Single sign-on options are so common today that we don’t often think twice before we click to proceed. Also, if the browser has trust signals like a padlock icon, we automatically assume that the webpage is safe. But is that really the case? 

The novel phishing technique, the browser-in-the-browser (BitB) attack, simulates a browser window within the browser to spoof a legitimate domain. It takes advantage of third-party single sign-on (SSO) options embedded on websites that issue pop-up windows for authentication. The BitB attack creates an entirely fabricated browser window, including trust signals like a locked padlock icon and a known (but faked) URL.  

How does the attack work?

The attackers send malicious links via emails or instant messaging software. The user is redirected to a fraudulent or compromised page on clicking the link. The page will contain an iFrame pointing to the malicious server hosting the phishing page. Once the user provides their credentials on the spoofed pop-up sign-on window, they are sent to the remote server controlled by the attacker.  

The BitB attack can also flummox those who use the trick of hovering over a URL to figure out if it’s legitimate because on hovering over the URL, a custom spoofed URL appears.  

We recommend the following to stay safe:  

• Never click on links or attachments in unsolicited emails. If the email seems suspicious, call and verify if it was indeed from the sender and that the shared link or attachment is safe.  
• Implement multi-factor authentication (MFA), if available. Multi-factor authentication provides an additional layer of security.  
• Use password managers wherever possible. Password managers will not autofill credentials into a BitB window because they wouldn’t see it as a real browser window.  

Conclusion

Phishing for credentials is one of the most common threats that has been around for many years. The threat actors use different social engineering techniques to persuade unsuspecting users to click on a fraudulent link or open a malicious attachment and provide their credentials. Staying ahead of these threats requires constant vigilance and being up-to-date on the threat landscape.