Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable

A new phishing technique, the Browser-in-the-Browser (BITB) attack, has drawn wide attention in the cyber security industry over the last few days. Details follow:

What’s the SCAM?

Phishing sites can now spoof the familiar sign-in windows of Google, Apple, and Facebook that appear when a website offers you the option to authenticate with one of those accounts instead of a login specific to that site. Many sites offer this, for example news publications such as the NYT and WSJ, and medium-to-small shopping, services, and subscription management websites.

The scam uses a few carefully crafted tricks:

  1. The address bar shown in the fake window reads https:// followed by the authenticator's real domain, suggesting a secure, legitimate website. The padlock and URL are drawn by the attacker's page, not by your browser
  2. The authenticating website (Google, Apple, Facebook) appears in what looks like a pop-up window, but it is not one
  3. Because the URL shown looks trustworthy, the user is at ease and types their credentials into what appears to be the legitimate website, although everything typed goes to the attacker-owned site
  4. Once you enter your Google, Apple, or Facebook credentials you are redirected to the attacker's landing page, which uses familiar graphics to make you believe the authentication completed. You are still on their website, and your user name and password are now compromised/owned

How do they do it?

The attacker has built a spoofed pop-up window so that you believe you clicked the correct sign-in link. It is not a pop-up window at all. It is part of a single web page, drawn with ordinary HTML, CSS, and JavaScript (the same techniques used for animation and clickable buttons on a static web page), including a fake title bar, a fake address bar, and a fake padlock, which together give the illusion that a separate browser window has opened

How to tell if your login window is a SCAM

  1. Click on the title bar of the pop-up window and try to drag it outside the main browser window, for example over the real browser's address bar or past the edge of the browser. A real pop-up is a separate browser window and can be moved anywhere on your screen. If the "window" will not move independently (you end up dragging the whole page) or its contents are clipped at the edge of the web page, it is drawn inside the page and you are on a phishing page
  2. If you go as far as entering your user name and password, and you have 2FA configured for Google, Apple, or Facebook, a real login would prompt you for your second factor. Being taken straight to a "success" landing page with no 2FA prompt means you fell for the scam: the static spoof page has no way to complete a real 2FA challenge, so it skips it
  3. Read the URL in the real address bar at the top of your browser, not the one inside the pop-up. The address bar painted inside the fake window will show the authenticator's domain (Google, Facebook, Apple); the real one shows the attacker's domain, which is sometimes an obvious fake and sometimes a look-alike of the site you intended to visit

The only reliable way to be sure the pop-up is authentic is to move it around: if its contents are clipped when you drag it to the edge of the web page, or it cannot be moved independently of the page at all, it is a fake pop-up drawn inside the page.

What do you do if you were redirected to a BITB spoof and you catch it before entering your user name and password?

  1. Quit ALL of your APPS
  2. Clear ALL browsing history and respective caches of ALL browsers you use
  3. Open a ticket with the DaVinci Help Desk and request a low level scan of your machine and review the results with a DaVinci Consulting Engineer

What do you do if you land on a spoofed page and enter your User Name and Password and realize you’ve been had?

  1. Immediately call (do not e-mail) the DaVinci Digital Help Desk and open an urgent remediation ticket
  2. From a different computer, log in to the authenticating site (Google, Apple, Facebook), immediately change your password, and in the security settings verify that 2FA is still enabled, sign out of all other sessions and devices, and check that no unfamiliar recovery e-mail address or phone number has been added

If you have any additional questions, please let us know how we can support you.

Jonathan Jedeikin
DaVinci Digital