If you’re especially wary, you can spot a faked browser window designed to lure you into thinking it’s the login page you need. The page may not load properly, or the graphics may seem subtly changed — or the URL looks wrong, which should immediately flag anything suspicious. The URL-related advice to help avoid getting phished may not be as strong as it used to be, unfortunately. A researcher recently developed a new form of rendering pop-up login windows that could easily trick even security-conscious users into thinking they’re giving their private data to a legitimate site.
It’s called the browser-in-the-browser (BitB) attack — and the Register reports it started when a researcher wondered if it was possible to render the usually solid security advice to just “check the URL” unreliable. For Chrome users the answer to that question is yes. The problem can arise when you connect to anything using security protocols that offer Google, Microsoft, or Apple authentication via pop-ups. By now, those little windows are ubiquitous and anyone who even thinks of checking the links in the address bar will notice if it doesn’t look legit.
The researcher who illustrated how to construct a phishing lure with BitB told Bleeping Computer that the templates used to perform a BitB attack can create Chrome windows that look like completely normal logins — including the URLs. That’s the big advantage to this method and it’s likely to make phishing way too easy to accomplish for someone who wants to do it. But there are tools that bypass it, including password managers like LastPass, which won’t autofill login data because BitB does not render real forms. Additionally, a phishing victim has to follow whatever lures them to the malicious site in the first place. If you want to make sure a stealthy BitB attack doesn’t ensnare you, just take a moment and think before you ever try to follow any unexpected or unsolicited links found in emails and texts.
Read Next
About The Author
