Signing in to sites through Google and more? So watch out for the BITB phishing attack

Security researcher mr.d0x has shown on his website how phishing attacks can be taken a step further, this time targeting logins to websites through third-party identity providers: Google, Facebook, GitHub, Twitter and other OAuth-based systems.

We all know the routine. You load the XYZ website and, instead of tediously creating an account, click the button to log in quickly through one of the ecosystems mentioned above. Mr.d0x's approach relies on the fact that as soon as a login dialog from one of these providers appears, we usually trust it implicitly.

This is what a legitimate ZeroTier login with your Google account looks like

He therefore created a demo of BITB (Browser In The Browser), which simulates a second, nested browser window inside the existing one using ordinary HTML, CSS and JavaScript. Templates are available for Chrome on Windows and macOS, in both dark and light modes.

And this is his phishing version using BITB. The secondary login window is really just HTML, CSS and JavaScript. Would you bet your life that you could tell the difference?

In this way, the attacker can create a situation where a second, seemingly trusted browser window appears above the main page, complete with an address bar in which even the lock icon confirming a trusted domain lights up. You can drag the window around inside the page, and the familiar login form is displayed inside it.

At the same time, all of it is just the attacker's HTML code, including a copy of the form from the Google website. So as soon as anyone inadvertently fills in their login details, they are caught.

Example in practice:

Phishing does not have to break anything: it need not exploit any particular program or operating system. What it attacks is our own psychology and inattention.

No wonder, then, that it is these more sophisticated phishing practices, so-called spear phishing, that by far most often open the door into a system today. We hand over our login names and passwords entirely voluntarily, and only then does any actual malware come into play.
