Single Sign-On (SSO), an identity verification method that lets people sign into various online accounts without needing a password, can be spoofed, enabling threat actors to steal login credentials or multi-factor authentication (MFA) keys.
A cybersecurity researcher going by the name mr.d0x published a template on GitHub that uses the Browser in the Browser (BitB) attack method to create a fake browser window within a real one. The template is available for Chrome on both Windows and Mac, in both light and dark themes.
Similar methods have been seen before; what is different now is a widely available template that threat actors can simply download, edit to their liking, and display inside an iframe.
Browser-ception
An SSO prompt usually comes in the form of a pop-up, where people log into accounts simply by choosing one of the accounts they already have with Google, Facebook, Twitter, or a similar provider.
Speaking to BleepingComputer, mr.d0x said the templates were “simple to use” and quite convincing. Attackers can also add the HTML for the login form directly into the template, he added, although in that case they would need to align the form properly with CSS and HTML.
Some people have already tested it out and say they successfully tweaked it to steal MFA keys.
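As an added illustration of the defensive side (example code written for this page, not code from mr.d0x's template or from BleepingComputer): an MFA method bound to the origin, such as a WebAuthn security key, is not captured by a fake window, because the browser, not the page, writes the real origin into the signed clientDataJSON and the relying party rejects anything that does not match its own origin. The origin, challenge and helper names below are constructed for the example.

```python
import base64
import json

# Constructed relying-party origin used by this example (not from the article).
RP_ORIGIN = "https://accounts.example"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    padding = "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data + padding)


def verify_client_data(client_data_b64: str, expected_challenge: str) -> tuple[bool, str]:
    """Check type, origin and challenge inside a WebAuthn clientDataJSON blob.

    The browser fills in `origin` from the page that called navigator.credentials.get(),
    so a login form drawn inside an attacker's fake pop-up still reports the attacker's
    real origin and is rejected here.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected type {client_data.get('type')!r}"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Build a constructed clientDataJSON the way a browser would for `origin`."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")


if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed sample challenge
    # Genuine login from the relying party's own page: accepted.
    print(verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge))
    # Same user action on a phishing page whose fake pop-up imitates the RP: rejected.
    print(verify_client_data(make_client_data("https://phish.example", challenge), challenge))
```

The signature check over authenticatorData and clientDataJSON is omitted; in a real deployment it runs after these checks, and the origin mismatch alone is enough to stop the credential being replayed.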
Phishing is one of the most common types of cyberattack today. It is essentially a scam, because the victim has to compromise themselves, either by downloading a malicious attachment or by visiting a malicious website where they submit their credentials.
Threat actors often use email to try to “lure” people into making that mistake, typically warning victims about a “problem” that needs to be addressed urgently.
Via: BleepingComputer