A novel phishing technique called browser-in-the-browser (BitB) attacking has been uncovered by an Infosec researcher in mid-March, which uses simulated browser windows and other authentication service providers to steal login credentials.
BitB attacks act as an extension to existing clickjacking or user-interface redressing that alters the appearance of browsers and web pages to trick users to bypass security controls. With this technique, an entirely fabricated replica is created – a user thinks they are seeing the real popup window, but it’s just faked within the page.
“Very few people would notice the slight differences between the two,” according to the report. “Once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website.”
Julia O’Toole, Founder and CEO of MyCena Security Solutions, says that businesses should remove the danger presented by BitB phishing attacks by ensuring that employees can no longer create, view or type passwords to access the company files, apps and systems. This amounts to taking back access control and removing the risks of human error from the network access process.
“To the untrained eye, which is likely to be the majority of workers, these types of phishing attacks are dangerous yet impossible to spot. All it takes is for one unsuspecting employee to make a mistake and it compromises the entire network.”
“Attacks like these aren’t for quick cash payouts. Actors will sit inside your system and wait to cause the most damage. All the while, the user continues working without realising they’ve unwittingly given their credentials away.”
“Additionally, this type of attack has been utilised in the past. In 2020, cybercriminals used similar BitB techniques on the video game digital distribution service Steam to gain access to consumer credentials. Whilst this may cause damage to individuals, what we’re seeing now is a more aggressive assault on an organisational level.”
While some have recommended using a password manager and Single Sign-On tools to circumvent the problem, as they automatically input passwords without falling for the replica windows, this still presents major issues.
“As we’ve seen recently, centralising multiple passwords behind a manager master password does nothing to prevent access fraud. It only centralises access information for hackers in a breach scenario. This was the case of the Lapsus$ group who, after infiltrating Okta’s network, were able to easily find an Excel document filled with Lastpass master passwords to access their customers' domain administrator accounts.”
“Password managers and Single Sign-on tools may provide a surface layer of convenience for users, but in the event of a breach also offer their company’s keys to the kingdom on a silver platter. Instead, access segmentation and encrypted passwords distribution is a more effective solution that completely removes the potential threat of human error or fraud from the equation and safeguards access integrity.”
“Additionally, businesses might see the appeal in doubling down with multi-factor authentication (MFA) methods as a precaution. But their initial loss of access control means that not even MFA can guarantee the legitimacy or integrity of access. Cyber attackers have found many ways to infiltrate those as we’ve seen recently through known vulnerabilities in MFA protocols. Relying on MFA merely postpones an inevitable breach of access, rather than securing your cybersecurity and cyber resilience outright.”
“Cyber attackers are more intelligent and relentless when it comes to modern-day phishing techniques. Relying on traditional security approaches is no longer enough.”
“Instead, returning access control, segmentation and security to the organisational side ensures that employees non longer need to create, see, or type passwords. Using a safe path from receiving, storing to using encrypted credentials, means they don’t have to worry about leaking them accidentally to cyber actors.”