A new phishing technique - "Browser in the Browser (BitB)" attack is in the limelight. This post explains how 4Phish, our phishing simulation solution, may help your company's employees be prepared for this type of attack.

Introduction

A new phishing technique that simulates a spoofed browser window within the real browser has been identified by a security researcher who goes by the handle ‘mr.d0x’. He published an article about it. The researcher calls it the “Browser in the Browser (BitB)” attack.

Many websites allow you to Sign Up and Log In using your existing Google, Facebook, Microsoft or Apple account. An example of Dropbox is shown below.

On clicking the “Log in with Google” button, a new browser window pops up asking for your Google credentials.

Once you submit the credentials, you are authenticated to Dropbox. This reduces the number of passwords a user has to remember.

The BitB technique capitalizes on this method. Instead of opening the genuine second browser window, BitB uses HTML, CSS & JavaScript to spoof the second window. The fake browser will look identical to the real one with the correct URL, HTTPS Padlock, Drag, Maximize and Close functionality. When the target submits his/her credentials, it will be captured by the attacker.

We are  happy to announce that we can help you train your employees on this new attack using our phishing simulation tool - 4Phish. We have created a new Phishing Page which simulates a Browser in the Browser attack (thanks to the templates provided by mr.d0x).

A sample simulation 

The Phishing Email

The below phishing email informs the user that someone has shared a file with him/her in Dropbox. The email contains a button to view the file.

The Phishing Page

On clicking the “View File” button, the user is taken to a fake Dropbox login page.

This login page contains two options:

1. Login with Google / Apple

2. Local Dropbox Authentication

When the user clicks on “Log in with Google”, a new window pops up.

This window is a fake and created using HTML, CSS and JavaScript. It has a “HTTPS Padlock'' and the domain name in the URL Bar is correct (accounts.google.com). This may trick the user into believing that this is indeed a real login page. Once the credentials are entered by the user, it will be captured by 4Phish. 

Conclusion

BitB is a relatively new phishing technique which will gain popularity with attackers. Infact, as reported by security firm Zscaler, a phishing campaign using this technique was used to steal credentials for video game distribution service Steam in 2020.

Hence, it may prove beneficial for organizations to proactively train employees of such a phishing attack by conducting a phishing simulation campaign.

Contact us on sales@rqsolutions.com if you need our help with the phishing simulation and training.