Browser-in-the-Browser (BitB) Attack

When I look back at my nascent years in Cybersecurity (circa 2008), it was extremely easy to fool users into divulging their credentials on phishing pages. Almost all the users were naive. Back then, I had thought to myself that the threat of Phishing was short-lived. Eventually, people would be smart enough to know the difference between a phishing page and a genuine login page.

But 15 years later, I am still being proven wrong every day. Phishing still remains one of the top means for cyber fraudsters to get initial access to an organization. How they further exploit this initial access is completely dependent upon the sophistication of the attacker and the sophistication of the defenses implemented in the organization.

How Do You Typically Defend Against Phishing Attacks?

When we think about the proposed defense for Phishing, almost everyone will tell you to make your users aware of the risks. Teach them how to identify a Phishing page. That’s fair advice! I get it. People need to be told to be on the lookout for phishing emails and phishing pages. Traditional wisdom says these are the things to check when telling a legitimate page from a Phishing page:

  • Check the domain carefully for typos
  • Check SSL Certificate or padlock sign
  • The look and feel are identical to the original
  • There are no typos, glitches, or spacing issues on the page

Let’s Put The Above Guidance In Practice

Following the above guidance, let’s look at the following screenshot of a Google Login Page:

Let’s run through the above checklist to assess whether this is a legitimate login page:

  • Check the domain carefully for typos ✅
  • Check SSL Certificate or padlock sign ✅
  • The look and feel are identical to the original ✅
  • There are no typos, glitches, or spacing issues on the page ✅

Checks all the boxes for me! Looks legitimate, doesn’t it?

Google OAuth Login is usually triggered from another website’s login page. We are all pretty familiar with this flow. So, let’s zoom out a bit and see what the underlying page looks like:

The underlying web app can be anything that interests you. It could be a page for your favorite football club or a website offering free educational courses. If it interests you, you would not hesitate to log in with Google. It’s proven to be a safe way to authenticate to numerous websites. The login flow is almost embedded in your neural network. So, you would not see anything out of the ordinary in this flow.

But Hold On! There’s a Tiny Catch!

When you look under the hood of this seemingly innocent page, that is, in technical terms, when you inspect the source of the page, you would be astonished to know that “THE ENTIRE BROWSER POPUP INCLUDING THE TITLE BAR AND ADDRESS BAR IS ACTUALLY BUILT USING HTML”. It’s not a browser window at all!!

WHAT!!!

Welcome to the world of Browser-In-The-Browser (BITB) Attacks. This is a fairly new attack technique (discovered in mid-2022) being employed by fraudsters to trick your users into divulging their account credentials. This phishing strategy is difficult to detect even for a trained eye.

Modus Operandi of a Phishing Campaign using the BITB attack

  • Make an exciting offer that requires the user to Login with an OAuth service such as Google, Twitter, Microsoft, etc.
  • Spawn an HTML popup that looks exactly like the browser window when one of these login buttons is clicked
  • The window to render is customized based on the platform and the browser that the user is using
  • It even checks whether the user is using Light Mode or Dark Mode on the OS to ensure a flawless experience
  • Transmit credentials to the attacker’s server once the user submits them
  • Done. Initial Access Gained!

So, What’s the Solution? User Education?

Unfortunately, user education is not going to help on this front: the fake window checks all the boxes that a trained user would look for. There is only one logical solution, and that is to train your users to rely on password managers for auto-filling their passwords on sites. Although a human cannot tell a real browser window from a fake one, password managers can by design. That’s their default behavior. Password managers will not auto-fill credentials on the fake browser window because the login form is rendered in the context of the attacker’s site. A password manager is a great tool, not just because it prevents your users from reusing passwords, but also because it helps the user identify malicious sites using the dreaded BITB attack.
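
The autofill behavior described above can be modeled in a few lines. This is an added example, not code from the original post or from any password manager; the vault entry, hostnames and function names are constructed, and exact-origin matching is a simplifying assumption.

```javascript
// Added example: simplified model of a password manager's autofill check.
// Hostnames, paths and the vault entry are constructed for illustration.
const vault = new Map([
  ["https://accounts.google.com", { username: "alice@example.com" }],
]);

// Reduce a URL to its origin (scheme://host[:port]); null if unparseable.
function originOf(rawUrl) {
  try {
    return new URL(rawUrl).origin;
  } catch {
    return null;
  }
}

// documentUrl: URL of the document that really hosts the login form, as
//              reported by the browser itself.
// paintedUrl:  text the page draws in its HTML "address bar". It is page
//              content, so it is deliberately never consulted.
function autofillDecision(documentUrl, paintedUrl) {
  const origin = originOf(documentUrl);
  if (origin === null || !origin.startsWith("https://")) {
    return { fill: false, reason: "no secure, parseable origin" };
  }
  const entry = vault.get(origin);
  if (!entry) {
    return { fill: false, reason: `no saved login for ${origin}` };
  }
  return { fill: true, reason: `saved login for ${origin}`, username: entry.username };
}

// Constructed cases: [label, documentUrl, paintedUrl]
const cases = [
  ["real OAuth popup", "https://accounts.google.com/signin", null],
  ["BITB fake window", "https://free-courses.example/offer", "https://accounts.google.com/signin"],
  ["lookalike host", "https://accounts.google.com.free-courses.example/signin", null],
  ["plain HTTP", "http://accounts.google.com/signin", null],
];

function runCases() {
  return cases.map(([label, documentUrl, paintedUrl]) => ({
    label,
    ...autofillDecision(documentUrl, paintedUrl),
  }));
}

for (const r of runCases()) {
  console.log(`${r.label}: ${r.fill ? "autofill" : "refuse"} (${r.reason})`);
}
```

A missing autofill prompt on a login window that looks like Google’s is therefore the signal users should be trained to act on.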

Would You Like To Demonstrate This In Your Next Awareness Training?

This GitHub repository has a collection of Login Window Templates exploiting BITB on popular browsers:

https://github.com/mrd0x/BITB