What is the browser-in-the-browser (BitB) attack?

A browser-in-the-browser (BitB) attack targets the common single sign-on (SSO) flow in which you use a Google or Facebook account to join a service. It exploits single sign-on authentication by presenting fake browser login windows instead of legitimate ones. The goal is to phish credentials for services like Facebook, Google, Microsoft, Steam, etc. However, there are ways to steer clear of BitB attacks and protect your credentials.

What is a BitB attack?

A BitB attack is a cyber threat that presents a fraudulent pop-up asking for your SSO credentials. So, instead of providing Facebook or Google passwords to a reliable entity, you are handing them to hackers.

Modern HTML, CSS, and JavaScript can render almost anything inside a page, including something that looks like a separate browser window. That also gives hackers and scammers more ways to deceive users: BitB attacks draw imitation login pages of other services (like Google) inside their own fraudulent sites.

How does the BitB attack work?

BitB attacks go through specific steps and procedures until they can harvest users’ credentials:

  1. Hackers set the bait by creating a fraudulent website. It might be a clone of a popular site. However, it could also be unique, likely featuring incredible offers for goods, jobs, or quick money-earning opportunities.
  2. If the fraudsters create clones of legitimate services, they will also try to mimic their websites’ addresses. Therefore, instead of, you might enter BitB attacks could also use DNS spoofing, phishing, or other techniques to lead users to compromised domains.
  3. Attackers will try to make the fake website seem legitimate, be it a unique or cloned one.
  4. If victims decide to sign up, they will notice options for signing in with Google, Facebook, or another service.
  5. If users click on “Sign in with…” options, they will not get redirected to Google or Facebook. Instead, the fake website generates its own login pop-up.
  6. BitB attacks can also trick users who hover over buttons or links before clicking them.
  7. If users enter their credentials through the fake SSO windows, this information will not reach respectable entities. Instead, it will go straight to hackers behind the fraudulent page.

Is the BitB attack used in the wild?

Yes, some BitB attacks have been noticed in the wild. In 2020, Zscaler reported it as a technique used to steal Steam credentials through several fake CS:GO skin websites.

Google also wrote about similar attempts originating from Belarus. The researchers discovered BitB attacks used to steal credentials from users of domains like

The BitB threat is not theoretical. Its nearly undetectable password harvesting makes it highly dangerous. Therefore, users must know how to protect themselves when using single sign-on options.

How dangerous is the BitB attack?

BitB attacks can be devastating if everything goes according to hackers’ plans. The primary condition for the attack to work is that users somehow land on the phishing domain. The attack will be futile if people do not sign up for unknown services or never open email links. However, DNS spoofing can compromise attempts to access legitimate services directly.

As a result, users could visit fraudulent websites without making any mistakes. Therefore, consider employing all possible safety precautions against BitB attacks, like flushing the DNS cache.

How to prevent BitB attacks

In addition to recognizing the simulated browser windows, you can adopt these strategies to safeguard accounts and passwords:

  • Keep your credentials in a password manager. These applications are perfect for storing all passwords in a secure location. They can also suggest whether a login pop-up is a part of a BitB attack.
  • Set two-factor authentication on all possible accounts. At the very least, apply 2FA to accounts used in a single sign-on method. That includes popular options like Google, Facebook, and Microsoft.
  • Be picky about when to use the single sign-on method. SSO might be convenient, but do not overuse it. The safer option is going through the standard sign-up process and adding credentials to password managers.
  • Double-check the URL of the website you have visited. Before doing anything on a website, ensure the address is correct. It should also include the security padlock, indicating a site uses HTTPS.
  • Use a VPN to encrypt traffic and block access to suspicious sites. A VPN scrambles online traffic, making it unreadable to entities attempting to snoop.
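
The password-manager advice in the list above works because saved logins are tied to the origin of the real page, while a BitB pop-up is only markup inside the phishing page. The sketch below is an added example, not code from any real password manager; the vault entries, the `autofillDecision` helper, and all hostnames are constructed for illustration.

```javascript
// Constructed vault: each login is keyed by the exact origin it was saved on.
const VAULT = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://www.facebook.com", username: "alice.fb" },
];

// topLevelUrl: the URL of the page the browser actually loaded.
// shownAddress: the address the login window displays to the user
// (assumption: passed in here only to make the mismatch visible).
function autofillDecision(topLevelUrl, shownAddress) {
  let page;
  try {
    page = new URL(topLevelUrl);
  } catch {
    return { fill: false, reason: "unparseable page URL" };
  }
  if (page.protocol !== "https:") {
    return { fill: false, reason: "page is not served over HTTPS" };
  }
  // Exact origin comparison: scheme + host + port. Lookalike hosts and
  // "user@host" tricks fail here because URL parsing resolves the real host.
  const entry = VAULT.find((e) => e.origin === page.origin);
  if (entry) {
    return { fill: true, username: entry.username, reason: "origin matches saved login" };
  }
  // No saved login for this origin. If the window claims to be a provider
  // we do hold a login for, the mismatch itself is the warning sign.
  let claimed = null;
  try {
    claimed = new URL(shownAddress).origin;
  } catch {
    // shown text is not a URL; nothing to compare
  }
  const spoofed = claimed !== null && VAULT.some((e) => e.origin === claimed);
  return {
    fill: false,
    reason: spoofed
      ? `window claims ${claimed} but page origin is ${page.origin}`
      : "no saved login for this origin",
  };
}
```

When a password manager that normally offers to fill your Google or Facebook login stays silent on a "Sign in with…" window, treat that as a reason to check the real address bar before typing anything.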
