Behold, a password scam site can fool even savvy users



When we teach people how to avoid falling victim to phishing sites, we often recommend that they check the address bar closely to make sure it contains HTTPS and does not contain suspicious domains or substituted letters. But what if someone finds a way to carry out password fraud using a malicious website that doesn’t contain these telltale signs?

A researcher has devised a technique to do just that. He calls it BitB, which stands for “browser within a browser.” It uses a fake browser window inside the real browser window to spoof the OAuth page. Hundreds of thousands of websites use the OAuth protocol to allow visitors to sign in with their existing accounts at companies like Google, Facebook, or Apple. Instead of having to create an account on a new website, visitors can use the one they already have, and the magic of OAuth does the rest.

Exploiting trust

The Canva photo editing site, for instance, gives visitors the option to sign in with any of the three popular accounts. The images below show what the user sees after clicking the “login” button, and then what appears after choosing to sign in with a Google password. After the user selects Google, a new browser window with a legitimate address opens in front of the existing Canva window.

The OAuth protocol ensures that only Google receives the user’s password. Canva never sees the login information. Instead, OAuth securely establishes a login session with Google, and when the username and password are checked, Google provides the visitor with a token that grants access to Canva. (Something similar happens when shoppers choose a payment method like PayPal.)

The BitB technique abuses this scheme. Instead of opening a genuine second browser window connected to a website that supports login or payments, BitB uses a series of HTML tricks and cascading style sheets (CSS) to fake the second window in a convincing way. The URL that appears there may show a valid address, complete with a padlock and an HTTPS prefix. The window’s layout and behavior look exactly like the real thing.

A researcher using the handle mr.d0x published a technical description last week. His proof of concept began with a Web page showing a carefully crafted Canva spoof. When a visitor chooses to sign in with Apple, Google or Facebook, the fake Canva page opens a new page that embeds what looks like the familiar OAuth page.

This new page is also fake. It includes all the images a person would see when using Google to sign in, and it displays a legitimate Google address in its address bar. The new window behaves like a browser window that is connected to a real Google OAuth session.

If a potential victim opens the fake page and tries to log in with Google, “it will open a new browser window and access [what appears to be] URL,” mr.d0x wrote in a message. In fact, the fake Canva page “didn’t open a new browser window. It makes it look like a new browser window is opened but it’s just HTML/CSS. Now that fake window sets the URL to, but that’s an illusion.”

Malicious Advertisers: Please Don’t Read This

A fellow security researcher was impressed enough by the demonstration to create a YouTube video that shows more vividly what the technique looks like. It also explains how the technique works and how easy it is to pull off.

Browser Phishing (BITB) – Created by mr.d0x

The BitB technique is simple and effective enough that it is surprising it isn’t more widely known. After mr.d0x wrote about the technique, a small group of researchers commented on the likelihood that even experienced Web users would fall for the trick. (mr.d0x provided proof-of-concept templates for this.)

“This in-browser attack is perfect for phishing,” one developer wrote. “If you are involved in malicious advertising, please do not read this section. We don’t want to give you ideas.”

“Oh, that’s annoying: The In-Browser Browser (BITB) attack, a new phishing technique that allows login credentials to be stolen that even a web expert can’t detect,” another person wrote.

The technique has been used in the wild at least once before. As security company Zscaler reported in 2020, scammers used a BitB attack in an attempt to steal login credentials for the video game distribution service Steam.

While this method is convincing, it has a few weaknesses that give savvy visitors an easy way to spot something amiss. Genuine OAuth or payment windows are in fact separate browser instances that are different from the main page. That means users can resize and move them anywhere on the screen, including outside the main window.

In contrast, a BitB window is not a separate browser instance. Instead, BitB windows are images rendered with custom HTML and CSS and contained within the main window. That means the dummy pages cannot be resized, fully maximized, or dragged outside the main window.

Unfortunately, as mr.d0x pointed out, these tests can be difficult to teach “because we’re now removing the standard ‘URL check’ advice. You’re teaching users to do something they never did.”

All users should protect their accounts with two-factor authentication. Another thing experienced users can do is right-click on the window that pops up and select “inspect.” If the window is a BitB fake, its URL will be hard-coded in the page’s HTML rather than set by the browser.
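The “inspect” check above can be turned into a simple automated heuristic. The following is an added example, not code from the article or from mr.d0x: a small Node.js script that scans page markup for an identity-provider URL that is rendered as visible text (the hard-coded address of a fake pop-up) rather than appearing only as a link target. The list of provider hostnames is an assumption, and both HTML snippets are constructed for the demonstration.

```javascript
// Added example (not from the article or from mr.d0x): flag the BitB tell the
// article describes -- an identity-provider URL hard-coded as visible text in
// the page's HTML instead of living in the browser's real address bar.

// Assumed list of OAuth identity-provider hosts worth flagging.
const IDP_HOSTS = new Set([
  "accounts.google.com",
  "www.facebook.com",
  "appleid.apple.com",
]);

// Return the text that sits between tags, ignoring <script> and <style> bodies.
// (A deliberately small tokenizer; it does not handle every HTML corner case.)
function extractTextNodes(html) {
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1>/gi, " ");
  const texts = [];
  const tagRe = /<[^>]*>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(stripped)) !== null) {
    if (m.index > last) texts.push(stripped.slice(last, m.index));
    last = m.index + m[0].length;
  }
  if (last < stripped.length) texts.push(stripped.slice(last));
  return texts;
}

// Collect every URL that would be rendered as visible text. A URL inside an
// href or src attribute is never returned, because those are normal markup.
function findVisibleUrls(html) {
  const urlRe = /https?:\/\/[^\s<>"']+/g;
  const findings = [];
  for (const text of extractTextNodes(html)) {
    for (const url of text.match(urlRe) || []) {
      let host;
      try {
        host = new URL(url).hostname;
      } catch {
        continue; // not a parseable URL; ignore
      }
      findings.push({ url, host, idp: IDP_HOSTS.has(host) });
    }
  }
  return findings;
}

// True when a known identity-provider URL is drawn as page text: the
// "hard-coded URL" symptom the article says the inspect check reveals.
function looksLikeBitB(html) {
  return findVisibleUrls(html).some((f) => f.idp);
}

// Constructed sample: a fake pop-up whose "address bar" is just a div.
const SAMPLE_SUSPICIOUS = `
<div class="fake-window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar">https://accounts.google.com/o/oauth2/auth?client_id=example</div>
</div>`;

// Constructed sample: a genuine "Sign in with Google" link; the URL is only an href.
const SAMPLE_BENIGN = `
<p>Sign in with <a href="https://accounts.google.com/o/oauth2/auth?client_id=example">Google</a></p>`;

console.log("suspicious sample flagged:", looksLikeBitB(SAMPLE_SUSPICIOUS)); // true
console.log("benign sample flagged:", looksLikeBitB(SAMPLE_BENIGN)); // false
```

Run it with `node bitb-check.js` on any saved page source. The heuristic only catches the specific symptom the article names, a provider address drawn as ordinary text, so a genuine pop-up (a separate browser instance whose address bar is not part of the page) is never flagged, while a legitimate link to the provider is ignored because its URL lives in an attribute.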

It should come as no surprise to see the BitB technique become more widely used, but the reaction mr.d0x received shows that many security defenders are unaware of BitB. That means many end users aren’t either.
