal your data and personal information is through phishing.
But we’ve grown used to phishing, and generally know what to look out for. That’s where a Browser-in-the-Browser attack comes in. So what is a Browser-in-the-Browser attack? And how can you defend yourself from it?
A Browser-in-the-Browser (BiTB) attack draws a fake login window, complete with a fake address bar showing a trusted domain, inside the page of an attacker-controlled site in order to steal credentials. This phishing technique piggybacks on the Single Sign-On authentication model: users are used to a small pop-up window asking them to log in with Google, Apple, or another provider, and the fake window copies that pop-up pixel for pixel.
When you sign up for a new service or a new website, sometimes, there is an option to sign up by connecting your account with Google, Apple, and other third party services instead of manually signing up with an email address and password.
This is done via Single Sign-On, or SSO. SSO functionality is almost omnipresent in web apps, and with good reason.
SSO facilitates quicker account authentication and creation by using a singular set of credentials for all services and sites. You don’t have to maintain separate sets of emails and passwords for each website that you have to sign in to.
The login process is straightforward. You choose the third-party service you wish to log in with and click its sign-in button. The site opens a new, separate browser window in which you log in to that third-party service; for instance, Google. Because that window is a real browser window, its address bar is drawn by the browser and shows the provider's genuine domain. After the login succeeds and the credentials are verified, your new account on the site is created.
When users sign up on an attacker-controlled (or compromised) site, they are served a fake pop-up that imitates the look and feel of a genuine SSO authentication window. SSO pop-ups have been around long enough that the average user is accustomed to them, which eliminates suspicion.
Moreover, the title bar, the address bar with a trusted domain name, the padlock icon, and the login form itself can all be drawn with a few lines of HTML and CSS so that they imitate a genuine login prompt. The crucial difference is that none of it is real browser chrome: it is page content, rendered inside the attacker's tab, and the browser's own address bar for that tab still shows the attacker's domain.
The victim types in their credentials without batting an eye, and as soon as they hit Enter on their keyboard, they give away their virtual life and everything connected to it.
Since this phishing technique revolves around SSO authentication, the first thing the cybercriminal needs to do is set up a fraudulent SSO login prompt on a site they control, then get the target to land on that site. The target "signs in" through the fake prompt, and their credentials are sent to the attacker's server and stored in their database.
While, in theory, the process may come off as complicated, in reality, all these steps can be easily automated via a phishing framework and web page templates. Security researchers have already published templates that replicate Google, Facebook, and Apple login pages, the key to a BiTB attack.
A tell-tale sign of a fake or malicious website is its URL. Carefully inspect the URL of a website before entering anything sensitive into it. More often than not, an expired or missing certificate (the browser shows a "Not secure" warning or a slashed padlock instead of the padlock icon) or a shady URL should be enough evidence to drive any user away from the site. Still, cybercriminals are getting smarter and better at covering up anything that can raise suspicion.
While checking the URL and certificate of a site is a good habit, a BiTB pop-up is hard to spot from the URL it displays, because that URL is just text the attacker wrote into the page. The address bar that matters is the browser's real one for the tab you are on: if it shows a domain other than the provider you think you are logging in to, the pop-up is fake. So always go the extra mile to check that the window is genuine, because your security is paramount.
Here are a few things you need to check to protect yourself from Browser-in-the-Browser attacks:
- Check whether the login pop-up is a real window. A genuine SSO pop-up is a separate operating-system window, so you can drag it outside the main browser window, move it over other applications, or resize the main browser window without affecting it. A fraudulent login window is a simulation built from HTML and CSS, so it is confined to the web page: when you try to drag it past the edge of the page it stops or is clipped, and it moves and scales with the page when you resize or scroll the browser. If you can't drag the login window out of the main browser window at all, that is a strong giveaway that you're on a malicious site.
- Use a password manager. A password manager offers saved credentials only when the real page origin matches the site the credentials were saved for. The fake window is not a real browser window on the provider's domain; it is a form on the attacker's domain, so your manager will not offer your Google, Apple, or Facebook credentials there. If the autofill prompt that normally appears on that login page is missing, treat the window as suspicious. You should definitely check out the best password managers for your devices.
- As a rule of thumb, don’t click on any link forwarded to you. And avoid typing in credentials on shady websites. This is the ground rule to defend yourself from not just a specific phishing attack but all sorts of attacks and techniques. Be careful who you trust.
- Use security-focused browser extensions. These can alert you when a page is doing something suspicious. For instance, a fake login window often loads its form in an iframe and paints a trusted domain name next to it; an extension that looks for that pattern (a rendered "address bar" naming a well-known login provider on a page whose real address is something else) can detect and warn you about a potential BiTB attack.
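The heuristic described in the last point, and the "it is only HTML and CSS" observation earlier in the article, can be written down in a few dozen lines. The following is an added example, not code from the original article or from any particular extension: it scans page markup for a URL that is *displayed* as text (a fake address bar) naming a well-known identity-provider login host, while the real document lives on a different origin and contains a password field. The provider hostnames are the real ones; the sample HTML, the attacker hostname and the function names are constructed for the example.

```javascript
// Added example: a minimal BiTB "fake address bar" detector.
// A real SSO pop-up is its own top-level window whose address bar is drawn by
// the browser. If page content itself *renders* a URL for a login provider and
// also asks for a password, while the real document is on another origin, that
// is the Browser-in-the-Browser pattern.

// Real login hosts of the providers the article mentions (plus Microsoft).
const IDP_LOGIN_HOSTS = new Set([
  "accounts.google.com",
  "appleid.apple.com",
  "www.facebook.com",
  "login.microsoftonline.com",
]);

// Hostname of a URL-looking string, or null if it does not parse as a URL.
function hostnameOf(text) {
  try {
    return new URL(text).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// URL-looking strings a user would actually *see* on the page. Attribute values
// (href/src/action) are dropped first: a genuine "Sign in with Google" link
// points at Google too, and that is not suspicious by itself. Regex-based
// stripping is a heuristic; a real extension would walk the live DOM instead.
function visibleUrls(html) {
  const withoutAttrs = html.replace(/\b(?:href|src|action)\s*=\s*("[^"]*"|'[^']*')/gi, "");
  const withoutTags = withoutAttrs.replace(/<[^>]*>/g, " ");
  return withoutTags.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

function asksForPassword(html) {
  return /<input\b[^>]*\btype\s*=\s*["']?password/i.test(html);
}

// pageHostname is the hostname of the *real* document (window.location.hostname
// in an extension), i.e. what the browser's own address bar shows for the tab.
function findSpoofedAddressBars(html, pageHostname) {
  const realHost = pageHostname.toLowerCase();
  const findings = [];
  if (!asksForPassword(html)) return findings; // no credential theft without a password field
  for (const url of visibleUrls(html)) {
    const shownHost = hostnameOf(url);
    if (shownHost && IDP_LOGIN_HOSTS.has(shownHost) && shownHost !== realHost) {
      findings.push({ displayedUrl: url, displayedHost: shownHost, realHost });
    }
  }
  return findings;
}

// Constructed sample: a fake Google pop-up drawn inside an attacker's page.
const SAMPLE_BITB_HTML = `
<div class="fake-window">
  <div class="fake-titlebar">Sign in - Google Accounts</div>
  <div class="fake-addressbar">&#128274; https://accounts.google.com/o/oauth2/auth?client_id=sample</div>
  <form action="/collect">
    <input name="email" type="email"><input name="pw" type="password">
  </form>
</div>`;

// Constructed sample: a legitimate site whose button merely *links* to Google.
const SAMPLE_LEGIT_HTML = `
<p>Create an account</p>
<a href="https://accounts.google.com/o/oauth2/auth?client_id=sample">Sign in with Google</a>
<input name="email" type="email"><input name="pw" type="password">`;

// "prize-claim.example" stands in for the attacker's real domain.
console.log(findSpoofedAddressBars(SAMPLE_BITB_HTML, "prize-claim.example"));
console.log(findSpoofedAddressBars(SAMPLE_LEGIT_HTML, "shop.example")); // []
```

The third case worth trying is the genuine pop-up itself: run the detector with `pageHostname` set to `accounts.google.com` and it reports nothing, because the displayed host and the real host agree. That same origin comparison is why a password manager stays silent on a BiTB window: the form is on the attacker's origin, not the provider's.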
The internet can be a scary place. While cybercrime is a never-ending problem, you don't have to be intimidated by it if you set up the right security measures, keep your wits about you, and follow the general best practices. It's important to stay vigilant; knowing the latest scams and hacking techniques at least means you're staying ahead of the game.