Ever want to become a phisher? It's easier than ever with a new downloadable kit.
The phishing kit lets anyone download the templates needed to create fake versions of single sign-on login forms — the mini-browser windows that pop up to let users sign into a third-party site with their accounts on services like Google, Apple, or Twitter.
Not only are these phishing browsers easy to create, but they're incredibly tough to spot as well, and might fool even an experienced techie who could easily spot most other phishing schemes.
How it Works
The kit was created by a security researcher, mr.d0x, who has released it on GitHub. The researcher has dubbed the new form of phishing attack a “Browser in the Browser” (BitB) attack.
Templates in the kit include Google Chrome for Windows and Mac, with both dark and light mode versions available.
Phishers will still need to lure a victim onto a fake sign-in page, but once they click the button to sign in, they'll see an image rendered with custom HTML and CSS to resemble a browser pop-up window.
Ooh that’s nasty: Browser In The Browser (BITB) Attack, a new phishing technique that allows stealing credentials that even a web professional can’t detect. #Security https://t.co/cxU83DMEzt pic.twitter.com/m9eYOmq0al
— François Zaninotto 🇺🇦 (@francoisz) March 18, 2022
The URL Check Out
A big part of what makes this trick so convincing is that the URL — the spot that cybersecurity training tells everyone to double-check for spelling errors or hidden custom subdomains — can be faked.
The apparent browser pop-up isn't actually a real pop-up, so the URL can say whatever the phisher wants it to.
How convincing are they? Take a look.
According to mr.d0x, bad actors can download these templates, swap in their own URL and Window title, and display the form with an iframe.
This type of attack isn't just theoretical: Security firm Zscaler exposed a BitB attack in 2020, when scammers used fake Steam login windows to steal and resell users' Steam credentials.
How to Spot a BitB Attack
The latest and greatest phishing trick isn't one hundred percent undetectable, even if it is a sneakier attack than we're used to.
There's one simple tip to try to keep in mind the next time you're prompted to log into a new site with one of your bigger online accounts, whether it's Google, Apple, Twitter, Microsoft or, yes, Steam. You should try to move the browser pop-up window outside of the primary window.
If it's real, you'll be able to, since it's a pop-up window. If it's fake, you won't be able to move it out of the page that it's built within. You'll be able to confirm without a doubt that it's a trick.
But unless you know what to look for, no VPNs in the world can save you from typing in your personal information, so stay on guard.