New Imperceptible Phishing Technique – Browser in the Browser (BitB)


Browser in the Browser (BitB) is a variant of the traditional phishing that many users already know how to recognise.

In a Browser in the Browser attack, cybercriminals create what looks like a pop-up window from a legitimate service. The pop-up is fake: it is drawn entirely inside the browser tab that is showing the fraudulent page. How? The fraudulent page includes a fake address bar, rendered as an image, that looks legitimate.

It is basically like taking a screenshot of a website and then, when we look at the image in our gallery, confusing it with the website itself and trying to click on one of the page’s controls, which obviously does nothing.

The difference is that, in this case, the part where the credentials are entered is live, and it sends them to the cybercriminal once they have been submitted; this attack is more about design than technique.

How can we detect these windows if they are similar to real ones?

In order not to fall into the trap of this new technique, we must:

  1. Check that a new window has been opened on the taskbar. If not, it is a fake window.
  2. Try to resize the pop-up window. If you can’t, you may be facing a fake window. In some fakes the minimize, maximize and close buttons do respond, but because the "pop-up" is not an independent window and lives inside the browser itself, minimizing the browser window minimizes it too.
  3. Try to move the window. As noted in the previous point, because it lives inside the browser, it can only be dragged within the browser window, never outside it, unlike a real window.
  4. Check that the padlock symbol is real and not an image. On a genuine page, clicking the padlock shows the SSL certificate information.
  5. Try to change the content of the address bar. This will only be possible in a legitimate window.
  6. And, above all, apply common sense. Carefully examining the actions we take on the web and not acting rashly is essential to avoid this type of deception. In case of doubt, it is always better to refrain from entering our data and to consult a professional who can advise us.
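Checks 4 and 5 can also be automated on the defender's side: a real sign-in pop-up is a separate window, so any element inside the page that paints its own padlock or address bar and also hosts a live password field is worth flagging. The following is an added example, not code from the original post; it assumes a simplified DOM representation (plain objects with `tagName`, `attributes`, `style`, `text`, `children`) so it can run outside a browser, and the sample pages are constructed.

```javascript
// Added defensive heuristic (not from the original post): a content-script style
// check that flags in-page overlays imitating a browser pop-up (BitB). Nodes are
// plain objects mimicking the DOM ({tagName, attributes, style, text, children})
// so this runs outside a browser; use real Elements and getComputedStyle when
// porting it to an extension.
const CHROME_HINTS = /(address|url|padlock|lock|titlebar|omnibox)/i;
const URL_TEXT = /^https?:\/\//i;
function* walk(node) {                               // depth-first over the tree
  yield node;
  for (const c of node.children || []) yield* walk(c);
}

function overlayReasons(overlay) {
  const reasons = [];
  let chrome = false, password = false;
  for (const n of walk(overlay)) {
    const tag = (n.tagName || '').toLowerCase(), a = n.attributes || {};
    const label = `${a.src || ''} ${a.alt || ''} ${a.class || ''} ${a.id || ''}`.trim();
    if (tag === 'img' && CHROME_HINTS.test(label)) {
      chrome = true; reasons.push('image imitating browser chrome: ' + label);
    } else if (tag !== 'input' && tag !== 'a' && URL_TEXT.test((n.text || '').trim())) {
      chrome = true; reasons.push('URL painted as plain text: ' + n.text.trim());
    } else if (tag === 'input' && (a.type || '').toLowerCase() === 'password') {
      password = true; reasons.push('live password field inside the overlay');
    }
  }
  return chrome && password ? reasons : [];       // both needed to call it fake
}

function findFakeBrowserWindows(root) {
  const hits = [];
  for (const n of walk(root)) {
    const pos = ((n.style || {}).position || '').toLowerCase();
    if (pos !== 'absolute' && pos !== 'fixed') continue;   // only floating boxes
    const reasons = overlayReasons(n);
    if (reasons.length) hits.push({ id: (n.attributes || {}).id || n.tagName, reasons });
  }
  return hits;
}

// Constructed sample: a floating div drawn to look like a sign-in pop-up.
const SAMPLE_BITB_PAGE = { tagName: 'body', children: [
  { tagName: 'div', attributes: { id: 'fake-popup' }, style: { position: 'fixed' }, children: [
    { tagName: 'img', attributes: { src: '/img/padlock.png', alt: 'Secure' } },
    { tagName: 'span', text: 'https://accounts.example.com/signin' },
    { tagName: 'input', attributes: { type: 'password' } } ] } ] };
// Constructed benign page: an ordinary inline login form, nothing floats.
const SAMPLE_NORMAL_PAGE = { tagName: 'body', children: [
  { tagName: 'form', children: [{ tagName: 'input', attributes: { type: 'password' } }] }] };
```

The heuristic deliberately requires both a painted "chrome" element and a live password field, so an ordinary floating image or an inline login form on its own is not flagged.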
