The importance of safeguarding corporate networks and data from phishing attacks cannot be overstated. Phishing has evolved beyond deceptive emails; instead, cybercriminals are constantly inventing new sophisticated techniques to manipulate users into divulging passwords or executing malicious files, which can result in unauthorized access to sensitive information or malware infections and, in turn, lead to significant financial costs and reputational damage.
"Browser in the Browser" (BitB) attacks have recently gained traction and it's critical that companies recognize this new threat educate staff. Today, we showcase exactly what you need to know in order to get started.
BitB attacks use HTML and CSS to embed spoof the URL bar of a browser pop-up, effectively creating a façade that is hard to differentiate from the genuine interface. BitB phishing attacks are typically executed when a user visits a malicious website and tries to log on. The malicious website then simulates the legitimate function of a Social Sign-On service provided by major technology companies such as Facebook, Google, and Apple. While services are popular because they allow users to easily log into a third-party website they also create an opportunity that attackers are taking advantage of.
Making the BitB attack so powerful is that by default, pop-up windows don't contain URL address bars. By not including their explicit URL bar, pop-ups allow attackers to create a fake URL bar with HTML and CSS and have it deceptively display the URL of a legitimate company. The attack can be seen in action and demonstration code is readily available on GitHub.
Phishing attacks often rely on tricking users into believing they are entering credentials into a legitimate website, while they are actually interacting with an attacker-controlled resource. Phishing attacks have been around since the mid-90s, and there are numerous phishing techniques proven to be highly effective. One of the most common techniques is URL spoofing which is employed in BitB attacks.
Here are some other URL spoofing techniques commonly used to trick victims into giving up their sensitive information:
Homograph Attacks/Punycode Attacks/IDN (Internationalized Domain Name) Spoofing: These attacks use alternative characters that look similar to the Latin alphabet, but are from different character sets to create a fake domain that visually resembles the target domain. One of the most popular techniques is to simply use the Cyrillic "а" instead of the Latin "a" in a domain name
Typosquatting (URL Hijacking): Attackers register domain names that are typographical errors of popular websites. Unsuspecting users who make a typo while entering the URL might land on these malicious sites, i.e. "goggle.com" instead of "google.com"
Subdomain Spoofing: Attackers use legitimate subdomains combined with a malicious domain. For example, "paypal.com.fake.com" looks like PayPal at a glance, but the actual domain is "fake.com"
URL Redirection: Attackers use URL shortening services or other redirection techniques to hide the real URL such as creating a link that directs to a different URL than the one displayed
iframe Sniffing Attacks: A malicious website can embed a legitimate site's content inside an iframe, and then use a variety of techniques such as overlaying a transparent HTML element to capture the user's input, or employing an iframe escape exploit covertly capture keystrokes entered into the iframe
Open Redirect Exploits: This exploits a vulnerability on legitimate websites, allowing attackers to redirect users from the legitimate site to a malicious page. The URL may initially appear legitimate since it starts with a trusted domain
To protect yourself against BitB attacks it's important to be acutely aware of how BitB attacks work to avoid becoming a potential victim. In addition to having keen awareness, it's also important to employ other standard IT security best practices as part of a defense-in-depth approach.
User Education and Training: Ensure employees are aware of BitB attacks and other phishing techniques. Training programs should teach them to recognize suspicious activity and report it according to policies and standard operating procedures.
Use Browser Security Features or Specialized Phishing Protection Tools: Most modern browsers have security features such as pop-up blockers, anti-phishing filters, and protection against malicious downloads. Ensure that these features are enabled.
Implement MFA Authentication: Implement multi-factor authentication (MFA) wherever possible. MFA can prevent attackers from gaining unauthorized access even if they manage to steal credentials by requiring a one-time passcode (OTP) from an authenticator app in order to log in.
"Browser in the Browser" (BitB) attacks have emerged as a novel and effective phishing technique. BitB attacks place a fake URL bar within a browser pop-up to deceive users about which domain the pop-up is connected to. Believing they are interacting with genuine content, users may enter sensitive information such as login credentials that can be captured by cybercriminals.
BitB is particularly effective when mimicking the Social Sign-On services of major tech giants. Addressing this threat requires a multi-faceted approach: educating users on the nature of these attacks, enabling security features on browsers, implementing MFA, and making sure that browser applications are updated with the latest security patches.
Ready for more industry updates to include in your next bout of employee awareness training? Contact our team directly today or sign up for our free newsletter.
October 24 - Blog
Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.
September 27 - Blog
InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.
September 26 - Blog
Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.