Browser-in-browser attack allows stealing credentials from unsuspecting victims

An information security specialist known by the nickname mr.dox has published on GitHub the code of a phishing tool that enables a browser-in-browser attack. It can be used to create fake windows in the Chrome browser to intercept login credentials for various online resources.

Image source: Markus Spiske / Pixabay

Many sites now let users log in not only with a separate login and password, but also through accounts they are already signed in to on social networks, as well as Google, Microsoft, etc. In this attack, a fake window with a form for entering credentials appears in front of the user on the resource. It displays the correct URL for the page, but the address cannot be edited, because it is there only to convince the victim that the page is legitimate. Once the victim enters credentials in such a fake window, the sensitive information falls into the hands of the attackers.

Hackers have repeatedly tried to create fake authorization windows in the past, but those were mostly quite easy to distinguish from legitimate ones. This time, attackers can create windows that are almost indistinguishable from real ones. To do this, it is enough to edit the URL and window name in the published templates and create the appropriate iframe to display the window. The HTML code of the authorization form can be embedded in the template.
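From the defender's side, the weak point of such a window is that its address bar is ordinary page content. The following heuristic is an added example, not code from the published tool or from the original article: it flags markup in which a login-provider URL is drawn as visible text on a page hosted elsewhere, next to an iframe. The provider list, function names and sample pages are assumptions constructed for illustration.

```javascript
// Heuristic scanner (added example): flags pages whose own markup draws an
// identity-provider URL as text next to an iframe, as a fake address bar would.
const IDP_HOSTS = ["accounts.google.com", "login.microsoftonline.com", "www.facebook.com"]; // assumed watch list

function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ") // drop non-rendered blocks
    .replace(/<[^>]*>/g, " ");                             // drop tags and their attributes (href, src)
}

function findDrawnIdpUrls(html, pageUrl, idpHosts = IDP_HOSTS) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const hasIframe = /<iframe\b/i.test(html);
  const findings = [];
  for (const m of visibleText(html).matchAll(/https?:\/\/[^\s<>"']+/gi)) {
    let host;
    try { host = new URL(m[0]).hostname.toLowerCase(); } catch { continue; }
    const isIdp = idpHosts.some(h => host === h || host.endsWith("." + h));
    // A real address bar belongs to the browser, not the document: an IdP URL
    // rendered as page text on a different host is the suspicious signal.
    if (isIdp && host !== pageHost) findings.push({ shownUrl: m[0], pageHost, hasIframe });
  }
  return findings;
}

function verdict(html, pageUrl) {
  const hits = findDrawnIdpUrls(html, pageUrl);
  if (hits.length === 0) return "clean";
  return hits.some(h => h.hasIframe) ? "likely-fake-login-window" : "review";
}

// Constructed sample pages (not taken from the published templates).
const SUSPECT = `<div class="win"><div class="bar"><span>https://accounts.google.com/signin</span></div>
<iframe src="https://login.example.net/form.html"></iframe></div>`;
const BENIGN = `<a href="https://accounts.google.com/signin">Sign in with Google</a>`;

console.log(verdict(SUSPECT, "https://shop.example.com/checkout"));
console.log(verdict(BENIGN, "https://shop.example.com/checkout"));
```

A page that merely mentions a provider URL in its text lands in "review" rather than being blocked, so the result is a triage signal and not a verdict on its own.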

Image source: CNews

According to the source, the technique behind such attacks is nothing new. In the past, attackers have successfully used this tactic to set up fake websites that stole players' credentials.



About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
