This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain. ... ng-attack/
For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent that makes URLs unreliable.
All of this eventually lead me to think, is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.
Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted.
With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so)."
Browser In The Browser (BITB) Attack
Browser In The Browser (BITB) Attack
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Re: Browser In The Browser (BITB) Attack
To me, that would seem to be the basic issue, not that a displayed URL could be spoofed.Quite often when we authenticate to a website via Google, Microsoft, Apple etc.
(Seems to me, that Mozilla at least, has denied bugs to not allow that to happen. Possibly for good enough reasons.)
And then there is this part, "The target user would still need to land on your website".
So all in all, I'd think not as "bad" as it might seem.
And that said, I'm sure it could easily catch some.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.12