April 14, 2022
What is a Browser in the Browser Phishing Attack?
The newest kind of phishing attack just got a very sophisticated makeover. Learn how to spot Browser in the Browser (BitB) attacks and what your organization can do to fight them.
What is BitB and How Does it Work?
If you have a Gmail, Facebook, Apple or another popular account, you have probably grown familiar with the small pop-up sign-in window that appears when a site offers "Sign in with Google" or a similar option. That pop-up is the visible part of an OAuth (or OpenID Connect) authorization flow. Hundreds of thousands of sites you might use less regularly – for shopping online, for different online tools, etc. – will let you log in with your verified account from a tech giant rather than force you to create an account on their website. It's convenient, and easier than maintaining hundreds of accounts on your own. But it's also the key to BitB attacks.
Because these pop-ups are so common, users have learned to trust a small sign-in window that carries a familiar logo and a padlock beside a familiar address. A BitB attack reproduces that window entirely inside the phishing page: with enough time on their hands, an attacker uses HTML and CSS to draw a convincing title bar and a fake address bar showing a legitimate-looking URL, and places the credential-harvesting form underneath it, typically in an iframe loaded from the attacker's own server. The browser's real address bar still shows the phishing site, but the victim's eye is drawn to the painted one. From there, tricking people into typing the password for their major account into the fake window is easy enough.
How to Spot a BitB Attack
Unfortunately, BitB is a technique that’s potentially hard to spot in the wild, especially if you’re in a hurry to sign in. But luckily there are a few weaknesses to BitB that can give it away.
For one, a genuine OAuth pop-up is a separate browser window, and a BitB window is not. A real pop-up is a small, independent window overlaid on the primary page, so you can drag it anywhere on the screen: over the primary page, over the main window's address bar and tabs, or entirely outside the main window. A fake window is only HTML drawn inside the page's viewport, so it cannot move beyond the edge of the page content. So, let's say, for the sake of example, you were to sign in to CDW.com (CDW does not use an OAuth sign-in flow). You are on the sign-in page – the primary page, in a full-screen browser. A sign-in window appears, with all the CDW branding you expect to see. If it's a legitimate pop-up, you will be able to drag the window over the main browser's address bar. A fake window would not be able to cover the address bar, because it is not a separate window, just an imitation of one built from HTML and CSS. A real pop-up also stays on screen when you switch to another tab in the main window; a fake one disappears with the page that drew it. Note that these checks only apply on a desktop browser, since mobile browsers do not present pop-ups as draggable windows.
The HTML itself is the second giveaway. If you're comfortable enough with the developer tools, right-click the sign-in window and choose Inspect. A genuine pop-up is its own top-level window, so nothing in the primary page's DOM describes it. A BitB window shows up as an ordinary element (typically a positioned <div>) inside the page: the padlock and the address are plain text, and the form or iframe beneath them loads from the attacker's server, whose URL is hard-coded in the page. The address the victim reads and the address the browser actually loads do not match.
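To make that DOM giveaway concrete, here is an added example: my own constructed illustration, not code from the original article and not taken from any real campaign. It builds a minimal BitB-style page as a string, a positioned <div> that imitates a pop-up with a painted address bar reading https://accounts.google.com and an iframe whose src points to a hypothetical phishing host, login.attacker.example. A small static check then compares the origins shown in the page's text against the origins the page actually loads a frame or form from; a mismatch is exactly the indicator you would look for when inspecting a suspicious sign-in window. For comparison it also checks a legitimate "Sign in with Google" button, which opens a real, separate window and therefore paints no address into the page. It runs under Node.js.

```javascript
// Added example: a constructed BitB-style page and a static check for the
// "displayed URL vs. loaded URL" mismatch. Not code from the original article;
// login.attacker.example is a hypothetical phishing host used only here.

// A fake "pop-up": a positioned <div> with a painted title bar and address bar.
// The victim reads accounts.google.com, but the form that receives the
// password is served from the attacker's server inside the iframe.
const BITB_PAGE = `
<div id="fake-window" style="position:fixed; top:120px; left:300px; width:480px;
     border:1px solid #888; border-radius:8px; background:#fff;">
  <div class="fake-titlebar">Sign in - Google Accounts</div>
  <div class="fake-addressbar">&#128274; https://accounts.google.com/o/oauth2/v2/auth?client_id=shop</div>
  <iframe src="https://login.attacker.example/accounts.google.com/signin"
          style="border:0; width:100%; height:420px"></iframe>
</div>`;

// A legitimate "Sign in with Google" button for comparison: it opens a real,
// separate window with window.open, so no frame or form on this page points
// anywhere and no address text is painted into the page.
const LEGIT_PAGE = `
<button onclick="window.open('https://accounts.google.com/o/oauth2/v2/auth?client_id=shop',
        'oauth', 'width=480,height=600')">Sign in with Google</button>`;

// URLs the victim can *read*: anything URL-shaped in text nodes, tags removed.
function displayedUrls(html) {
  const textOnly = html.replace(/<[^>]*>/g, ' ');
  return textOnly.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// URLs the browser will actually *load or submit to*: iframe src, form action.
function loadedUrls(html) {
  const re = /<(?:iframe|form)\b[^>]*\b(?:src|action)\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Reduce a URL to its origin (scheme + host + port); null if it does not parse.
function originOf(u) {
  try { return new URL(u).origin; } catch { return null; }
}

// Returns one entry per (displayed origin, loaded origin) pair that disagrees.
// An empty array means nothing painted into the page claims to be an address
// that differs from where the page's frames and forms really go.
function findBitbIndicators(html) {
  const shown = [...new Set(displayedUrls(html).map(originOf).filter(Boolean))];
  const loaded = [...new Set(loadedUrls(html).map(originOf).filter(Boolean))];
  const indicators = [];
  for (const actual of loaded) {
    if (shown.includes(actual)) continue; // frame goes where the page says it does
    for (const displayed of shown) indicators.push({ displayed, actual });
  }
  return indicators;
}

// Stand-alone run: print the verdict for both constructed pages.
console.log('BitB page :', JSON.stringify(findBitbIndicators(BITB_PAGE)));
console.log('Legit page:', JSON.stringify(findBitbIndicators(LEGIT_PAGE)));
```

This is a manual-inspection aid, not a general detector: legitimate pages also embed third-party iframes, so point it at the markup of the suspicious window rather than a whole site. The same idea applies live in the developer console. In a real pop-up, `window.top === window.self` is true because the pop-up is its own top-level window; the form inside a BitB lives in a frame of the phishing page, so from that frame's context `window.top` is the phishing page.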
What Can Organizations do to Fight BitB Attacks?
BitB is a technique that was publicly described only recently – Zscaler documented what appears to be the first widespread use of the fake-window trick in a 2020 campaign against users of the online gaming platform Steam, and the technique was popularized under the Browser in the Browser name in March 2022. Because it's so new, and because it's so different from the phishing attempts users have grown used to, the easiest way to defend against BitB is to make your users aware of what it is and how it works. Even savvy internet users don't make a habit of dragging one browser window over another. Give your employees the situational awareness they need to start stress-testing sign-in pop-ups on work-issued devices.
Make sure your organization is using a strong multifactor solution, so that a compromised password alone is not enough to get in. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys: those credentials are bound to the real site's origin and simply will not work on a phishing domain, whereas a one-time code or push approval can be relayed by an attacker who has just captured the password. Encourage users to enable multifactor authentication on all their accounts, not just their work ones. Password managers help for the same reason: they autofill only on the domain a credential was saved for, so a fake window served from a phishing domain gets nothing. If your organization is using single sign-on (SSO) for work applications, you can restrict SSO to the corporate VPN or known network locations. That does not stop a spoofed window from being shown, but it means a stolen password cannot be used from outside the network.
BitB is a rather sophisticated form of phishing that can trick even seasoned internet users. The single best thing your organization can do to prevent falling prey to a BitB window is to raise awareness among your user base. If your network needs a security checkup, or if your cybersecurity teams need a few extra hands to help educate and train your end users, CDW Amplified Security experts can shore up your defenses.