What is a Browser In The Browser (BITB) Attack Type

In this article, we will learn about the Browser In The Browser (BITB) phishing technique, which simulates a browser window in the browser to fake a legitimate domain.

Introduce

For security professionals, the URL is often the most trusted part of the domain. But attacks like IDN Homograph and DNS Hijacking can reduce the trustworthiness of a URL, but not to the extent of making it untrustworthy.

All of this finally got me thinking, is it possible to make the “Check URL” advice less reliable? After a week of brainstorming, I decided that the answer was yes.

Browser In The Browser (BITB) Attack

Pop-up login window

Quite often when we authenticate a website through Google, Microsoft, Apple, etc. we are presented with a pop-up asking us to authenticate. The image below shows the pop-up that appears when someone tries to sign in to Canva with their Google account.

What is a Browser In The Browser (BITB) Attack Type 22

Window scaling

Creating a popup with basic HTML/CSS is pretty straightforward. Combine a window design with an iframe that points to a malicious server hosting a phishing page and is essentially indistinguishable. The image below shows the fake window compared to the real one. Few people will notice the slight difference between these two windows.

What is a Browser In The Browser (BITB) Attack Type 23

JavaScript can easily be used to make a window appear on a link or button click, on page load, etc. And of course you can make the window appear visually appealing through the animations available in libraries like JQuery.

Demo

What is a Browser In The Browser (BITB) Attack Type 24

Customize URL on hover

Hovering over a URL to determine if it’s valid, isn’t very efficient when JavaScript is allowed. HTML with a link usually looks like this:

<a href="https://gmail.com">Google</a>

If the onclick event returning false is added, then hovering over the link will continue to show the web page in the href attribute but when the link is clicked the href attribute is ignored. We can use this knowledge to make the popup look more realistic.

<a href="https://gmail.com" onclick="return launchWindow();">Google</a>

function launchWindow(){
    // Bật cửa sổ giả
    return false; // Đảm bảo thuộc tính href bị bỏ qua
}

Samples are available

The author has created 2 templates for the following operating systems and browsers:

  • Windows – Chrome (Light & Dark Mode)
  • Mac OSX – Chrome (Light & Dark Mode)

These templates are available on Github here.

When downloading the source code, open the index.html file and change some places as follows:

  • XX-TITLE-XX – Display title for the page (e.g. Sign in to your account now)
  • XX-DOMAIN-NAME-XX – The domain name you are spoofing. (eg: gmail.com)
  • XX-DOMAIN-PATH-XX – Domain name path (e.g. /auth/google/login)
  • XX-PHISHING-LINK-XX – Phishing link will be embedded in the iFrame (example: https://example.com)

What is a Browser In The Browser (BITB) Attack Type 25

And this is the result. Also, if you’re using a Windows template, you should update the logo.svg file, the icon of the website you’re spoofing. The default logo is Microsoft’s.

What is a Browser In The Browser (BITB) Attack Type 26

The Windows-DarkMode-Delay folder uses jQuery’s fadeIn() function to add a small delay to the popup when it appears.

Conclude

With this technique we can now improve our cheat games. The target user still needs to visit your website for the popup to be displayed. But once on the website owned by the attacker, users will feel comfortable when they enter their credentials because the URL looks very trustworthy.

Leave a Reply