How to Recognize a Browser-Within-a-Browser Phishing Attack

Given the sheer number and increasing sophistication of phishing campaigns, don’t automatically believe what you see online. One particularly insidious type of scam is a browser-within-a-browser (BitB) attack, in which attackers render a fake browser window, mimicking a trusted single sign-on (SSO) login pop-up, inside a real browser session.

Because we use single sign-on (SSO) to access many of our online accounts, we may not think twice about entering usernames and passwords on these fake pages. Cybercriminals rely on this to steal user credentials.

How a browser-within-a-browser attack works

Instead of redirecting users to a fake website, attackers using the BitB technique draw a fake pop-up window on a page that is already open (either a page built specifically for the attack or a legitimate site they have compromised). Using HTML, CSS, and JavaScript, they can build a login window that looks exactly like the real thing, right down to the lock icon and URL in the pop-up’s address bar. Because that address bar is itself page content rather than real browser chrome, it can display any URL the attackers choose.


These fake login windows typically appear where you would expect one, for example after a click or redirect that you expect to lead to single sign-on. Credentials entered into the fake window go straight to the attackers, who can either use them or sell them.

Fraudulent pop-ups often mimic single sign-on (SSO) systems from companies like Google, Apple, and Microsoft, although they can use any login portal. Earlier this year, researchers at Silent Push uncovered a BitB phishing campaign targeting Steam users, particularly those playing Counter-Strike 2. Gamers saw a fake browser pop-up displaying the URL of the legitimate Steam portal, increasing the likelihood that they would unknowingly enter their credentials. The attackers also used images of the NAVI esports team to add credibility.

Signs of a BitB scam

Because attackers can mimic trusted login pages very accurately, including showing a real domain in the fake address bar, visual inspection alone is not enough to detect the fraud. Instead, you need to interact with the window.


In many cases, a genuine SSO pop-up is a separate browser window, so it can be dragged outside the boundaries of the page it appeared over; try moving it to a different location on the screen first. A BitB overlay is confined to the page that drew it. However, some SSO dialog boxes are static, so if you can’t drag one, try highlighting the URL or clicking the lock icon to display the certificate details. If these elements are fake, you won’t be able to interact with them at all, as the address bar is just an image or styled page content.

This is also a great reason to use a reliable password manager to enter your credentials instead of typing them manually. A password manager will only fill credentials on the legitimate domain, because it checks the real page origin rather than the URL drawn inside the page. If it doesn’t automatically fill in your credentials, don’t fall back to typing them in by hand; first make sure the pop-up is genuine.
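The two checks above rest on one fact: the URL shown in a BitB window is page content, while the browser's true origin is not. The following is an added example, not code from the original article, showing how a defensive tool (a browser extension content script, for instance) could apply that fact. It walks a constructed, simplified page tree instead of a real DOM, flags positioned overlays that contain a credential field and display a URL whose origin differs from the page's real origin, and applies the same origin comparison a password manager makes before autofilling. The page tree, the `PAGE_ORIGIN` value and all function names are assumptions made for the example.

```javascript
// Added example (not from the article). A real content script would walk
// document.body and read window.location.origin; here the page is a
// constructed plain-object tree so the heuristic runs offline in Node.

const URL_RE = /https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s"']*)?/gi;

// Pull every origin that appears as URL-looking text inside the page content.
function extractDisplayedOrigins(text) {
  const origins = new Set();
  for (const m of text.matchAll(URL_RE)) {
    try { origins.add(new URL(m[0]).origin); } catch (_) { /* ignore non-URLs */ }
  }
  return [...origins];
}

// True if the subtree contains an input that collects a login credential.
function hasCredentialField(node) {
  if (node.tag === 'input' && (node.type === 'password' || node.type === 'email')) return true;
  return (node.children || []).some(hasCredentialField);
}

// Concatenate all text in the subtree (textContent equivalent).
function collectText(node) {
  return [node.text || '', ...(node.children || []).map(collectText)].join(' ');
}

// Flag overlays that look like a login window and "show" a URL whose origin
// is not the origin the page was actually loaded from.
function findBitbCandidates(root, pageOrigin) {
  const findings = [];
  (function walk(node) {
    const pos = node.style && node.style.position;
    const isOverlay = pos === 'fixed' || pos === 'absolute';
    if (isOverlay && hasCredentialField(node)) {
      const mismatched = extractDisplayedOrigins(collectText(node))
        .filter((origin) => origin !== pageOrigin);
      if (mismatched.length > 0) {
        findings.push({ id: node.id, displayed: mismatched, actual: pageOrigin });
      }
    }
    (node.children || []).forEach(walk);
  })(root);
  return findings;
}

// The autofill decision a password manager makes: compare the saved entry's
// origin with the real document origin, never with text drawn on the page.
function autofillAllowed(savedUrl, pageOrigin) {
  try {
    return new URL(savedUrl).origin === new URL(pageOrigin).origin;
  } catch (_) {
    return false;
  }
}

// Constructed sample page (assumption): the real origin is a lure site, and a
// fixed-position div imitates an SSO pop-up with a fake address bar.
const PAGE_ORIGIN = 'https://www.lure-site.test';
const SAMPLE_PAGE = {
  tag: 'body',
  children: [
    { tag: 'p', text: 'Sign in to continue' },
    {
      tag: 'div', id: 'fake-popup', style: { position: 'fixed' },
      children: [
        { tag: 'div', text: '\u{1F512} https://accounts.google.com/signin' },
        { tag: 'input', type: 'email' },
        { tag: 'input', type: 'password' },
      ],
    },
    {
      tag: 'div', id: 'site-login', style: { position: 'absolute' },
      children: [
        { tag: 'div', text: 'https://www.lure-site.test/login' },
        { tag: 'input', type: 'password' },
      ],
    },
  ],
};

console.log(JSON.stringify(findBitbCandidates(SAMPLE_PAGE, PAGE_ORIGIN), null, 2));
console.log('autofill on lure site:', autofillAllowed('https://accounts.google.com/', PAGE_ORIGIN));
```

Only `fake-popup` is reported, because the site's own login box displays the same origin the page was loaded from. The heuristic is deliberately conservative: it says nothing about overlays without a URL in them, and it cannot replace the drag test, since a sufficiently careful attacker could omit any URL text. The comparison in `autofillAllowed` is the reason a password manager stays silent on a BitB page regardless of what the fake address bar shows.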

You should also enable strong multi-factor authentication (MFA) whenever possible, so that even if your username and password are somehow compromised, attackers won’t be able to access your account without the additional factor. It’s worth noting that some forms of authentication can still be phished; physical keys, biometrics, and passwords are the most secure options.
