"Browser in the Browser": A New Variant of Phishing

Lïa Desmousseaux de Givré


A new phishing variant has been observed recently: the Browser in the Browser (BitB). It is an attack designed to defeat the usual detection habits by drawing a fake browser window inside a real one.

Understanding the BitB Technique

Indeed, most of the time, the victim detects a phishing login page by checking the legitimacy of the URL displayed in the browser's address bar. The Browser in the Browser bypasses this detection technique by turning it against the user. The fake window will display a legitimate address to make the user trust it.

Exploring BitB Tactics

The attacker will therefore generate this fake window as if they were doing web design, using JavaScript, CSS, and HTML to make it look as close as possible to the original. Seeing a legitimate URL on the login page, the user will fall into the attacker's trap and provide their credentials.

Challenges and Adaptations

The technique still has room for improvement: it is not possible to separate the fake window from the real one, nor to display the fake window in full screen or let the user resize it.

However, the attacker can directly detect the browser used by their target and whether it is in light or dark mode. With this information, the attacker adapts the fake window so that it blends in with the victim's real environment.

Defense Strategies Against BitB

In the face of this type of attack, it is important to spread awareness so that the Browser in the Browser does not remain unknown. Train employees to check the links they receive via email and to look closely at the nature of login pop-ups.

The "classic" anti-phishing arsenal remains in place:

  • Anti-phishing filter
  • MFA
  • Web proxy
  • Phishing awareness solution
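The core inconsistency of a BitB page, a legitimate-looking URL painted as ordinary page text while the page itself is served from elsewhere, can also be checked automatically. The following is an added example, not code from the original article: a heuristic scanner working on an HTML string, with constructed sample pages and placeholder hosts in the reserved `.example` TLD.

```javascript
// Heuristic Browser-in-the-Browser scanner (constructed example, not the
// article's code). A BitB page paints a fake browser window whose "address
// bar" is ordinary page text, while the page is really served from another
// host. Two signals are checked against the host the page really came from:
//  1. a URL-looking string in the visible text whose host differs;
//  2. a <form action> or <iframe src> pointing at a foreign host, where the
//     typed credentials would actually be sent.
// Hosts below are constructed placeholders in the reserved .example TLD.

const SAMPLE_BITB_PAGE = `
<html><body>
<div class="fake-window">
  <div class="fake-titlebar">Sign in to your account</div>
  <div class="fake-addressbar">https://accounts.example.com/signin</div>
  <iframe src="https://login-form.harvester.example/form.html"></iframe>
</div>
</body></html>`;

const BENIGN_PAGE = `
<html><body><p>Welcome to https://shop.example</p>
<form action="/login"><input name="user"></form></body></html>`;

// Remove scripts, styles and tags so only text a user would see remains.
function visibleText(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]+>/g, " ");
}

// Returns a list of findings; an empty list means no BitB indicator found.
function analyzeBitb(html, realHost) {
  const real = realHost.toLowerCase();
  const findings = [];
  const text = visibleText(html);
  const urlInText = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = urlInText.exec(text)) !== null) {
    const shown = m[1].toLowerCase();
    if (shown !== real) findings.push({ kind: "displayed-url-mismatch", shown, real });
  }
  // Only forms and iframes count as sinks: images or scripts loaded from a
  // CDN would otherwise produce false positives.
  const sink = /<(form|iframe)\b[^>]*?\s(?:action|src)\s*=\s*["']https?:\/\/([a-z0-9.-]+)/gi;
  while ((m = sink.exec(html)) !== null) {
    const host = m[2].toLowerCase();
    if (host !== real) findings.push({ kind: `foreign-${m[1].toLowerCase()}`, shown: host, real });
  }
  return findings;
}

console.log(JSON.stringify(analyzeBitb(SAMPLE_BITB_PAGE, "cdn-offer.example"), null, 2));
```

In practice this would run in a URL sandbox or a browser extension against the live DOM rather than on a string, but the two signals are the same.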

Key Takeaways from the Video:

In this video, you will learn:

  • What is the Browser in the Browser attack?
  • What does the technique of "Browser in the Browser" look like through a demonstration?
  • How to prevent the Browser in the Browser?
  • What improvements can be expected regarding these attacks?
