
BitB Phishing: New Browser-in-Browser Attack Steals Logins


  • BitB phishing
  • phishing attack
  • online security
  • MFA bypass
  • scam-alert

Disclaimer: This post is for informational purposes only and does not constitute legal or financial advice. If you believe you have been targeted, contact your bank and local authorities immediately.

Last month, a major US tech company confirmed that over 3,500 employee credentials were compromised in a carefully built phishing campaign. The attackers used a technique known as Browser-in-the-Browser (BitB), designed to fool even security-aware users.

This isn't just another fake login page. BitB phishing creates an illusion so convincing, many people don't realise they're typing their passwords directly into a criminal's hands.

How Does Browser-in-the-Browser Phishing Work?

The attack begins with a standard phishing email or message. It typically contains a link, often disguised as an urgent notification about account security, a password reset, or an expired session for a popular service like Microsoft, Google, or a banking portal. Clicking this link takes the victim to a malicious website.

Once on the malicious page, the real deception starts. Instead of a direct redirect, the attacker's site uses clever HTML, CSS, and JavaScript to render a fake browser window inside the legitimate one. This isn't a new pop-up from your operating system; it's a meticulously crafted visual element appearing directly within your current browser tab.

This fake window is styled to perfectly mimic a genuine login prompt. It features a fake title bar, bogus minimise/maximise/close buttons, and, most critically, a spoofed URL address bar displaying a trusted domain like "login.microsoftonline.com" or "accounts.google.com". The actual phishing form sits within this fabricated browser window.

Criminals use CSS properties like position: absolute and z-index to ensure this fake window overlays the entire page content, making it appear as a distinct, interactive element. JavaScript might even disable scrolling on the main page, reinforcing the illusion of a separate application window. Users, trained to look for familiar login portals, often glance at the URL in this fake pop-up's address bar and see a legitimate domain. They then proceed to enter their credentials, believing they are interacting with a secure, trusted service.

The critical flaw in user defence lies here: the URL displayed in your browser's main address bar, the one controlled by your browser rather than by the website, still shows the malicious domain. Victims unknowingly hand over their usernames, passwords, and even one-time Multi-Factor Authentication (MFA) codes, which the attacker can relay to the real service before they expire. The fake window might then vanish, or redirect to the real site, leaving the victim none the wiser until their account is compromised. Can you spot the difference under pressure?
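As an added illustration (not code from the original post), the following JavaScript performs the comparison that the paragraph above says the browser's own address bar makes possible: take the hostname the browser is really on and flag any URL-looking text in the page whose site differs from it. This is the shape of a browser-extension content-script heuristic, reduced to a pure function so it runs offline. The overlay markup, the attacker host evil.example, and the path under login.microsoftonline.com are constructed for the demo.

```javascript
// Added example: flag spoofed "address bar" text by comparing it with the
// hostname the browser is actually on. Sample markup and hostnames are constructed.

// Constructed sample: a BitB overlay as the attacker's page would render it.
// Note the address bar is ordinary text; the form posts to the attacker's own site.
const SAMPLE_PAGE_HTML = `
<div id="fake-window" style="position:absolute; z-index:9999; top:80px; left:200px">
  <div class="titlebar"><span class="dot"></span> Sign in to your account</div>
  <div class="addressbar">https://login.microsoftonline.com/common/oauth2/authorize</div>
  <form action="/collect" method="post">
    <input name="user"><input name="pass" type="password"><button>Sign in</button>
  </form>
</div>`;

// Rough visible-text extraction for the demo. A content script would walk
// the DOM's text nodes instead of stripping tags with a regex.
function visibleText(html) {
  return html.replace(/<[^>]*>/g, " ");
}

const URL_LIKE = /\bhttps?:\/\/[^\s"'<>]+/gi;

// Reduce a hostname to its last two labels so that "login.microsoftonline.com"
// and "microsoftonline.com" compare equal. (Simplification: multi-part public
// suffixes such as co.uk would need the Public Suffix List.)
function site(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// realHostname is what window.location.hostname would return in a content
// script: the browser's own view of where the page came from.
function findSpoofedAddressBars(realHostname, html) {
  const findings = [];
  for (const m of visibleText(html).matchAll(URL_LIKE)) {
    let shown;
    try {
      shown = new URL(m[0]);
    } catch {
      continue; // not a parseable URL, ignore
    }
    if (site(shown.hostname) !== site(realHostname)) {
      findings.push({ displayed: shown.hostname, actual: realHostname });
    }
  }
  return findings;
}

// Victim is really on the attacker's page: the displayed host does not match.
console.log(findSpoofedAddressBars("evil.example", SAMPLE_PAGE_HTML));
// The same markup served from the genuine site raises nothing.
console.log(findSpoofedAddressBars("login.microsoftonline.com", SAMPLE_PAGE_HTML));
```

The heuristic is deliberately narrow: it only sees address bars drawn as text, so a kit that renders the bar as an image escapes it, and ordinary pages contain plenty of links to other sites, so a real detector would restrict itself to URL text sitting inside chrome-like elements. The point it makes is the same one the post makes: whatever the overlay displays is just page content, and only the browser's own address bar is authoritative.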

Who Is At Risk From BitB Attacks?

Anyone with an online account is a potential target for Browser-in-the-Browser phishing. However, specific groups face heightened risks due to their reliance on visual cues for security.

Users of major cloud services, social media platforms, and online banking are prime targets. If you frequently log into services through single sign-on (SSO) or web-based MFA prompts, you're particularly vulnerable, because those flows have trained you to expect a login window to pop up from another domain. That is exactly what the attacker imitates, which puts employees who see several such prompts a day at significant risk.

BitB attacks are platform-agnostic, affecting users on Windows, macOS, and even Linux desktops. While mobile interfaces might present fewer opportunities for this specific visual deception, the underlying principles can still be adapted. Anyone who doesn't scrutinise the true browser address bar, preferring to trust what appears within a pop-up, is fundamentally exposed.

Red Flags to Watch For

Protecting yourself means understanding the subtle signs of a BitB attack. Always be suspicious of unexpected login requests.

  • 🚩 A login pop-up that lives inside your current browser tab rather than opening as a separate browser window (a real pop-up appears as its own window in your taskbar or Dock).
  • 🚩 Visual inconsistencies in the "browser window" elements, such as slight misalignments, unusual scrollbars, or a window that cannot be dragged past the edge of the main browser window. Page content can never leave the tab that contains it; a genuine pop-up can.
  • 🚩 The URL in your browser's actual address bar does not match the URL displayed in the fake login window's address bar. This is the ultimate tell.
  • 🚩 Requests for login credentials for a service you're already logged into, especially immediately after clicking a link.
  • 🚩 Unexpected login prompts from emails or messages you weren't anticipating or that seem slightly out of character.
  • 🚩 Subtle typos or domain misspellings in the real browser's address bar – always scrutinise the main URL, not just the one in the overlay.

What Should You Do If You Encounter a BitB Phish?

If you believe you've encountered or fallen victim to a Browser-in-the-Browser phishing attack, immediate action is crucial to mitigate damage.

  1. Do Not Enter Credentials: If you spot the fake window before typing, close the tab immediately. Report the phishing attempt if possible.
  2. Change Passwords and Sign Out Everywhere: If you did enter your details, immediately change the password for the compromised account. Do this from a known, legitimate login page, not via any link you received. Then use the account's security settings to sign out of all other sessions, since the attacker may already be logged in with the stolen details.
  3. Strengthen MFA: Enable or re-verify Multi-Factor Authentication (MFA) on the affected account. A one-time code typed into the fake window was almost certainly used straight away, so simply switching to another code-based method adds little. Where the service offers it, move to phishing-resistant MFA such as a FIDO2 security key or a passkey: the credential is bound to the real site's origin and cannot be used from an attacker's page, however convincing the overlay looks.
  4. Check Other Accounts: Review all other online accounts that use the same or similar passwords. Change those passwords too, as attackers often try stolen credentials elsewhere.
  5. Monitor Accounts: Closely monitor the compromised account for any suspicious activity, including unauthorised logins, transactions, or profile changes.

Where to Report

Reporting these sophisticated online security threats helps authorities track down criminals and protect others.

Protect yourself against sophisticated online security threats by using a free scam checker before clicking any link.
