Can web browsers protect us, even over HTTPS? Perhaps, but not against the novel BitB attack, which fools users with a fake SSO popup window to phish credentials for Google, Facebook, and Microsoft.

Before clicking willy-nilly on a page, check whether the URL shows HTTPS, which indicates the connection is encrypted with TLS/SSL. If only it were that easy to avoid phishing sites. In reality, URL reliability has not been absolute for a long time. Homograph attacks swap in similar-looking characters to create identical-looking but malicious URLs, and DNS hijacking subverts Domain Name System (DNS) queries.

Now, there is one more way to trick targets into coughing up sensitive info, with a coding ruse that is invisible to the naked eye. The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.d0x, is called a browser-in-the-browser (BitB) attack. The method takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple, or Microsoft.

The researcher used Canva as an example: in the Canva log-in window shown below, the popup asks users to authenticate via their Google account. Very few people would notice the slight differences between the real popup and the fake one.

JavaScript can make the window appear on a link, a button click, or a page-loading screen. Libraries such as the popular jQuery JavaScript library can also make the window appear visually appealing or, at least, visually bouncy.

The BitB attack can also flummox those who use the trick of hovering over a URL to figure out whether it is legitimate. If JavaScript is permitted, then the security safeguard is rendered ineffective. The writeup pointed to how HTML for a link generally looks, as in this sample:

If an onclick event that returns false is added, hovering over the link will still show the website in the href attribute, but when the link is clicked the href attribute is ignored. Combined with the fake window, this simple HTML trick makes the pop-up even more convincing, and it is visually undetectable.
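As an added defender-side illustration (not code from the Threatpost article or from mr.d0x's writeup), the following heuristic audits a simplified DOM snapshot for the two ingredients described above: anchors whose inline onclick suppresses navigation so the hover target and the click target differ, and provider URL text painted inside the page body, which a genuine SSO popup would show only in the browser's own address bar. The host list, the snapshot field names and the sample page are assumptions constructed for the example.

```javascript
// Added example, not part of the original article. The SSO host list and the
// {tag, text, attrs} snapshot shape are assumptions chosen for illustration.
const SSO_HOSTS = ["accounts.google.com", "login.microsoftonline.com",
                   "www.facebook.com", "appleid.apple.com"];

// Anchors whose inline handler suppresses navigation: the href still shows on
// hover, but a click never goes there, so the hover check tells the user nothing.
function linkSuppressesNavigation(onclick) {
  if (!onclick) return false;
  return /return\s+false|preventDefault\s*\(/.test(onclick);
}

// A real SSO popup shows the provider's URL in the browser chrome, which page
// content cannot draw. Provider URL text inside the page body is therefore the
// signature of a painted-on "window" (a heuristic, not proof).
function looksLikeFakeAddressBar(text) {
  const t = text.toLowerCase();
  return SSO_HOSTS.some(h => t.includes(h));
}

// snapshot: array of {tag, text, attrs}. In a browser, build it with
// [...document.querySelectorAll('*')].map(e => ({tag: e.tagName.toLowerCase(),
//   text: e.textContent, attrs: Object.fromEntries(
//   [...e.attributes].map(a => [a.name, a.value]))})).
function auditSnapshot(snapshot) {
  const findings = [];
  for (const el of snapshot) {
    if (el.tag === "a" && linkSuppressesNavigation(el.attrs.onclick)) {
      findings.push({ kind: "href-mismatch-risk", href: el.attrs.href });
    }
    // Skip anchors and inputs: their text or value may legitimately hold a URL.
    if (el.tag !== "a" && el.tag !== "input" && looksLikeFakeAddressBar(el.text || "")) {
      findings.push({ kind: "in-page-sso-url", text: el.text.trim() });
    }
  }
  return findings;
}

// Constructed snapshot resembling the article's scenario: a benign link, a
// link whose handler returns false, and a fake title bar drawn as a <div>.
const SAMPLE = [
  { tag: "a", text: "Home", attrs: { href: "https://example.com/" } },
  { tag: "a", text: "Sign in with Google",
    attrs: { href: "https://accounts.google.com/", onclick: "return false;" } },
  { tag: "div", text: " https://accounts.google.com/o/oauth2/auth ", attrs: {} },
];
```

A complementary manual check follows from the same fact: a fake popup is a DOM element of the parent page, so it cannot be dragged outside the parent window's viewport, whereas a real popup can.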

Source: https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/