Criminals are constantly coming up with novel techniques to launch attacks, and there is a new phishing technique available to them that is terrifyingly convincing. Users have been told for years to double-check domain names, to look for the padlock to confirm encryption is enabled, and that using SSO (Single Sign-On) services is a good thing. Unfortunately this new technique, dubbed “Browser in the Browser”, plays on all three of these habits, providing a devastatingly convincing phishing “capture form”.
So how does it work?
When you visit a website that lets you log in with another account, for example “Login with Facebook” or “Login with Apple ID”, it pops open a new browser window that loads a login page hosted by the account provider (Facebook, Apple, etc.). Once you have authenticated with the provider, a login token is passed back to the website you are logging in to, the token is mapped to your account there, and you are in!
This is a great mechanism: it lets you log in to multiple websites using one set of credentials (which only needs to be stored by one provider), reducing the likelihood of password re-use and allowing users to focus on managing one strong, MFA-backed login.
How are attackers hacking this?
Simply put, they are not. Attackers are using code to draw an exact replica of your favourite login page over the top of the website you are looking at. Security researcher Mr D0x has created a series of proof-of-concept templates and posted them on GitHub to demonstrate how easily this can be achieved: https://github.com/mrd0x/BITB.
Because this is a ‘drawing’ of the login page, not a fake or manipulated version of a real window, it can show a perfectly valid-looking domain name, the all-important padlock symbol indicating a secure connection, and so on, and it is indistinguishable from the real thing:
In Mr D0x’s discussion of the technique, he suggests attackers could use iframes (a method for showing elements from a completely different web page “inside” another web page) to capture the submitted username and password, though presumably it could also be submitted via JavaScript (in case you have iframe-blocking browser extensions).
How do I detect and avoid this?
There are two easy methods to detect a BitB login screen, both relying on the fact that genuine “Login using …” dialogs open a separate pop-up browser window, whereas a BitB screen is drawn inside the page you are already on:
Method 1: Browser Window Count
If you only have one browser window open when you log in, this is quite effective. When logging in and you are prompted to “Login using Facebook” (or whichever platform you choose), try switching between its browser window and the main website’s browser window. The quickest way to do this is with a keyboard shortcut (Alt & Tab on Windows, Command & ` on a Mac). If you cannot switch between them, it is because the login window is actually a drawing over the top of the website!
Method 2: Drag the pop-up window
As suggested by Mr D0x, you can also try dragging the login window that has appeared (I recommend upwards). If it cannot be dragged over the top of the browser window underneath, it is a BitB login page and should be avoided. For example, a genuine login pop-up should allow you to drag it like this:
Notice how the login popup is on top of the browser menu and address bar underneath.
How big is the risk?
On its own, the Browser-in-the-Browser attack poses little risk, because an attacker would need to compromise a target website to be able to use it. When used as an upgrade to a fairly run-of-the-mill phishing campaign (a cloned website plus phishing emails), however, it becomes much more compelling: users can scrutinise the login pop-up’s address bar very closely and everything appears legitimate, because the address bar they are inspecting is itself part of the drawing.