Published 2022-03-24

On March 15, 2022, mr.d0x published on his blog a technique that makes phishing harder to detect.

As we well know, social engineering attacks are constantly evolving. In order to lure victims into the bait, attackers stretch their ingenuity in search of more effective and harder-to-detect techniques. On March 15, 2022, a technique was unveiled that gives "a twist" to "traditional" phishing. It is described on his blog by a cybersecurity researcher known as mr.d0x. Links to his Twitter account and to the article in which he describes this new and powerful technique are at the end of this post.

This technique is called Browser in the Browser (BITB), a novel phishing technique in which the attacker exploits the integrated single sign-on (SSO) options offered by many websites (the ones that show "Sign in with Google", "Sign in with Facebook", etc.). These SSO options open a pop-up window for us to log in through our third-party account (Google, Facebook, etc.).

In the image we see the normal behavior when we want to log in to Canva using Google. As can be seen, the Canva screen offers the option to continue with different services, and when one is chosen, a pop-up window is displayed in which you proceed to authenticate.

To carry out the Browser in the Browser attack, the attacker replicates a (fraudulent) pop-up window that looks like the one that appears when we log in with SSO, and in this way steals the credentials entered into the illegitimate login pop-up. Its appearance can be exactly identical to a legitimate login pop-up (including the URL shown in the address bar), which makes this attack very hard to detect. In a way, it is phishing within phishing: the illegitimate pop-up appears after we indicate that we want to log in to another illegitimate page provided by the attacker. Roughly speaking, this attack is similar to "traditional" phishing, but with the login carried out through SSO.

As mr.d0x states in his article, the URL is one of the aspects that makes a domain more credible. It is common, and in many cases effective, to check the URL to see whether the page in question is what it appears to be. This is what led him to look for a technique where the URL is (apparently) real and a victim can enter their credentials with peace of mind, or rather, with a false peace of mind.

In order to carry out the PoC, mr.d0x leaves some templates on his GitHub so that the attack can be tested (DISCLAIMER! In controlled test environments). As you can see, both in the code and at the top of the pop-up, the page title as well as the domain and its path are variables in which you can put values identical to the legitimate ones, giving the victim a false sense of security so that they enter their credentials.

HTML code for BITB

From the HTML, the URL can be changed very easily, and as you can see, it can be set to anything. To make it look realistic, all the attacker has to do is visit a page where the legitimate pop-up is generated and copy the URL to adapt it.
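The key defensive observation from the above is that the "address bar" of a BITB pop-up is just text painted into the page, while the real login surface is an iframe or form that points somewhere else. The following is an added example (not code from the original article or from mr.d0x's templates) of a heuristic that a content-inspection tool or a browser extension backend could apply to a fetched HTML page: it collects URL-looking text that is not a hyperlink, and flags any such URL whose host matches neither the page's own host nor the host of any iframe or form action on the page, provided the page also carries a login surface. All domain names and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches URL-looking text such as a painted address bar would show.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _Collector(HTMLParser):
    """Gathers non-link URL text, iframe sources, form actions and login inputs."""

    def __init__(self):
        super().__init__()
        self.in_anchor = 0
        self.in_raw = 0          # inside <script>/<style>, whose text is not visible
        self.visible_urls = []   # URL-looking text that is NOT an <a> link
        self.iframe_srcs = []
        self.form_actions = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.in_anchor += 1
        elif tag in ("script", "style"):
            self.in_raw += 1
        elif tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.in_anchor:
            self.in_anchor -= 1
        elif tag in ("script", "style") and self.in_raw:
            self.in_raw -= 1

    def handle_data(self, data):
        if self.in_anchor or self.in_raw:
            return
        self.visible_urls.extend(URL_RE.findall(data))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_painted_address_bars(html, page_url):
    """Return displayed URLs that look like a fake address bar.

    A URL is suspicious when it is shown as plain text (not a link), its host is
    not the page's own host, it matches no iframe src / form action on the page,
    and the page actually contains a login surface (iframe or password field).
    """
    c = _Collector()
    c.feed(html)
    if not c.iframe_srcs and not c.password_fields:
        return []  # nothing to phish with; plain URL mentions are harmless
    page_host = host_of(page_url)
    real_destinations = {host_of(u) for u in c.iframe_srcs + c.form_actions}
    findings = []
    for shown in c.visible_urls:
        h = host_of(shown)
        if h and h != page_host and h not in real_destinations:
            findings.append(shown)
    return findings


# Constructed sample: a div styled as a window, with a painted address bar
# showing one domain while the embedded login frame loads from another.
SUSPICIOUS_PAGE = """
<html><body>
<div class="fake-window">
  <div class="titlebar">Sign in - Accounts</div>
  <div class="urlbar"><span>https://accounts.example-sso.com/o/oauth2/auth</span></div>
  <iframe src="https://login-harvest.example.net/frame"></iframe>
</div>
</body></html>
"""

# Constructed sample: a normal article that merely mentions a URL in its text.
BENIGN_PAGE = """
<html><body>
<p>Read the write-up at https://blog.example-research.com/bitb and share it.</p>
<a href="https://twitter.com/example">Twitter</a>
</body></html>
"""

if __name__ == "__main__":
    print(find_painted_address_bars(SUSPICIOUS_PAGE, "https://attacker-page.example.org/promo"))
    print(find_painted_address_bars(BENIGN_PAGE, "https://blog.example-research.com/bitb"))
```

This is a heuristic, not a verdict: a page that legitimately documents a third-party URL next to an embedded login frame will trip it, so it belongs in a triage pipeline alongside the manual check the author alludes to (a real pop-up is a separate OS window and can be dragged outside the browser; a BITB pop-up cannot leave the page).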

To appreciate the false sense of security that a victim of this attack can have, we have the following comparison. This image is a test that mr.d0x did to show that with this technique the pop-ups are identical.

To better understand how the technique works, the following Infinite Logins video shows a detailed PoC of BITB in action:

This technique makes a phishing case harder to detect and therefore increases its effectiveness. That is why MFA (multi-factor authentication) gains importance and should be applied: having more than one authentication factor will save the day (once again).

And as always with social engineering attacks, awareness and critical thinking are very important in order not to fall into the trap. This is precisely where the apparent, on-paper limitation of this technique comes in: to reach this undetectable pop-up window we would previously have had to fall for a suspicious link of the usual kind, so the power of this technique only hits you once you are already caught by the first link. Even so, we should not be complacent, since it is a novel technique and further investigation is needed to understand its behavior in different scenarios.

Awareness!!

mr.d0x article “Browser In The Browser (BITB) Attack”: here

mr.d0x’s Twitter: here

