A new UI redressing technique, known as Browser In The Browser (BITB), has given phishing a shot in the arm by making such attacks nearly indistinguishable from the real thing. The method steals login credentials by presenting a realistic replica of the third-party single sign-on (SSO) login popup that a website's login page normally opens (Instagram, Facebook, Twitter and many others offer such sign-in options). For instance, if a user signs into a website via Google, the BITB attacker spoofs Google's authentication window to dupe the user into typing their credentials into it.
According to the pseudonymous cybersecurity researcher mr.d0x, a BITB attack faithfully replicates the popup window's chrome, including a title bar and an address bar showing a trusted domain, using only HTML and CSS. This fake window wraps an iframe that points at a server controlled by the attacker, which hosts the actual phishing page. Because the iframe loads attacker-hosted content rather than the identity provider's real page, the provider's own framing protections (X-Frame-Options, CSP frame-ancestors) never come into play, and the browser's genuine address bar continues to show the attacker's site, not the trusted URL painted inside the fake window.
The article also pointed to a GitHub repository containing templates of fake login windows for browsers on Windows and macOS, created by mr.d0x for testing purposes.
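To make that structure concrete, here is an added example (not from the article, and not mr.d0x's templates): a small heuristic scanner in JavaScript that flags HTML whose layout matches a BITB template, that is, an iframe carrying the phishing form wrapped in markup that paints a trusted identity-provider URL as plain text in a fake address bar. The IdP host list, the helper names and the two sample pages (including the host phish.example) are all constructed for this example.

```javascript
// Added example: heuristic scanner for Browser-in-the-Browser (BITB) style
// pages. Not part of the article or of mr.d0x's published templates.
// Signature looked for: an <iframe> (the real phishing form) plus a trusted
// identity-provider URL that appears as decorative text rather than as a link.

// Constructed list of identity-provider hosts commonly imitated in BITB windows.
const IDP_HOSTS = [
  "accounts.google.com",
  "login.microsoftonline.com",
  "www.facebook.com",
  "appleid.apple.com",
];

// Collect the src attribute of every <iframe> in the page.
function iframeSources(html) {
  const out = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Strip scripts, styles and tags so only user-visible text remains.
function visibleText(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]+>/g, " ");
}

// A genuine reference to an IdP is an <a href>. A BITB template instead draws
// the trusted URL as text inside a fake address bar. Return IdP URLs that are
// visible as text but are not the href of any anchor.
function decorativeIdpUrls(html) {
  const hrefs = new Set();
  const hrefRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = hrefRe.exec(html)) !== null) hrefs.add(m[1]);

  const found = [];
  const urlRe = /https?:\/\/([a-z0-9.-]+)[^\s"'<>]*/gi;
  const text = visibleText(html);
  while ((m = urlRe.exec(text)) !== null) {
    if (IDP_HOSTS.includes(m[1].toLowerCase()) && !hrefs.has(m[0])) {
      found.push(m[0]);
    }
  }
  return found;
}

// Combine both signals: suspicious only when an iframe AND a painted IdP URL coexist.
function scanForBitb(html) {
  const iframes = iframeSources(html);
  const fakeBars = decorativeIdpUrls(html);
  return { suspicious: iframes.length > 0 && fakeBars.length > 0, iframes, fakeBars };
}

// Constructed sample: a minimal BITB-style page. The "address bar" is a <div>
// holding the IdP URL as text; the form itself is served by the attacker.
const BITB_SAMPLE = `
<div class="window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar">&#128274; https://accounts.google.com/signin/oauth</div>
  <iframe src="https://phish.example/google-login.html" width="500" height="600"></iframe>
</div>`;

// Constructed sample: a legitimate page that links to the IdP and embeds an
// unrelated iframe. It must not be flagged.
const BENIGN_SAMPLE = `
<p>Sign in with <a href="https://accounts.google.com/o/oauth2/auth">Google</a></p>
<iframe src="https://www.youtube.com/embed/abc"></iframe>`;

console.log(scanForBitb(BITB_SAMPLE));   // suspicious: true
console.log(scanForBitb(BENIGN_SAMPLE)); // suspicious: false
```

This is one triage signal for crawled pages or phishing kits, not a verdict: a template that renders the address bar as an image or assembles the URL text with JavaScript will evade it, and a benign page that quotes an IdP URL in prose next to an unrelated iframe will trip it.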
I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my Github feel free to test them out. https://t.co/EKArJoaMp7 pic.twitter.com/Z0weuhKCmW
— mr.d0x (@mrd0x) March 15, 2022
To spot such an attack, users can try resizing, scrolling or dragging the popup before entering anything: a real SSO popup is a separate top-level browser window and can be dragged outside the parent window, whereas a BITB replica is just an element inside the page and cannot leave the page's viewport. Well-written JavaScript can make the fake window respond to resizing and scrolling convincingly, and on a mobile browser, where popups are rendered differently, these checks are hard to perform at all. A more reliable mitigation is a password manager: it matches stored credentials against the origin the browser actually reports for the page, not against the URL text painted in the fake address bar, so it will not offer the user's Google credentials inside a page served from the attacker's domain, and its silence is itself a warning.
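As an added illustration of the password-manager point (example code, not from the article and not any real manager's implementation): a JavaScript model of origin-bound autofill. Real managers match on the registrable domain with product-specific rules; this model compares exact origins using the URL API. The function names and sample URLs, including phish.example, are assumptions made for the example.

```javascript
// Added example: why an origin-bound password manager resists BITB.
// The manager keys credentials on the origin the browser reports for the
// document, never on text the page paints. Inside a BITB window the document
// origin is the attacker's, so the stored IdP credential is never offered.
// Sample inputs are constructed; this is a model of the decision, not a product.

// Reduce a URL to its origin (scheme + host + port), the unit the same-origin
// policy and, in simplified form, password managers compare. Returns null for
// text that is not a parseable URL, which is what a painted address bar may hold.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (_e) {
    return null;
  }
}

// Decide whether a stored credential may be filled into the current page.
// storedFor:      URL the credential was saved for (e.g. the IdP login page).
// actualLocation: what window.location / the browser's own chrome reports.
// paintedAddress: whatever URL text the page itself displays (untrusted).
function autofillDecision(storedFor, actualLocation, paintedAddress) {
  const stored = originOf(storedFor);
  const actual = originOf(actualLocation);
  const painted = paintedAddress ? originOf(paintedAddress) : null;

  if (stored !== null && actual === stored) {
    return { fill: true, reason: "page origin matches stored credential" };
  }
  if (painted !== null && painted === stored) {
    // The page claims to be the IdP but the browser says otherwise.
    return {
      fill: false,
      reason: `page draws ${painted} but is actually served from ${actual} (BITB-style mismatch)`,
    };
  }
  return { fill: false, reason: `no credential stored for ${actual}` };
}

// Real popup: the browser reports the IdP origin, so the manager fills.
console.log(autofillDecision(
  "https://accounts.google.com/",
  "https://accounts.google.com/signin/oauth",
  null,
));

// BITB window: the fake address bar shows the IdP, the document is attacker-hosted.
console.log(autofillDecision(
  "https://accounts.google.com/",
  "https://phish.example/google-login.html",
  "https://accounts.google.com/signin/oauth",
));
```

The mismatch branch is the interesting one for a user: the manager declining to fill on what looks like the Google login page is exactly the signal that the window is not what it claims to be.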