Phishing attacks are a form of social engineering attacks and are responsible for more than 80% of the reported security incidents.

In this blog post, we are going to talk about the browser in the browser (BitB) attack and the different approaches used in this deception technique, which is typically leveraged to gather credentials.

The main goal of a Browser in Browser attack is to lure the user, when accessing a cloned website, with a “fake window”, taking advantage of the growing usage of single sign-on systems that allow users to login within different websites with a single account.

This “fake window” is going to be created inside the website viewport and it will replicate, to a very accurate degree, all the components of the real popup window. Some key aspects of this method are the URL that can show any URL, the Certificate Lock, and the draggable effect. In the image below we can see an example of a cloned website using this technique, the highlighted sections show how visually accurate this window can be.

This approach is not new, we can actually trace it back to some attacks in the past two decades.

In 2019, a fake Steam skins giveaway site was used to steal credentials from CounterStrike players, but this was not a singular event. Facebook was also targeted in phishing campaigns using this technique and if we go even further back to 2007, we can find remarks about a “picture-in-picture attack” referred in a Microsoft publication, where they claim that “picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack”.

While the BitB technique is being used in the wild in fake cloned websites, there are several other scenarios where a similar technique could be applied. For example, in the case of a supply chain attack.

There is no doubt browser extensions provide a great way of customizing your web browser or even enhancing the functionality of a website. Nowadays the common user will most likely have an ad-blocker, a password manager, or a cryptocurrency wallet extension installed in the browser. As useful as they can be, some of them may also pose a security risk.

Suppose a malicious script draws one of these extension windows in a webpage, in a similar fashion as the BitB attack we described before. An unaware user may look at this window and mistake it for the legitimate one, inserting his credentials or keys and naively sending them to the attacker.

Even though this type of notification does not typically ask the user to type any information inside the notification window itself, a fake notification could impel the user to click on it.

Clicking on something different from what the user perceives, also known as “Clickjacking”, is one of the potentially dangerous attacks that can be used to reveal confidential information or trigger unintended behavior by the website or browser. Sometimes clicking on seemingly innocuous objects may allow an attacker to take control of your computer.

Certain applications may make use of javascript functions like alert, confirm or prompt to ask the user for important information. These functions will trigger a box to appear, usually on the upper part of the screen, but this may vary depending on the supplied text message.

This is another example of a window that can be drawn inside a webpage inviting a user to type private information.

Copying the visual aspect of native windows or prompts from the underlying operating system can also be used to create an attack scenario. There are several different system prompts that may be shown by your OS, such as:

As we can see there are a lot of deception techniques that can lure the user into performing unwanted operations. But there are some things that can be done to mitigate this both from a company’s perspective and from a user’s side.

From a company perspective, they are responsible for the user experience and security inside their applications and should implement systems and/or mechanisms into their web pages to mitigate some of these attacks.

In short, the type of attacks we saw consist in:

And these kinds of malicious behaviors can be detected or even blocked if a client-side security solution is implemented on the web pages.  

Even though we are describing attacks that may deceive even the savviest users, there are a few subtle clues that can be used to detect this kind of attack.

Even something seemingly legit can be compromised and used by threat actors to access sensitive intel. Many companies chose to protect their users with client-side solutions like Jscrambler’s. These solutions provide an additional layer of protection that will render most of these attacks unfeasible or unpractical.

But most websites do not have this kind of protection and the responsibility is left to the user. This is why User awareness defines a key aspect of user and information security.