Watch out for browser-in-the-browser attacks

David Strom 23 Mar 2022

Detecting these phishing lures isn’t easy and proves that you can’t be too careful when asked for your account credentials.

A man-in-the-middle (MITM) attack consists of a victim, a website the victim wants to reach (such as a bank), and the attacker. The attacker inserts themselves between the victim and the targeted website, intending to steal personal information such as login credentials or bank account and credit card numbers. MITM attacks have consistently been an active area of development for hackers.

One MITM variation is known as man-in-the-browser (MITB), where some malware infects your device and displays a phishing copy of your intended website in your browser to trick you into entering your account information.

But there is a third “middleman” attack variation, what one security researcher calls browser-in-the-browser. The idea here is that a hacker can write some JavaScript code to present a pop-up window that is another phishing phony to lure you into typing your account information. It can be difficult to discern whether it is real.

The only real way to be sure is to move the pop-up window around: if information from the window disappears off the main browser screen, or the window can’t be moved at all, then it is a fake popup that is trying too hard. This kind of fakery isn’t exactly new: another security researcher published something similar three years ago in what he called “the inception bar” attack. This phishing lure counts on users scrolling down the fake popup, which hides the URL bar; that is the moment when the attacker substitutes a fake URL bar to gain the user’s trust.

There is yet another variation on this middleman theme, and that is a series of phishing attacks targeting Counter-Strike: Global Offensive gamers. The goal here is to steal someone’s Steam credentials that can be used to launch other attacks or steal digital assets assigned to a user’s account. Here, the phishing lure is based on constructing a fake chatbox. Again, as with the browser-in-the-browser exploit, you can quickly figure out that it's fake when you try to move the window around, showing that it isn’t a legit popup, but rather an HTML construction that falls outside the main browser window.
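
The lures described above are drawn with page HTML rather than opened as real browser windows, so their "address bar" is ordinary text inside the page. The following JavaScript is an added example, not code from the article or from Avast: it flags positioned overlays that display a host other than the page's own next to a login field. The node fields (`tag`, `id`, `position`, `type`, `text`) and the hostnames are assumptions constructed for illustration.

```javascript
// Added example: heuristic for in-page fake login windows (not from the article).
// Nodes are plain objects with assumed fields (tag, id, position, type, text) so
// this runs in Node; in a browser they would come from the DOM and computed style.
const HOST_RE = /\b(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[\/:]\S*)?/i;

// Every node below `node`, depth-first.
function descendants(node) {
  return (node.children || []).flatMap(c => [c, ...descendants(c)]);
}

// A fake window lives inside the page: an overlay whose text imitates an address
// bar for a host other than the page's own, next to a password field or iframe.
function findFakeWindows(root, pageHost) {
  const findings = [];
  for (const node of [root, ...descendants(root)]) {
    if (!["fixed", "absolute"].includes(node.position)) continue;
    const inner = descendants(node);
    const asksForLogin = inner.some(
      n => (n.tag === "input" && n.type === "password") || n.tag === "iframe");
    if (!asksForLogin) continue;
    for (const n of inner) {
      const m = typeof n.text === "string" ? n.text.match(HOST_RE) : null;
      if (m && m[1].toLowerCase() !== pageHost.toLowerCase()) {
        findings.push({ overlayId: node.id, displayedHost: m[1].toLowerCase() });
        break; // one finding per overlay is enough
      }
    }
  }
  return findings;
}

// Constructed sample page served from shop.example.test.
const samplePage = { tag: "body", children: [
  { tag: "div", id: "promo", position: "static", children: [
    { tag: "p", text: "Read more at shop.example.test/deals" }] },
  { tag: "div", id: "login-overlay", position: "fixed", children: [
    { tag: "span", text: "https://login.example-idp.test/oauth" },
    { tag: "form", children: [
      { tag: "input", type: "text" }, { tag: "input", type: "password" }] }] },
  { tag: "div", id: "cookie-banner", position: "fixed", children: [
    { tag: "p", text: "We use cookies." }] },
] };

console.log(findFakeWindows(samplePage, "shop.example.test"));
```

A match here is a reason to apply the manual check the article describes, not proof of phishing; legitimate overlays that mention another site will also be flagged.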

Detecting these phishing lures isn’t easy and just proves that you can’t be too careful when asked for your account credentials. One way to try to stop these middleman attacks is to use a more secure browser that will block unknown popups, such as Avast Secure Browser.

Avast Director of Platform Engineering Thomas Salomon says, "Even in the midst of these types of threats, users of Avast Secure Browser can still feel safe. The industry leading anti-phishing solution in Avast Secure Browser ensures that the vast majority of phishing attacks will be prevented. Nevertheless, Avast is constantly working on improved security solutions which help prevent such phishing attacks generically."
