What Are BitB Phishing Attacks?

Any internet user worth their salt can spot a classic phishing scheme — the fake URL, suspicious link, or unusual email request are all dead giveaways that something fishy is amiss. But a new, much more subtle hacking technique has recently emerged, and even experts admit it’s hard to spot. Enter the BitB phishing scam.

What Is a BitB Phishing Attack?

A browser-in-the-browser (BitB) attack involves a replica of a single sign-on (SSO) authentication window popping up. When you try to create an account on a new site, the faux SSO window opens and prompts you to log in using Facebook, Gmail, or another site that employs OAuth methods.

Unlike traditional phishing attacks, the BitB window perfectly copies the appearance of an actual URL — you won’t see G00gle or Hotmial in the address bar. That’s because it’s not a real window but is instead an illustration made using HTML and CSS. Clever, isn’t it? It’s enough to fool even a seasoned IT professional.

Once you’ve put in your username and password, the hacker steals your login credentials to access your accounts. Since many people use the same credentials for multiple sites, hackers can sweep all your accounts and look for things like credit card numbers or other sensitive data. That’s why 90% of all successful data breaches begin with phishing. It’s almost too easy.

How It Works

First, the hacker creates a unique site with interesting content — this might be a job listing website or streaming service. They then make a fake SSO authentication window when you try to create an account on the site.

To make the phony popups, hackers use templates replicating the appearance of sites like Facebook, Apple, and Google. Essentially, they draw a fake window on the webpage. A phishing framework and a little help from JavaScript and JQuery make this black-hat technique a walk in the park.

How to Detect a BitB Scam

You don’t have to fall victim to the latest phishing scheme. Though it’s subtle, there are ways to thwart an attempted BitB attack.

1. Use a Password Manager

A password manager will automatically fill in your login credentials on a genuine SSO authentication window, but it won’t be fooled into thinking a BitB popup is a legitimate window. The username and password boxes will remain empty.

2. Drag the Login Window Around

If you can’t drag the login window off the main browser window or over the address bar, that’s a sign you’re dealing with a BitB phishing attack. A BitB window will pass behind the address bar rather than over the top of it.

3. Minimize the Main Browser Window

Does the login window also disappear when you minimize the main window? If so, that’s another clue it’s not a legitimate SSO authentication window but a simulation.

4. Install NoScript 

Because this software extension disables JavaScript elements on a page, it can prevent BitB windows from popping up. As a bonus, NoScript also disables Flash, media codecs, web fonts, and WebGL. All executable web content will stay off your screen.

Don’t Take the Bait

Browser-in-the-browser phishing is a clever new scheme, but like all hacking attempts, there are ways around it. The simplest way to spot BitB attacks is to drag the popup window around. If it stays on the page, it’s a fake.

Enabling two-factor authentication on all your accounts is also a good idea. That way, a hacker won’t be able to log in even if they do steal your credentials. Hackers are getting more cunning all the time, but with a little common sense and good cybersecurity practices, you can beat them at their own game.