Between the sheer number and the increasing sophistication of phishing campaigns, seeing should not automatically be believing when browsing online. One particularly sneaky scam is a browser-in-the-browser (BitB) attack, in which threat actors create a fake browser window that looks like a trusted single sign-on (SSO) login page within a real browser session.
Because we use SSO to access many of our online accounts, we may not think twice before entering usernames and passwords on these spoofed pages. Cybercriminals are counting on this to steal user credentials.
How a browser-in-the-browser attack works
Rather than redirecting users to a spoofed website, threat actors running a BitB attack create a fake pop-up within the page you’re already on (which may either be set up for the attack or compromised in some way). Using HTML, CSS, and JavaScript, they’re able to design a login window that looks exactly like the real one, right down to the lock icon and URL in the pop-up’s address bar.
These fake login windows typically appear in a seamless fashion, such as after a click or redirect you’re expecting to lead to SSO. Obviously, entering your credentials hands them directly to the attackers, who can either use or sell them.
Fraudulent pop-ups often imitates SSO such as Google, Apple, and Microsoft, though they may exploit any login portal. Earlier this year, researchers at Silent Push identified a BitB phishing campaign targeting Steam users, specifically those playing Counter-Strike 2. Gamers saw a fake browser pop-up window displaying the URL of the real Steam portal, making them more likely to enter their credentials without suspicion. The attackers also featured the likenesses of eSports team NAVI to lend credibility.
Signs of a BitB scam
Because threat actors are able to so closely imitate trusted sign-on pages, including using the real domain in the address bar, a visual inspection may not be enough to catch the fraud. Instead, you need to interact with the window in some way.
What do you think so far?
In many cases, a genuine SSO pop-up can be dragged around and away from the browser page it appears on top of, so you can first try to move it elsewhere on your screen. However, some SSO dialogs are static, so if you can’t drag it, try to highlight the URL or click the padlock icon to show certificate details. If these elements are fake, you won’t be able to interact with them at all because the window itself is just an image.
This is also an excellent reason to use a secure password manager to fill your credentials instead of entering them manually. A password manager will work only on the legitimate domain. If it doesn’t autofill, don’t automatically override it—check to ensure the pop-up is real.
You should also have a strong form of multi-factor authentication (MFA) enabled wherever possible, so even if your username and password are somehow compromised, attackers won’t have the additional factor needed to actually access your account. Note that hackers can still phish some forms of authentication—physical keys along with biometrics and passkeys are the most secure options.
