Tuesday, September 27, 2022

What Are Browser in the Browser Attacks?

Browser in the Browser Attacks

Last month, the cybersecurity circle buzzed with a new attack denoted as browser in the browser (BitB) attack. Phishing attacks in general and browser attacks, in particular, have been known for some time now. So what are browser in makes this new discovery so dangerous?

What are Phishing and Man-in-the-Middle Attacks?

Phishing attacks have been looming around for around two decades to the extent that phishing filters have been developed and updated constantly to protect potential victims from these targeted attacks. Its homonymous similarity to the English word fishing describes the real mode of operations of the attack itself, that is, luring the victim with bait before deceivingly stealing important information from the victim. 

Phishing is usually associated with another wide class of attacks denoted as man-in-the-middle attacks. These attacks exploit security vulnerabilities or weaknesses to trick victims into sending their communications and thus potentially share some secret information with a man in the middle rather than the intended receiver of this information. 

The man in the middle can be an actual person or a piece of malicious software denoted as malware. Instead of simply eavesdropping and collecting the information, the attacker can manipulate the conversation in order to steal their data using malicious links, for example. This is precisely what happens with phishing emails that ask recipients to click on a link or fill in some information for evil purposes. Phishing filters usually catch this kind of email. 

To achieve this, the attacker resorts to advanced manipulation techniques, including:

• Spoofing techniques: In such techniques, the attackers alter domain name server (DNS) records that force victims to redirect to fraudulent websites. Another spoofing approach, known as internet protocol (IP) spoofing, involves changing the source address in incoming data packets. The victim would then think it is communicating with a legitimate entity, although it is not. The third type of spoofing attack, known as HTTPS spoofing, creates a secure website that is similar to the site the victim is supposed to communicate with. 

• Hijacking techniques: In such techniques, the hacker forces access to secure systems such as the email of governmental or financial institutions and then targets victims with legitimate deceptive requests to gain access to secure information.

What are Browser Attacks?

Browsers are nothing but software applications that are used to access and browse websites around, making them an indispensable tool for most users worldwide. As a result, most attacks are directed at these applications, as in addition to social media applications, they constitute the best playground to prey on data and sensitive information and acquire unlawful benefits. 

A variant of man-in-the-middle attacks dedicated to browsers is known as a man-in-the-browser attack. Usually, malware and, in particular, a Trojan Horse handles the middleman tasks. The malware is first installed through a previous phishing attack. Once there, the software can modify the browser’s functionality according to the intended purpose. 

These include changing the website appearance, adding additional fields, or, in a more severe offense, performing transactions on behalf of the victim, without its knowledge, to steal some financial assets, for example.

What is Different with Browser in the Browser Attacks?

A new attack recently emerged known as browser in the browser attack. This attack takes advantage of the now popular third-party single sign-on options such as Sign with Google or Facebook accounts instead of the normally tedious process of filling up information to create a new account. The BitB attack tries to replicate the authentication window that appears once this option is selected. 

This is done quickly using a combination of Web programming tools such as HTML, CSS, and JavaScript. Unless the user moves the pop-up window to detect foul play, the victim cannot discern the differences with the original window as nothing appears to indicate otherwise, especially since the URL and most other information appear legitimate. The normal checklist followed by users to check a site’s credibility, such as making sure it is using secure HTTP, or HTTPS, also fails to distinguish the attack in progress.

The serious consequence of the BitB attack is that victims would be submitting the credentials to the attacker-owned website rather than the intended one. Robust multifactor authentication (such as two-step authentication) becomes merely useless as one of the factors is the password is already compromised.

Can Browser in the Browser Attacks be Prevented?

BitB attacks are relatively new in the security space. No guaranteed solution can totally circumvent these attacks. Safe or secure browsers provided by internet security companies can minimize the effects by enforcing strict rules on pop-up windows. 

Password managers are another tool that could minimize the effect of the attack as the created browser is not a real browser which the password manager may not react to and thus will not autofill the required information.

Passwordless multifactor authentication is yet another approach to dilute the BitB attack as users replace passwords with other authentication alternatives to verify their identity. In particular, the Fast Identity Online (FIDO) Alliance has developed a passwordless authentication open standard, the FIDO2, that provides potential opportunities to counter BitB attacks. FIDO2 consists of two entities, a web authorization app that can be incorporated into browsers and a Client to Authenticator (CTAP) protocol that enables hardware-based authentication using USBs, Bluetooth, or NFC.

Summary

Browser in the browser attacks are serious and transparent security breaches that exploit single sign-on authentication schemes currently used in abundance. Although it is hard to catch the attack, several practices can mitigate its effects, including safe browsers and passwordless authentication mechanisms. Enforced anti-phishing solutions will certainly be developed for that purpose. As cybersecurity is a fast-evolving field, the next generation of attacks is just around the corner!


Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Cybersecurity section to stay informed and up-to-date with our daily articles.