RISKS
What happened
A fairly simplistic, yet effective, phishing technique termed browser-in-the-browser (or BitB for short) has been causing havoc since early 2022.
The Hacker News reported, “According to penetration tester and security researcher, who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft),” in an article published March 21, 2022.
This attack simulates an expected pop-up authenticator by replicating the entire window design within the browser using HTML and CSS, code commonly used for website design. Both the page contents and url are spoofed to resemble a legitimate domain however it is just a realistic mockup of a webpage within the browser window.
“JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc,” said mrd0x in a technical write up on March 15, 2022. “And of course you can make the window appear in a visually appealing manner through animations available in libraries such as JQuery.”
This phishing attack was used against the estimated 120 million users of the popular gaming platform Steam.
“The attack begins with the hackers luring their victims to a fake webpage that contains the phishing resource. The hackers use a variety of tricks to do so, including sending invites to join gaming tournaments for Counter Strike, League of Legends, or DOTA 2 via direct messages,” VPN overview reported in a September 2022 article. “Once on the website, clicking on almost any button triggers the fake Steam login pop-up window.”
Once a user enters their credentials their information is sent to the hacker and the user is redirected to a legitimate website, none-the-wiser.
According to cybersecurity researchers at Group-IB, who detailed their research of the BitB phishing attacks on Steam in a post released September 13, 2022, “In July alone, specialists identified more than 150 fraudulent resources mimicking Steam, a major online gaming platform.”
Included in the same post from Group-IB are suggestions on how to spot a fake browser, including checking the taskbar to see if a new window was opened. Also, fake windows cannot be resized. Try to change the size of the window or maximize to full screen, if unsuccessful, then this is a fake window.
Why is this important?
While you may not be a gamer on Steam, this phishing technique could be applied to any site that uses third-party SSO options.
What does this mean to me?
This illustrates the importance of training and awareness to be wary when presented with a SSO sign-on window to ensure that your employees and third parties can spot the fake SSO sign-on windows when they encounter them. This entails training, social engineering to confirm their training and risk assessments to mitigate potential issues.
APPROACHES
Tactics to Identify Fake Popups
- Try to resize the window. If the window is fake, you will not be able to resize it. In such cases, you will also not be able to maximize it using the corresponding button in the header.
- Minimize the window. If the window is fake, the “minimize” button will close it.
- Check whether the lock symbol signifying the certificate is just a picture. If the window is fake, nothing will happen when you click on the lock. Authentic browsers display SSL certificate information.
- Fake windows will not be displayed if you disable the execution of JS scripts in the browser settings.
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.
SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING