The BITB attack makes phishing almost undetectable
By MYBRANDBOOK
An unfamiliar phishing technique called browser-in-the-browser (BitB) attack can be exploited to imitate a browser window within the browser in order to trick a legitimate domain, thereby making it possible to stage convincing phishing attacks.
In early 2020, a campaign that leveraged the BitB trick to siphon credentials for video game digital distribution service Steam by means of fake Counter-Strike: Global Offensive websites was discovered.
According to penetration testers and security researchers, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as "Sign in with Google" (or Facebook, Apple, or Microsoft).
While the default behavior is to be greeted by a pop-up window to complete the authentication process when a user attempts to sign in via these methods, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.
Potential victims need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting, while this method significantly makes it easier to mount effective social engineering campaigns.
Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others. In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when it is tried to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.
Google Pay has added "Open Wallet" shortcut
With the introduction of the "Open Wallet" shortcut, Google Pay has impro...
TRAI targets to finalise National Broadcast Policy by May-end
The Telecom Regulatory Authority of India will finalise the National Broa...
TAC Security becomes Cyber Security Assessor for the App Defen
The cybersecurity company, TAC Security has been selected as a key Cyber ...
InterGlobe’s Rahul Bhatia and C.P. Gurnani together announce
In a move that is set to transform the AI landscape, Rahul Bhatia, Group M...
DELL TECHNOLOGIES INDIA PVT. LTD.
HP INDIA SALES PVT. LTD.
MICROMAX INFORMATICS LTD.
ATRIE TECHNOLOGY PVT. LTD.
Technology Icons Of India 2023: Ashish Kumar Chauhan
Ashish works as the CEO of the National Stock Exchange (NSE). He is al...
Technology Icons Of India 2023: Som Satsangi
With more than three decades in the IT Sector, Som is responsible for ...
Technology Icons Of India 2023: B.V.R. Subrahmanyam
B.V.R. Subrahmanyam belongs to Andhra Pradesh. He is a 1987-batch IAS ...
Leading company into fertilizers in the country
NFL is a dynamic organization committed to serve the farming community...
New defence PSUs will help India become self-reliant
MIL, India’s biggest manufacturer and market leader is engaged in Pr...
GSTN aims to integrate indirect tax ecosystem on a shared IT infrastructure
Goods and Services Tax Network (GSTN) has built Indirect Taxation plat...
SATCOM INFOTECH PVT. LTD.
Satcom Infotech Pvt. Ltd is a distribution houses in security in India...
FORTUNE MARKETING PVT. LTD.
Delhi based Fortune Marketing, An ISO 9001:2008 company, distributes ...
ACCERON INFOSOL PVT. LTD.
It is a leading value added distributor in the IT security space and h...