New Browser-in-the-Browser (BitB) Attack Steals User Credentials


VTA-00410 – New Browser-in-the-Browser (BitB) Attack Steals User Credentials

Recently, a new way of tricking targets into giving up sensitive information has emerged. This type of attack uses a phishing technique that simulates a browser window within the browser to spoof a legitimate domain. The method takes advantage of third-party single sign-on (SSO) options embedded on websites, such as "Sign in with Google" or social media logins. When a user chooses to sign in with a third-party SSO option, a pop-up window is normally displayed asking the user to authenticate. The BitB attack replicates this entire process, using a mix of HTML and CSS to build an entirely fake pop-up window that asks the user to sign in. However, the target user still needs to land on the attacker's website for the fake pop-up window to be displayed.


Technical and Business Impact Analysis_Microsoft Teams

Attack Surfaces:
Web Application

Tactics:
Execution, Initial Access

Techniques:
Phishing, User Execution

Active Defense Tactics:

Active Defense Techniques:
Network Monitoring, Security Controls

SuperPRO’s Threat Countermeasures Procedures:
1. To effectively prevent framing attacks, the application should return a response header named X-Frame-Options with the value DENY, to prevent framing altogether, or with the value SAMEORIGIN, to allow framing only by pages on the same origin as the response itself.
2. Educate employees and conduct training sessions with mock phishing scenarios.
3. Train users to recognize common types of social engineering tactics.
4. Ensure ‘Turn on e-mail scanning’ is set to ‘Enabled’.
5. Enable Multi-Factor Authentication (MFA) on every user account.
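The following is an added example, not part of this advisory, that audits the framing protection described in countermeasure 1. It goes slightly beyond the advisory by also evaluating the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present; the header sets it checks are constructed samples.

```python
from typing import List, Mapping, Optional

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def evaluate_framing_protection(headers: Mapping[str, str]) -> str:
    """Classify a response's headers as 'protected', 'partial' or 'unprotected' against framing."""
    # HTTP header names are case-insensitive, so normalise them once.
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
        if "*" in ancestors:
            return "unprotected"            # any origin may frame the page
        if set(ancestors) <= {"'none'", "'self'"}:
            return "protected"              # equivalent to DENY / SAMEORIGIN
        return "partial"                    # framing allowed from listed origins only
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "partial"                    # obsolete directive; modern browsers ignore it
    return "unprotected"

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "deny":        {"X-Frame-Options": "DENY"},
    "sameorigin":  {"x-frame-options": "sameorigin"},
    "no-headers":  {},
    "csp-wins":    {"X-Frame-Options": "ALLOW-FROM https://example.invalid",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-allowlist": {"Content-Security-Policy": "frame-ancestors 'self' https://sso.example.invalid"},
    "csp-wildcard":  {"Content-Security-Policy": "frame-ancestors *"},
}

def audit_samples() -> dict:
    """Run the check over every sample and return name -> verdict."""
    return {name: evaluate_framing_protection(hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}

if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:14} {verdict}")
```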

Contributed by:  3h4d0w
