Now it’s easier for scammers to trick you with fake Chrome windows
If you are particularly suspicious, you may spot a fake browser window designed to trick you into thinking it is the login page you need. The page might not load properly, the graphics might look subtly altered, or the URL might look wrong, which should immediately flag it as suspicious. Unfortunately, the URL-related tips for avoiding phishing may not be as solid as they used to be. A researcher recently developed a new way of rendering pop-up login windows that could easily trick security-conscious users into believing they are giving their private data to a legitimate site.
It’s called the browser-in-a-browser (BitB) attack, and The Register reports that it started when a researcher wondered whether it was possible to make the generally solid security tip of just “checking the URL” untrustworthy. For Chrome users, the answer to this question is yes. The problem can occur when you connect to anything using security protocols that offer Google, Microsoft, or Apple authentication through pop-up windows. These little windows are ubiquitous these days, and anyone who even thinks to check the link in the address bar will notice if it doesn’t look legit.
The researcher who illustrated how to build a phishing lure with BitB told Bleeping Computer that the patterns used to perform a BitB attack can create Chrome windows that look like completely normal logins, including URLs. This is the big advantage of the method, and it is likely to make phishing too easy for anyone who wants to do it. But there are defenses against it, including password managers like LastPass, which won’t autofill login data because BitB doesn’t render real forms. Additionally, a phishing victim still has to follow whatever lures them to the malicious site in the first place. If you want to make sure that a stealthy BitB attack doesn’t trick you, take a moment and think before you follow unexpected or unsolicited links found in emails and text messages.