Browser In The Browser (BITB) Attack
Posted: Fri Mar 18, 2022 7:14 pm
This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.
https://mrd0x.com/browser-in-the-browse ... ng-attack/
For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent that makes URLs unreliable.
All of this eventually lead me to think, is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.
(...)
Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted.
With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so)."
https://mrd0x.com/browser-in-the-browse ... ng-attack/
For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent that makes URLs unreliable.
All of this eventually lead me to think, is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.
(...)
Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted.
With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so)."