New Phishing Kit Makes It Easy to Fake Chrome Browser Windows

There's a relatively new phishing attack to know about, and for once, checking the URL won't save you. Here's what will.

Ever want to become a phisher? It’s easier than ever with a new downloadable kit.

The phishing kit lets anyone download the templates needed to create fake versions of single sign-on login forms — the mini-browser windows that pop up to let users sign into a third-party site with their accounts on services like Google, Apple, or Twitter.

Not only are these phishing browsers easy to create, but they’re incredibly tough to spot as well, and might fool even an experienced techie who could easily spot most other phishing schemes.

How it Works

The kit was created by a security researcher, mr.d0x, who has released it on GitHub. The researcher has dubbed the new form of phishing attack a “Browser in the Browser” (BitB) attack.

Templates in the kit include Google Chrome for Windows and Mac, with both dark and light mode versions available.

Phishers will still need to lure a victim onto a fake sign-in page, but once they click the button to sign in, they’ll see an image rendered with custom HTML and CSS to resemble a browser pop-up window.

The URL Check Out

A big part of what makes this trick so convincing is that the URL — the spot that cybersecurity training tells everyone to double-check for spelling errors or hidden custom subdomains — can be faked.

The apparent browser pop-up isn’t actually a real pop-up, so the URL can say whatever the phisher wants it to.

How convincing are they? Take a look.

Facebook: phishing example

BitB Chrome phishing windows for Facebook. Image via mr.dox.

According to mr.d0x, bad actors can download these templates, swap in their own URL and Window title, and display the form with an iframe.

This type of attack isn’t just theoretical: Security firm Zscaler exposed a BitB attack in 2020, when scammers used fake Steam login windows to steal and resell users’ Steam credentials.

How to Spot a BitB Attack

The latest and greatest phishing trick isn’t one hundred percent undetectable, even if it is a sneakier attack than we’re used to.

There’s one simple tip to try to keep in mind the next time you’re prompted to log into a new site with one of your bigger online accounts, whether it’s Google, Apple, Twitter, Microsoft or, yes, Steam. You should try to move the browser pop-up window outside of the primary window.

If it’s real, you’ll be able to, since it’s a pop-up window. If it’s fake, you won’t be able to move it out of the page that it’s built within. You’ll be able to confirm without a doubt that it’s a trick.

But unless you know what to look for, no VPNs in the world can save you from typing in your personal information, so stay on guard.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Adam is a writer at and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals