BITB Phishing Technique Creates An Animated Window To Steal Your Passwords
According to a recent cybersecurity report, ransomware attacks, having doubled in each of the past two years, are on track to outpace phishing attacks as the number one cause of data compromises. That said, phishing attacks are still king for now and will continue to pose a serious threat even if they are surpassed by ransomware attacks.
Phishing attacks trick users into revealing sensitive information or installing malware by presenting users with messages or web portals that appear to come from legitimate authorities or services. Earlier this year, we covered the prevalence of phishing attacks that take on the guise of the international shipping service DHL.
Phishing attacks like the DHL attacks begin with an email that contains a link to a website that looks almost exactly the same as a real site. However, while the fake site may look legitimate, users can often detect it as fraudulent by looking at the site’s web address. Websites used in phishing attacks usually make use of web addresses that may appear the same as the web address of a real site at a glance, but that don’t hold up under scrutiny. Users can sniff out phishing attempts by looking in the address bar for numbers substituted for letters, as in the case of m1cr0s0ft.com, or other modifications to the web address of a legitimate site.
Phishing attacks trick users into revealing sensitive information or installing malware by presenting users with messages or web portals that appear to come from legitimate authorities or services. Earlier this year, we covered the prevalence of phishing attacks that take on the guise of the international shipping service DHL.
Phishing attacks like the DHL attacks begin with an email that contains a link to a website that looks almost exactly the same as a real site. However, while the fake site may look legitimate, users can often detect it as fraudulent by looking at the site’s web address. Websites used in phishing attacks usually make use of web addresses that may appear the same as the web address of a real site at a glance, but that don’t hold up under scrutiny. Users can sniff out phishing attempts by looking in the address bar for numbers substituted for letters, as in the case of m1cr0s0ft.com, or other modifications to the web address of a legitimate site.
However, a security researcher has discovered a devious technique for thwarting attempts to detect phishing by analyzing the contents of the address bar. Many websites make use of the OAuth protocol, which enables users to login using extant accounts with major tech companies like Apple, Facebook, and Google.
Once users click the “sign in” button, a new browser window opens where users can sign in. This new browser window isolates the sign in process so that the website using OAuth never sees users’ sign in credentials. Isolating the sign in process is a desirable security and privacy measure, but a security researcher has shown that bad actors can mimic this particular isolation technique to hide phishing attacks.
Once users click the “sign in” button, a new browser window opens where users can sign in. This new browser window isolates the sign in process so that the website using OAuth never sees users’ sign in credentials. Isolating the sign in process is a desirable security and privacy measure, but a security researcher has shown that bad actors can mimic this particular isolation technique to hide phishing attacks.
A security researcher who goes by the name mr.d0x recently posted an article demonstrating that it is quite simple to use basic HTML and CSS to replicate the appearance of a separate OAuth browser window. A fake browser window generated in this way can contain the exact web address of a legitimate website, meaning no amount of scrutiny applied to the contents of the address bar will reveal the hoax. That said, a fake window generated by basic HTML and CSS isn’t interactive like a real window, so users can still detect the hoax by attempting to move the window.
However, mr.d0x shows how bad actors can use JavaScript and JQuery animations to generate fake browser windows that are sufficiently interactive to appear quite convincing. mr.d0x dubbed this technique “Browser In The Browser (BITB) Attack, and has created demos of this technique for both Windows and Mac. Educating users to look out for phishing attempts is already hard enough, but these fake OAuth windows make that task even more difficult. Checking to make sure that OAuth opens an actual new browser window is not something most people are used to doing when logging in, but good internet safety practices may now require users to do so.
mr.d0x’s article detailing BITB also shows how bad actors can obscure the real destination of a hyperlink using JavaScript, meaning that hovering your mouse cursor over a hyperlink to determine if the destination is legitimate is not an effective way to detect phishing attacks so long as JavaScript is enabled. Both of the techniques for obscuring phishing attacks presented in the article make a strong case for the usefulness of tools like NoScript that can selectively disable JavaScript elements.
mr.d0x’s article detailing BITB also shows how bad actors can obscure the real destination of a hyperlink using JavaScript, meaning that hovering your mouse cursor over a hyperlink to determine if the destination is legitimate is not an effective way to detect phishing attacks so long as JavaScript is enabled. Both of the techniques for obscuring phishing attacks presented in the article make a strong case for the usefulness of tools like NoScript that can selectively disable JavaScript elements.
