Browser In The Browser (BITB) Attack
The content of this page is directly retrieved from the original publication.
March 15, 2022
This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.
For security professionals, the URL is usually the most trusted indicator of a site's legitimacy. Yes, there are attacks like IDN homographs and DNS hijacking that may degrade the reliability of URLs, but not to an extent that makes URLs unreliable.
All of this eventually led me to think: is it possible to make the "Check the URL" advice less reliable? After a week of brainstorming I decided that the answer is yes.
Quite often when we authenticate to a website via Google, Microsoft, Apple etc. we’re provided a pop-up window that asks us to authenticate. The image below shows the window that appears when someone attempts to login to Canva using their Google account.
Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two.
If an onclick event that returns false is added, then hovering over the link will continue to show the website in the href attribute, but when the link is clicked the href attribute is ignored. We can use this knowledge to make the pop-up window appear more realistic.

    <a href="https://gmail.com" onclick="return launchWindow();">Google</a>

    function launchWindow() {
        // Launch the fake authentication window
        return false; // This will make sure the href attribute is ignored
    }
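From the analyst's side, the two properties described above (a fake address bar rendered as page text beside an iframe that really loads from somewhere else, and a link whose inline handler can cancel the navigation its href promises) are also what a captured phishing page gives away. The scanner below is an added example, not code from the original article; it uses only the Python standard library, the HTML it scans is constructed for the demo, and the indicator names (`address_bar_mismatch`, `href_may_be_ignored`) are my own. It is a triage heuristic for pages already pulled from a suspected phishing site, not a complete detector.

```python
"""Heuristic scan of a captured HTML page for Browser-in-the-Browser (BITB)
indicators (added example; sample pages below are constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL-looking text rendered on the page: candidate fake "address bar" labels.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


def origin(url: str):
    """Return (scheme, host) for an absolute URL. A path-only URL resolves
    against the page that serves it, so it is reported as ('relative', None)."""
    p = urlparse(url)
    if not p.scheme:
        return ("relative", None)
    return (p.scheme.lower(), (p.hostname or "").lower())


class BitbIndicatorParser(HTMLParser):
    """Collect iframe sources, URL-like visible text, and anchors whose inline
    onclick handler contains a return statement (which may cancel navigation)."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.displayed_urls = []
        self.decorative_anchors = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        elif tag == "a" and a.get("href") and a.get("onclick"):
            # "return ..." in an inline handler can make the href decorative.
            if re.search(r"\breturn\b", a["onclick"]):
                self.decorative_anchors.append((a["href"], a["onclick"]))

    def handle_data(self, data):
        self.displayed_urls.extend(URL_RE.findall(data))


def scan_page(html: str):
    """Return a list of indicator dicts; an empty list means nothing flagged."""
    p = BitbIndicatorParser()
    p.feed(html)
    findings = []
    # Indicator 1: visible URL text whose origin differs from what the iframe loads.
    for shown in p.displayed_urls:
        for src in p.iframe_srcs:
            if origin(src) != origin(shown):
                findings.append({"kind": "address_bar_mismatch",
                                 "displayed": shown, "iframe_src": src})
    # Indicator 2: href shown on hover, but the click handler may cancel it.
    for href, onclick in p.decorative_anchors:
        findings.append({"kind": "href_may_be_ignored",
                         "href": href, "onclick": onclick})
    return findings


# Constructed sample: an HTML "window" with a fake address bar, an iframe that
# actually loads a relative path from the serving site, and a decorative link.
SUSPECT_PAGE = """
<div class="window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="urlbar">https://accounts.google.com</div>
  <iframe src="/auth/login.html"></iframe>
</div>
<a href="https://gmail.com" onclick="return launchWindow();">Google</a>
"""

# Constructed control: visible URL and iframe share an origin, plain link.
BENIGN_PAGE = """
<p>Embedded widget from https://example.com</p>
<iframe src="https://example.com/widget"></iframe>
<a href="https://example.com/docs">Docs</a>
"""

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_page(page))
```

Relative iframe sources are the case to watch: the article's fake window points its iframe at the attacker's own server, so the src is typically a path on the phishing site itself while the painted address bar names the impersonated identity provider. The scanner treats that as a mismatch rather than skipping it.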
I’ve created templates for the following operating systems and browsers:
- Windows - Chrome (Light & Dark Mode)
- Mac OSX - Chrome (Light & Dark Mode)
With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once they have landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).