
Warning! Hackers have discovered a new way to steal usernames and passwords

Silicon Valley: Cybersecurity YouTube channel “Infinite Logins” has revealed in its latest video that hackers have found a new way of “phishing” to steal Internet users’ usernames and passwords. It is called “Browser in the Browser” (BitB).

The video, aimed at cybersecurity experts, details the “BitB” method with reference to a white hat hacker named “Mr. Dox” (mr.d0x).

According to reports from Infinite Logins, Mr. Dox and Ars Technica, the new method is so clever that even a savvy internet user can be fooled by it.
“BitB” relies on “third-party logins”, which are used by millions of websites around the world today.

With a third-party login you do not need to create a separate account to log in to a website; instead you log in to the website by verifying your existing Google, Facebook or Apple account.

For this purpose, an open protocol called “OAuth” is used, which provides automatic, quick and secure verification of a Google, Facebook or Apple account, etc., for logging in to any website.

In the “BitB” method, Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to create a pop-up window for third-party logins that looks exactly like the real authentication (authorization) window.

It does not stop there: the URL in the address bar of this window also looks very real, like accounts.google.com, etc.

Even a well-informed internet user is deceived by this and enters his username and password in this third-party login window, and thus he unknowingly provides his most important information to an unknown hacker.

In a related post from Ars Technica, security editor Dan Goodin also gives some tips on how to recognize and avoid “BitB” phishing.

He writes that the login window that appears in “BitB” phishing is not a separate window but a “browser within browser” window that only looks like a separate and original login window.

Is this login window real or fake? If it is moving left or right, it is a fake login window because it is apparently formatted with the help of CSS.

Dan Goodin’s second way of recognizing “BitB” phishing is somewhat more difficult.

Here you right-click on the login window and select Inspect, then take a closer look at the text in the inspection window that appears, where the address of the unknown website that saves the entered username and password will be shown.

This way you will find out for yourself the reality of this fake login window.
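The Inspect check described above can also be run over a saved copy of the page. The following Python is an added example, not code from Infinite Logins, mr.d0x or Ars Technica; the provider host list, the function and class names and the sample HTML are assumptions constructed for illustration. It reports a page that shows a login provider's address as ordinary text while its password form submits to a different host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed list of login-provider hosts; extend it for the providers you use.
IDP_HOSTS = {"accounts.google.com", "www.facebook.com", "appleid.apple.com"}

class LoginFormAudit(HTMLParser):
    """Records provider hosts drawn as page text and where password forms submit."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.shown = set()     # provider hosts that appear only as visible text
        self.targets = []      # host that receives each password field
        self._action = None    # resolved action of the form currently open
        self._hidden = 0       # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "form":
            # A missing or empty action posts back to the page itself.
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.targets.append(urlparse(self._action or self.page_url).hostname)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
        elif tag == "form":
            self._action = None

    def handle_data(self, data):
        if not self._hidden:
            self.shown.update(h for h in IDP_HOSTS if h in data.lower())

def audit(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    # A real provider pop-up is a separate document served by the provider itself.
    # Heuristic: this also fires when a page merely names a provider beside its own login form.
    return [{"submits_to": t, "page_displays": sorted(parser.shown - {t})}
            for t in parser.targets if parser.shown - {t}]

# Constructed sample input: a page on news.example that draws a provider address as text.
SAMPLE = ('<div><span>https://accounts.google.com/signin</span>'
          '<form action="https://collector.example/save" method="post">'
          '<input type="email" name="u"><input type="password" name="p"></form></div>')
```

Calling `audit("https://news.example/article", SAMPLE)` returns one finding naming `collector.example` as the host that receives the password.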

Additionally, if you wish, enter a wrong username and password in this login window for testing purposes. If the window is real, it will return a wrong username and password message, but the fake login window will accept them as “correct”.

Cybersecurity experts say that until now most phishing attacks have been easy to detect, but the “BitB” method is so complex that users need to be aware of alternative methods of authentication to avoid it. And most consumers don’t do that, for the sake of convenience.

According to Mr. Dox, the new method of phishing came to our notice a few weeks ago, but hackers have probably been using it since 2020.
