Summary

Browser-in-the-Browser phishing takes advantage of your familiarity with the single sign-on (SSO) process.

SSO options allow you to sign into a site using a big-name credential such as Google, Facebook, Apple, or Microsoft. You click a button to sign on using one of these options, then window opens where you can log in using your big-name password. SSO is gaining in popularity, often being used to verify your identity for everything from comments on news stories to chats on blogs.

Browser-in-the-Browser phishing mimics the second pop-up window with embedded code. Its goal is to harvest your big-name credentials. Attacks using Browser-in-the-Browser methods may contain a lock symbol, official looking logos, and even a fake url box to convince you it is legitimate. It is important to note that in these attacks you can move the window around within the initial window but cannot move it outside the window.

Take Aways

• Keep an eye out for logo differences, legitimate urls, and security icons. Just because they can be spoofed in Browser-in-the-Browser attacks does not mean standard red flags are not worth noting.
• If you want to use SSO, try moving the pop-up window outside the boundary of the original window. If the pop-up window disappears along the edges, it may be Browser-in-the-Browser phishing.
• Use extra caution any time you log in on to an unfamiliar site—even if using a familiar method like SSO. For there to be a faked Browser-in-the-Browser pop-up, you must have landed on an insecure site. Either the company is a sham or (perhaps more likely) the site is a spoofed copy of the real thing.

For more details, go to the original post at The Hacker News.