We depend on secure log-in portals to access work resources. However, the rise of browser-in-the-browser (BitB) attacks means a login window on screen cannot be trusted just because it looks like one: the "window" may be part of the web page rather than part of the browser, so SSO and web application login pages deserve a second look.

BitB attacks take advantage of users' trust in login pop-ups and SSO pages. They trick people into handing over personal and business credentials. This article explains how these attacks work, shares real-world examples, and provides security tips to stay safe.

Browser-in-the-browser attack definition

A browser-in-the-browser (BitB) attack mimics a trusted website or login page by drawing a fake browser window inside an ordinary web page. The threat actor builds a login prompt that looks just like the real pop-up, complete with a window frame, title bar and address bar. Because it matches the layout users expect, the malicious pop-up blends in naturally.

Users may not notice the difference, making it easy to steal credentials. This technique is harder to detect than using fake websites, and can rapidly have serious consequences. Criminals can gain victims’ trust and then coerce them into entering credentials or other sensitive information into fake login forms.

How does a BitB attack work?

We rely on web browsers to access workloads and collaborate online. However, using the web is far from risk-free. Threat actors can use browser attacks to compromise sessions, turning harmless browser windows into vectors for data and identity theft.

BitB attacks are a notable browser-based threat. They are a social engineering trick: a fake login window, drawn in HTML and CSS, that mimics the trusted pop-up a user expects to see and steals whatever is typed into it.

Cybercriminals use HTML and CSS to mimic a browser window within a webpage. This fake pop-up window resembles a trusted site. It could mimic a company’s single sign-on portal or a reputable service like Gmail or Microsoft Teams.


Users are not redirected to a separate fake website. They are already on a page the attacker controls, and the fake pop-up window is drawn on that page to look as if it comes from a trusted site. Criminals can visually spoof URLs within the fake login window, making it seem legitimate.

A BitB attack uses HTML, CSS, and JavaScript to fake a login page's appearance. This includes a false address bar inside the pop-up, showing the expected domain and a padlock. However, the actual URL in the browser's real address bar stays the same, and because the "window" is just page content it cannot be dragged outside the browser's viewport the way a real pop-up can.
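The check below is an added example, not code from the article or from any vendor: a small heuristic, in JavaScript, that flags a page rendering a foreign URL as page content next to a password field, which is the fingerprint of a painted address bar. It runs over an HTML string so it works in Node without a browser; in an extension content script the same logic would walk document.body text nodes and read window.location.origin. The origins lure.example and login.corp.example, the class names and the two sample pages are constructed for the example.

```javascript
// Added example (not from the article): a heuristic that flags a page which
// paints a foreign URL as *content* next to a password field, the signature
// of a fake address bar. Runs on an HTML string so it works in Node; in an
// extension content script the same checks would walk document.body text nodes.

const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

// Collect URL-looking strings rendered as page content: text nodes and input
// values. (href/src attributes are ignored; links legitimately point elsewhere.)
// A real address bar is browser chrome, so a URL drawn inside the page body is
// never the page's own URL.
function visibleUrls(html) {
  const stripped = html
    .replace(/<script[\s\S]*?<\/script>/gi, '')
    .replace(/<style[\s\S]*?<\/style>/gi, '');
  const found = [];
  for (const m of stripped.matchAll(/>([^<]+)</g)) {
    for (const u of m[1].match(URL_RE) || []) found.push(u);
  }
  for (const m of stripped.matchAll(/\bvalue\s*=\s*"([^"]*)"/gi)) {
    for (const u of m[1].match(URL_RE) || []) found.push(u);
  }
  return found.map(u => u.replace(/[.,)]+$/, ''));
}

// Compare each painted URL with the origin the browser really loaded. In a
// content script realPageUrl would be window.location.href; here it is passed
// in so the function can run outside a browser.
function analyzePage(html, realPageUrl) {
  const realOrigin = new URL(realPageUrl).origin;
  const foreignUrls = [];
  for (const u of visibleUrls(html)) {
    let parsed;
    try { parsed = new URL(u); } catch { continue; }
    if (parsed.origin !== realOrigin) foreignUrls.push(u);
  }
  const hasPasswordField = /<input[^>]*type\s*=\s*"password"/i.test(html);
  return {
    realOrigin,
    foreignUrls,
    hasPasswordField,
    // A foreign URL alone is common (help text, links); next to a password
    // field it is the BitB pattern.
    suspicious: hasPasswordField && foreignUrls.length > 0,
  };
}

// Constructed sample: a lure page on the attacker's origin that renders a fake
// sign-in "window" whose address bar is a read-only input showing Google's URL.
const BITB_LURE = `
<html><body>
<div class="fake-window" style="position:fixed;top:120px;left:300px">
  <div class="fake-chrome">
    <span class="padlock">&#128274;</span>
    <input class="fake-urlbar" value="https://accounts.google.com/signin/v2/identifier" readonly>
  </div>
  <form action="/collect" method="post">
    <input type="email" name="u">
    <input type="password" name="p">
    <button>Next</button>
  </form>
</div>
</body></html>`;

// Constructed sample: a genuine login page that quotes its own URL in help text.
const GENUINE_LOGIN = `
<html><body>
<p>Sign in at https://login.corp.example/sso to continue.</p>
<form method="post"><input type="password" name="p"></form>
</body></html>`;

const lureVerdict = analyzePage(BITB_LURE, 'https://lure.example/tournament');
const genuineVerdict = analyzePage(GENUINE_LOGIN, 'https://login.corp.example/sso');
console.log('lure:', lureVerdict.suspicious, lureVerdict.foreignUrls);
console.log('genuine:', genuineVerdict.suspicious, genuineVerdict.foreignUrls);
```

Treat the result as a signal rather than a verdict: a support page that quotes another site's URL next to a login form would trip it, and a lure that draws its address bar as an image would not. The useful property is the one the heuristic encodes, that nothing the page itself renders can be the page's real URL.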

When users interact with this fake login window, criminals can extract their credentials or data for sale or use in secondary attacks. They can build detailed profiles for phishing attacks, leverage user credentials to enter protected networks, or even organize an account takeover.

What makes BitB attacks effective is that they exploit the very cues users are taught to check. Victims believe they are engaging with a secure sign-on portal, but they actually hand their data to malicious actors. This makes it essential to stop BitB attacks before a user ever types credentials into the fake window.

BitB attacks in the real world

Before discussing mitigation techniques, let's look at BitB attacks in the wild. That way, we can learn a few tell-tale signs of fake login forms and pop-ups, and some things to look for as you access SSO portals.

The BitB technique was first documented by security researcher mr.d0x in March 2022. The write-up showed that a convincing browser window, including a seemingly legitimate URL bar, can be built from HTML and CSS alone.

Since then, real-world BitB attacks have proved mr.d0x correct. In 2022, attackers sent fake invitations to users of the Steam gaming platform that led to a BitB login pop-up. These attacks reportedly led to the theft of accounts worth up to $300,000.

Around the same time, the Ghostwriter group, a threat actor linked to Belarus, added BitB phishing to its credential-theft tactics. Attackers used BitB to simulate a login page for passport.i.ua, a popular Ukrainian email provider. The fake pop-up appeared over a compromised website, tricking users into entering credentials. Once submitted, the stolen credentials were sent to a domain controlled by the attackers.

These examples show that BitB attacks represent an increasingly popular phishing technique. Fortunately, there are ways to detect a fake pop-up window and avoid entering credentials or sensitive data.

How to protect against a browser-in-the-browser attack?

BitB attacks challenge security teams because the usual visual cues fail. With a conventional phishing site, a careful user can spot the wrong domain in the address bar. A BitB lure paints the expected domain inside the fake pop-up, so a user who checks "the URL of the login window" sees exactly what they expect. Note what does not change: the browser's real address bar still shows the attacker's page, so URL reputation, proxy logs and the browser's own phishing warnings still apply to the lure itself. Robust defenses are therefore layered, as described below.

Security best practices to deal with browser-in-the-browser attacks include:

Adopt multi-factor authentication (MFA)

BitB attacks gather user names and passwords via phony log-in portals. This exposes companies that rely on password-only authentication: attackers only need to phish or brute-force credentials to gain network access.

Multi-factor authentication (MFA) is the most important control. MFA requires an additional factor at every log-in, such as a one-time passcode sent to a phone, an authenticator app, or a hardware security key. Adding an extra factor reduces the value of a stolen password on its own. Two caveats apply. A one-time code typed into the fake window can be relayed to the real portal by the attacker as quickly as the password was, so codes raise the bar but do not close the gap. Phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys) does close it: the browser binds each assertion to the origin of the page that requested it, and a credential registered for your portal is never offered to a page on the attacker's domain, however convincing its painted address bar.

Password managers also help, for the same reason. They store the origin of each legitimate sign-on site and only offer to autofill on that origin. A fake login window is still part of the attacker's page, so the manager stays silent. Treat a familiar login prompt that receives no autofill offer as a warning sign rather than a glitch.

Implement browser security measures

BitB attacks leverage web technologies like HTML, CSS, and JavaScript to create fake login pop-ups, and rely on social engineering to get users to type into them. Strengthen your defenses by keeping your browser and extensions updated, and leave the browser's built-in phishing and malware warnings enabled: they key on the real page URL, not on the one painted inside the pop-up.

Consider adding browser security extensions as well. These extensions monitor security indicators and scan for threats via enhanced URL verification. This potentially alerts users to fake log-in windows.

Practise secure web browsing

Encryption on its own does not stop BitB. An attacker's lure page can be served over HTTPS with a valid certificate, and the padlock drawn inside the fake pop-up is just an image. The padlock that matters is the one in the browser's real address bar, next to the real URL. Where encryption does help is on legitimate sites: a page served over plain HTTP can be modified in transit, which gives an attacker one more way to inject a fake pop-up into a site users trust. So prefer HTTPS sites, but judge a page by the real address bar, never by any indicator the page itself displays.

Site operators should also deploy a comprehensive Content Security Policy (CSP). CSP is a response header the site sends and the browser enforces; it limits which sources a page may load scripts, frames and images from, and where its forms may submit. That matters for the compromised-website vector seen in the Ghostwriter case: with inline scripts blocked and form submissions restricted to the site's own origin, an injected pop-up can neither run its script nor post captured credentials to an attacker's domain. A strict starting point is Content-Security-Policy: default-src 'self'; script-src 'self'; form-action 'self'; frame-ancestors 'none', where frame-ancestors also stops the real login page being embedded inside someone else's page.

CSP cannot protect a page the attacker fully controls, since the attacker chooses that page's headers. What administrators can enforce centrally, through managed or enterprise browsers, is browser policy: forced updates, approved extensions and URL blocklists applied consistently to every user.

Implement endpoint protection systems (EPS)

Endpoint security tools scan for the malware that often follows a successful credential theft, but they also help earlier in the chain: EPS tools with signature detection can recognise and block known phishing-kit scripts before they render a fake portal.

Advanced EPS systems include behavioral monitoring that checks for unusual browser activity. They can also isolate compromised endpoints, ensuring a BitB attack does not cascade through connected network assets.

Audit user privileges

Remember: BitB attackers want to acquire user credentials and gain network access. Attackers with administrative credentials can roam freely across databases and applications, often with the power to extract or delete data.

Avoid this situation by strictly policing user privileges. Downgrade temporary privilege escalations and link user permissions to business roles according to the principle of least privilege. Even if BitB techniques succeed, attackers should have limited network access.

In summary: Protect your network against browser-in-the-browser attacks

Browser-in-the-browser attacks are making the web a more dangerous place to work and share information. These deceptive cyber-attacks can lead to severe consequences, including identity theft, data loss, and account hijacking, which can cripple operations and damage business reputations.

Vigilance is essential. Secure your web browsers with robust authentication, threat detection systems, and security training—and consult expert partners to cut your data security risks.