A new phishing technique that simulates a spoofed browser window within the real browser has been identified by a security researcher who goes by the handle ‘mr.d0x’. He published an article about it. The researcher calls it the “Browser in the Browser (BitB)” attack.
Many websites allow you to sign up and log in using your existing Google, Facebook, Microsoft or Apple account. Dropbox is shown below as an example.
On clicking the “Log in with Google” button, a new browser window pops up asking for your Google credentials.
Once you submit the credentials, you are authenticated to Dropbox. This reduces the number of passwords a user has to remember.
We are happy to announce that we can help you train your employees on this new attack using our phishing simulation tool - 4Phish. We have created a new Phishing Page which simulates a Browser in the Browser attack (thanks to the templates provided by mr.d0x).
The phishing email below informs the user that someone has shared a file with them in Dropbox. The email contains a button to view the file.
On clicking the “View File” button, the user is taken to a fake Dropbox login page.
This login page contains two options:
Login with Google / Apple
Local Dropbox Authentication
When the user clicks on “Log in with Google”, a new window pops up.
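The window that pops up in a BitB page is painted HTML inside the page, not a real browser pop-up, so the URL shown in its "address bar" is only text while the login form or iframe inside it talks to the attacker's host. The following heuristic scanner is an added, defender-side example (not code from mr.d0x or from 4Phish) that flags landing pages showing a trusted identity-provider URL as plain text while every iframe or form on the page points elsewhere; the trusted-host list and the two sample pages are constructed assumptions.

```python
# Heuristic check for Browser-in-the-Browser (BitB) landing pages: a painted
# "address bar" shows a trusted identity-provider URL as plain text while the
# page's iframes/forms actually point at another host.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of identity-provider hosts a BitB page typically impersonates.
TRUSTED_IDP_HOSTS = {"accounts.google.com", "appleid.apple.com",
                     "login.microsoftonline.com", "www.facebook.com"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class BitbScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.painted_hosts = set()  # trusted hosts shown as plain text
        self.target_hosts = set()   # hosts that iframes/forms really use
        self._in_anchor = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._in_anchor += 1
        elif tag in ("iframe", "form"):
            target = a.get("src") or a.get("action") or ""
            self.target_hosts.add((urlparse(target).hostname or "").lower())

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor -= 1

    def handle_data(self, data):
        if self._in_anchor:
            return  # a real hyperlink is not the painted-address-bar pattern
        for m in URL_RE.finditer(data):
            host = m.group(1).lower()
            if host in TRUSTED_IDP_HOSTS:
                self.painted_hosts.add(host)


def bitb_indicators(html: str) -> list:
    """Trusted hosts painted as text while no iframe/form actually uses them."""
    s = BitbScanner()
    s.feed(html)
    return sorted(h for h in s.painted_hosts if h not in s.target_hosts)


# Constructed samples: a fake "window" whose painted Google URL sits over an
# attacker iframe, and an ordinary page that merely links to Google sign-in.
SAMPLE_BITB = ('<div class="urlbar">https://accounts.google.com/o/oauth2/auth</div>'
               '<iframe src="https://login-example.invalid/google.html"></iframe>')
SAMPLE_BENIGN = '<a href="https://accounts.google.com/signin">https://accounts.google.com/signin</a>'
```

A hit only means the page deserves a closer look (for instance in a URL sandbox or mail-gateway pipeline); a user facing the window can apply the equivalent manual check by trying to drag the pop-up outside the main browser window, which a painted window cannot do.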
BitB is a relatively new phishing technique which will gain popularity with attackers. In fact, as reported by security firm Zscaler, a phishing campaign using this technique was used to steal credentials for the video game distribution service Steam in 2020.
Hence, it may prove beneficial for organizations to proactively train employees on such phishing attacks by conducting a phishing simulation campaign.
Contact us at firstname.lastname@example.org if you need our help with the phishing simulation and training.