Watch Out For The Browser-in-the-Browser Phishing Attack
A new approach to phishing was detailed in a report published by researchers at Group-IB.
The technique is called "browser-in-the-browser" and bears a slight resemblance to the phishing overlays used in some mobile phishing kits. Attacks using it were primarily aimed at users of the Steam gaming platform, specifically gamers whose accounts are worth thousands of dollars.
The attack relies on a fake Steam credentials login window. What makes it novel and effective is that the spoofed pop-up is doctored to display the real URLs of pages operated by Steam.
The pop-up is only a rendering of a browser window drawn inside the phishing page; it is not a genuine browser window at all. That also lets the threat actors behind the campaign paint in the SSL padlock symbol, lending the phishing page a further false air of legitimacy.
The phishing templates rely on just HTML and JavaScript to operate. Templates for this particular iteration of the browser-in-the-browser attack are not made widely available online and are instead distributed among a relatively small group of threat actors on Telegram.
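Because a browser-in-the-browser pop-up is ordinary HTML, a captured page can be triaged by comparing the URL it displays as visible text against the origins it really loads. The scanner below is an added example, not code from Group-IB or from the report; the sample HTML and the `login-steam-example.invalid` host are constructed for illustration.

```python
"""Heuristic triage of a captured page for browser-in-the-browser (BitB) chrome.

A BitB template draws a fake window with HTML: a div styled as a title bar, a
text node showing the brand's real URL (often with a padlock glyph), and an
iframe or form that actually talks to the phishing host. We collect every URL
that appears as *visible text* and every origin the page really loads or
submits to, then report displayed hosts that are never actually loaded.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[\w.-]+")

class BitBScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.shown_hosts = set()   # hostnames rendered as visible page text
        self.loaded_hosts = set()  # hostnames from iframe src / form action
        self._skip = 0             # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        target = a.get("src") if tag == "iframe" else a.get("action") if tag == "form" else None
        if target and urlparse(target).hostname:
            self.loaded_hosts.add(urlparse(target).hostname)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._skip:  # script/style text is not what the user sees
            return
        for url in URL_RE.findall(data):
            self.shown_hosts.add(urlparse(url).hostname)

def scan(html):
    """Return (suspicious displayed hosts, hosts actually loaded)."""
    p = BitBScanner()
    p.feed(html)
    fake_bar = sorted(h for h in p.shown_hosts if h not in p.loaded_hosts)
    return fake_bar, sorted(p.loaded_hosts)

# Constructed sample: fake title bar shows Steam's real URL, iframe loads elsewhere.
SAMPLE_BITB = """<div class="popup">
  <div class="titlebar">&#128274; https://steamcommunity.com/openid/login</div>
  <iframe src="https://login-steam-example.invalid/steam.html"></iframe>
</div><script>var decoy = "https://decoy.example";</script>"""
# Constructed benign sample: the form really submits to the displayed brand.
SAMPLE_BENIGN = '<form action="https://steamcommunity.com/login/dologin"><input name="u"></form>'
```

A displayed URL that the page never loads is only a triage signal: legitimate pages also print URLs as plain text, so pair the result with a check for a styled title bar and padlock glyph around the text before escalating.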
That an in-page rendering can show the legitimate URL of a login page and look this convincing is a little scary, and it shows how careful users need to be with their credentials and online privacy.