• BitB attacks use the pop-up window of the authentication process to capture user credentials.
  • These attackers use a mix of HTML and CSS code to make an entirely fabricated browser window.

The browser in the browser (BitB) is a phishing strategy that can be exploited by imitating a browser window within the browser to mock a legitimate domain, which makes it possible to stage convincing phishing attacks.

According to penetration tester and security researcher named mrdOx on Twitter, this method benefits from third-party single sign-on (SSO) options integrated on websites like “Sign in with Google” (Facebook, Pinterest, Apple, and Microsoft)

When users try to sign in through these methods, they get greeted by a popup window to finish the authentication process by default. The BitB attack aims to replicate the entire process with a mix of HTML and CSS code to generate a complete fabricated browser window.

MrdOx wrote in a technical publication last week, “Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s indistinguishable. JavaScript can easily make the window appear on a link or button click, on the page loading, etc.”

What’s interesting is that the BitB technique has been abused in the wild at least once before. Zscaler unveiled a list of a campaign in February 2020 that leveraged the BitB trick to draw off credentials for video game digital distribution service steam through fake counterstrike: Global offensive websites.

“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others. In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window. It is not a legitimate browser popup and is created using HTML in the current window,” Zscaler researcher Prakhar Shrotriya said.

Although this process significantly streamlines mount effective social engineering campaigns, it’s worth noting that prospective victims need to be redirected to a phishing domain that portrays such a fake authentication window for credential harvesting.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x explained.