A new phishing technique targets Google Chrome users. Thanks to a fake login page that displays the address of the real one, a hacker can deceive Internet users to obtain the username and password of Microsoft, Google, Apple or other accounts.
One of the most common tips for avoiding attacks by phishing (or phishing) is to always check the address in the browser before entering your password. A new technique called Browser in the Browser (BITB), or browser within a browser, allows hackers to counter this precaution.
A developer by the name of mrd0x posted a kit on GitHub allowing anyone to quite easily set up a BITB attack in the browser Google Chrome. The technique is based on the identification pages which offer to connect with your Google account, Microsoft, Apple, Twitter, etc Select your account type and a new one window opens to identify you.
A technique impossible to spot for most users
The attack generates a fake window containing an almost perfect copy of the identification window. Until then, nothing new, this kind of attack already exists, but usually it is enough to look at the address of the page to realize the deception. This time the author used an iframe element to create a new frame in the page. Thus, the address of the page indicates for example Facebook or Google, but the content was replaced with a fake login form.
The author even explains how to create very simply, with JavaScript, links where the address indicated at overview is not that open in order to deceive even the most cautious. To use the technique, the hacker will have to have already successfully compromised the site in order to set up its own links, but the technique can also be used by dubious sites to get your codes for gmail, Microsoft or whatever. It seems that the only real solution is a password manager that will make the difference.
Interested in what you just read?