Browser in the Browser Attack

Secpy Community
Published in InfoSec Write-ups · Oct 8, 2022


Written by: anshul vyas


Introduction

Cybercriminals keep inventing new ways to trick users into handing over credentials, secret keys and other valuable information. However sophisticated these schemes become, almost all of them rely on a user who is not paying attention. The first thing to check before entering credentials is the address of the site asking for them; that single check defeats most phishing. This article is about an attack built to get past that check: the URL the victim sees looks safe and correct.

Everyone has received a fake email or message demanding immediate attention at least once. Phishing goes well beyond email, though, and an enterprise that does not take precautions can suffer a damaging phishing-driven breach: the direct cost hits the balance sheet, and the brand's reputation suffers once the breach becomes public. A browser-in-the-browser (BitB) attack is a phishing technique that steals credentials by simulating a browser pop-up window inside a web page.

The victim is shown a fake pop-up that asks for the login credentials of the site open in the underlying window, and whatever is typed into it goes straight to the attacker. Businesses therefore need to protect both employees and consumers against it. Let's look at how the attack works.

What is a Browser In The Browser Attack?

When a site offers single sign-on (SSO) with a provider such as Google, the normal flow opens a small pop-up window in which the user signs in to the identity provider, and that pop-up's address bar shows the provider's real domain. A BitB page imitates the pop-up with ordinary HTML, CSS and JavaScript drawn inside the attacker's own page: a fake title bar, a fake address bar and a login form. This is the difference from conventional phishing. A conventional phishing page cannot change what the browser's real address bar shows, so its URL merely resembles the legitimate one; in a BitB window the "address bar" is rendered text, so the attacker can write the legitimate provider URL into it verbatim. Users like SSO because they do not have to remember separate credentials for every application, and that habit of clicking through a familiar provider pop-up is exactly what the attack exploits.

Because a user cannot tell the fake pop-up from a real one just by looking at it, the SSO habit turns against them. Businesses that offer SSO across their applications therefore run a higher risk of having consumer credentials captured this way, and they need to understand that risk and add compensating controls rather than rely on SSO alone.

What is the best way to tell if the login window is real or fake?

There are still ways to identify the fake login window, even though it does not look obviously fake. A real login pop-up is a separate browser window and behaves like one: it can be maximized, minimized and moved anywhere on the screen, including over the browser window that opened it and beyond its edges. The fake pop-up is an element of the web page. Some kits let you drag it, but only within the page's viewport; it can never cross the parent window's border or slide over the real address bar above it.

Try the following to verify whether your login form is fake:

  1. Minimize the browser window from which the form appeared. If the login box disappears along with it, it was part of the page rather than a separate window. A real pop-up stays on the screen.
  2. Drag the login window past the parent window's border. A real window crosses over; a fake one stops at the edge.
  3. If the login form behaves strangely in any of these ways (it minimizes with the parent, stops at the edge or disappears under the address bar), do not enter your credentials.
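The mechanism behind the fake window described in the previous section, and the geometry behind the drag test above, as an added example. This is not code from the original article or from any published BitB kit; the spoofed URL, window sizes, class names and the clone path are illustrative assumptions.

```javascript
// Added example, not code from the original article or from any published
// BitB kit. It shows why a browser-in-the-browser window can display any
// URL (the "address bar" is page content) and why the drag/minimize test
// exposes it. Spoofed URL, sizes, class names and paths are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Markup of the fake pop-up. Everything the victim reads as browser chrome
// (title, padlock, URL) is plain text inside a fixed-position <div> on the
// attacker's page; the browser never checks it. The <iframe> has to point at
// an attacker-hosted clone of the login form, because real identity
// providers refuse to be framed (X-Frame-Options / frame-ancestors).
function buildFakePopupHtml({ spoofedUrl, title, contentSrc, width = 600, height = 520 }) {
  const chromeHeight = 32 + 36; // title bar + address bar
  return [
    `<div class="bitb-window" style="position:fixed;left:120px;top:80px;width:${width}px;height:${height}px">`,
    `  <div class="bitb-titlebar" style="height:32px;cursor:move">${escapeHtml(title)}</div>`,
    `  <div class="bitb-addressbar" style="height:36px">&#x1F512; ${escapeHtml(spoofedUrl)}</div>`,
    `  <iframe src="${escapeHtml(contentSrc)}" style="border:0;width:100%;height:${height - chromeHeight}px"></iframe>`,
    `</div>`,
  ].join("\n");
}

// Dragging the fake window only updates its left/top, and the kit clamps the
// position so the element stays inside the page's viewport. A genuine pop-up
// is a separate OS window and has no such limit.
function clampToViewport(pos, win, viewport) {
  const maxLeft = Math.max(viewport.width - win.width, 0);
  const maxTop = Math.max(viewport.height - win.height, 0);
  return {
    left: Math.min(Math.max(pos.left, 0), maxLeft),
    top: Math.min(Math.max(pos.top, 0), maxTop),
  };
}

// The user-side check as geometry: did the login window end up partly
// outside the parent browser window? A real pop-up can; a page element
// never can, whatever position the user drags it to.
function escapedParentWindow(rect, parent) {
  return (
    rect.left < parent.left ||
    rect.top < parent.top ||
    rect.left + rect.width > parent.left + parent.width ||
    rect.top + rect.height > parent.top + parent.height
  );
}

// Simulate the drag test for both kinds of window: the real pop-up lands
// where the user dragged it, the fake one lands at the clamped position.
function dragTest(target, win, viewport) {
  const realRect = { ...target, ...win };
  const fakeRect = { ...clampToViewport(target, win, viewport), ...win };
  const parent = { left: 0, top: 0, ...viewport };
  return {
    realEscapes: escapedParentWindow(realRect, parent),
    fakeEscapes: escapedParentWindow(fakeRect, parent),
  };
}

// Browser-only: wire the clamped drag to the fake title bar so the example
// can be tried in a page. Not executed under Node.
function attachClampedDrag(el, viewport) {
  const bar = el.querySelector(".bitb-titlebar");
  let start = null;
  bar.addEventListener("mousedown", (e) => {
    start = { x: e.clientX - el.offsetLeft, y: e.clientY - el.offsetTop };
  });
  window.addEventListener("mousemove", (e) => {
    if (!start) return;
    const win = { width: el.offsetWidth, height: el.offsetHeight };
    const p = clampToViewport({ left: e.clientX - start.x, top: e.clientY - start.y }, win, viewport);
    el.style.left = `${p.left}px`;
    el.style.top = `${p.top}px`;
  });
  window.addEventListener("mouseup", () => { start = null; });
}

if (typeof document === "undefined") {
  // Node: drag 300px past the left edge of a 1280x800 viewport.
  console.log(dragTest({ left: -300, top: 50 }, { width: 600, height: 520 }, { width: 1280, height: 800 }));
}
```

Run under Node the drag test reports that the real window escapes the parent while the fake one does not, which is the whole basis of step 2 above. In a browser you can paste the generated markup into a page, call `attachClampedDrag` on it and watch it stop at the viewport edge; the real SSO pop-up opened by a legitimate site has no such stop.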

A guide to preventing browser-in-browser attacks for businesses

Given how much SSO offers businesses and consumers, abandoning it is not a good idea. Businesses can limit the damage of browser-in-browser attacks and the risks that come with them by layering additional controls on top of single sign-on.

  • Multi-Factor Authentication

Multi-factor authentication (MFA) verifies a user's identity with more than one independent factor (something known, something possessed, something inherent) for login or other sensitive transactions, so an account is not lost when a single factor is compromised. Examples are a code from a smartphone app, the answer to a personal security question, a code sent to an email address, a fingerprint or a hardware token. Adding MFA to your policy limits the damage of a BitB attack because a captured password alone is no longer enough. One caveat matters here: a one-time code typed into the fake window can be captured and relayed exactly like the password, so code-based MFA only raises the bar. Factors bound to the site's origin, such as FIDO2/WebAuthn security keys and passkeys, cannot be replayed from an attacker's domain, and those are the software and hardware tokens that actually defeat BitB.

  • Risk-Based Authentication

Risk-based (adaptive) authentication is a further layer against browser-in-browser attacks. It scores each login attempt on signals such as a new device, an unusual location or impossible travel, and tightens the authentication requirements as the score rises: a low-risk login proceeds normally, a high-risk one must satisfy an additional factor. Credentials captured through a BitB window are replayed later from the attacker's own device and network, which is precisely the profile RBA scores as high risk, so it adds another hurdle at the moment the stolen credentials are used. A cloud-based consumer identity and access management (CIAM) platform can apply risk-based authentication even when users sign in through SSO.

  • Zero Trust Architecture

Zero trust is the principle that an enterprise trusts no device or user by default, whether inside or outside its network perimeter, and verifies identity and device state before every access decision. In practice, every request for access to an IP address, device or data store is authenticated and authorized on its own, so a credential captured through a BitB window is not on its own enough to move through the environment.
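Two server-side checks that back up the Multi-Factor Authentication point above, as an added example that is not code from the original article or from any identity vendor: refusing to let the genuine login page be framed, and accepting only authentication bound to the real origin (a WebAuthn assertion's clientDataJSON). Origins, the challenge and the sample inputs are constructed assumptions; the signature verification that completes a real ceremony is noted but not implemented.

```javascript
// Added example, not code from the original article or from any identity
// vendor. It shows why a BitB window is useless against origin-bound
// authentication even if the victim completes the login inside it.
// Origins, challenge and sample inputs are constructed assumptions.

// 1. Headers for the genuine login page. A BitB kit cannot load a page that
//    forbids framing into its fake window, so it must show a clone, and the
//    clone runs on the attacker's origin, not the relying party's.
function loginPageHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}
function base64urlEncode(s) {
  return Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 2. Relying-party checks on the clientDataJSON of a WebAuthn assertion.
//    The browser, not the page, fills in `origin`, and the authenticator's
//    signature covers it. A login form cloned into a BitB window hosted on
//    https://sso-example.attacker.test cannot yield a clientDataJSON that
//    claims https://sso.example.com. A one-time code typed into the same
//    window carries no origin at all, which is why it can be relayed.
function verifyClientData(clientDataB64url, { expectedOrigin, expectedChallenge }) {
  let cd;
  try {
    cd = JSON.parse(base64urlDecode(clientDataB64url));
  } catch (e) {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (cd.type !== "webauthn.get") return { ok: false, reason: `unexpected type ${cd.type}` };
  if (cd.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch (replay?)" };
  if (cd.origin !== expectedOrigin) return { ok: false, reason: `origin ${cd.origin} is not ${expectedOrigin}` };
  // Remaining steps of a real ceremony, not implemented here: check rpIdHash
  // and the user-presence flag in authenticatorData, then verify the
  // signature over authenticatorData || SHA-256(clientDataJSON) with the
  // public key stored at registration.
  return { ok: true, reason: "origin-bound assertion for the relying party" };
}

// Constructed sample inputs (not captured traffic): what the browser builds
// on the genuine page versus inside an attacker-hosted clone.
const RP_ORIGIN = "https://sso.example.com";
const CHALLENGE = base64urlEncode("constructed-challenge-0001");
const genuineClientData = base64urlEncode(
  JSON.stringify({ type: "webauthn.get", challenge: CHALLENGE, origin: RP_ORIGIN })
);
const phishedClientData = base64urlEncode(
  JSON.stringify({ type: "webauthn.get", challenge: CHALLENGE, origin: "https://sso-example.attacker.test" })
);

function demo() {
  const expected = { expectedOrigin: RP_ORIGIN, expectedChallenge: CHALLENGE };
  return {
    genuine: verifyClientData(genuineClientData, expected),
    phished: verifyClientData(phishedClientData, expected),
  };
}
console.log(demo());
```

In practice the browser already refuses to run the WebAuthn ceremony on the attacker's page for a relying-party ID it does not own, so the phished case never even reaches the server; the origin check is the relying party's own line of defense should an assertion arrive by any other route. Compare this with a TOTP or email code, which the server can only check for value and time, not for where it was typed.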

How to set up a Browser in the Browser attack

Because the technique revolves around SSO, the attacker first hosts a fake SSO login flow on a malicious site and then lures the target there. When the target signs in through the fake pop-up, the credentials are sent to the attacker's server and stored. Although this sounds involved, phishing frameworks and page templates automate most of it: security researchers have already published BitB templates that reproduce a browser pop-up window framing the login pages of Google, Facebook and Apple, so an attacker only has to swap in their own URL text and capture endpoint.

Conclusion

Using the internet can feel risky, and cybercrime is not going away, but you do not need to be intimidated by it if you follow general best practices, stay alert and put the right controls in place. Keeping up with current scams and techniques is the cheapest defense there is.
