Browser-in-the-Browser sextortion scam makes victims pay by imitating Indian Gov

Phishing has been a prominent cyber threat for decades and the most prevalent attack vector for years, but the latest breed of attacks is more sophisticated and harder to protect against than ever before. Attackers are always looking for new techniques to bypass security measures and remain undetected by victims. In the past year, Browser-in-the-Browser (BITB) attacks have emerged as a very effective technique for evading detection and convincing users to hand over credentials. Zscaler first observed a phishing campaign using this technique back in February of 2020. Early this year, an unaffiliated security researcher who goes by the handle mrd0x on Twitter took to the social platform to share key technical details revealing how this technique takes advantage of third-party single sign-on (SSO), targeting brands like Apple, Microsoft, and Google. Most commonly, BITB attacks mimic SSO windows with mostly undetectable fakes of the familiar log-in pop-ups.

Underlining this trend, the Zscaler ThreatLabz team recently observed a new Browser-in-the-Browser (BITB) attack impersonating an Indian government website to deliver a sextortion demand, threatening to release sensitive information about victims if they refuse to pay. This layered phishing attack appears to be the first of its kind, delivering a pop-up window that states a victim’s browser is blocked due to repeated visits to pornographic websites prohibited by the…
