The BITB attack makes phishing almost undetectable
By MYBRANDBOOK
An unfamiliar phishing technique called browser-in-the-browser (BitB) attack can be exploited to imitate a browser window within the browser in order to trick a legitimate domain, thereby making it possible to stage convincing phishing attacks.
In early 2020, a campaign that leveraged the BitB trick to siphon credentials for video game digital distribution service Steam by means of fake Counter-Strike: Global Offensive websites was discovered.
According to penetration testers and security researchers, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as "Sign in with Google" (or Facebook, Apple, or Microsoft).
While the default behavior is to be greeted by a pop-up window to complete the authentication process when a user attempts to sign in via these methods, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.
Potential victims need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting, while this method significantly makes it easier to mount effective social engineering campaigns.
Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others. In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when it is tried to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.
Singapore to remove One-Time Passwords from Bank Accounts
According to the Monetary Authority of Singapore, clients who utilise secur...
Is 375 million Airtel subscribers database breached?
When a hacker claims to have accessed and put up for sale a customer databa...
The government of India intends to construct a single portal f
A single portal will be launched by the Indian government to list all of it...
OpenAI offers GPT-4o, a faster model available to all users at
GPT-4o, a faster and more sophisticated AI model, is made available to all...
ICONS OF INDIA : S KRISHNAN
S Krishnan as the secretary for the electronics and information techno...
Icons Of India : Puneet Chandok
Puneet Chandok is President, Microsoft India & South Asia and is respo...
Icons Of India : B.V.R. Subrahmanyam
A 1987 batch (Chhattisgarh cadre) Indian Administrative Service Office...
RailTel Corporation of India Limited
RailTel is a leading telecommunications infrastructure provider in Ind...
GeM - Government e Marketplace
GeM is to facilitate the procurement of goods and services by various ...
CERT-IN - Indian Computer Emergency Response Team
CERT-In is a national nodal agency for responding to computer security...
Indian Tech Talent Excelling The Tech World - Dheeraj Pandey, CEO, DevRev
Dheeraj Pandey, Co-founder and CEO at DevRev , has a remarkable journe...
Indian Tech Talent Excelling The Tech World - Sundar Pichai, CEO- Alphabet Inc.
Sundar Pichai, the CEO of Google and its parent company Alphabet Inc.,...
Indian Tech Talent Excelling The Tech World - ARVIND KRISHNA, CEO – IBM
Arvind Krishna, an Indian-American business executive, serves as the C...