A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows.
When logging into websites, it’s common to see the option to log in with Google, Microsoft, Apple, Twitter, or even Steam.
For example, the DropBox login form allows you to log in with an Apple or Google account as shown below.
DropBox Login Form
When you click the Sign In buttons in Google or App, a browser single sign-on (SSO) window is displayed, prompting you to enter your credentials and sign in with the account.
This Windows has been stripped down to only display the login form and an address bar with the URL of the login form.
Legitimate login with Google window
Although this address bar is disabled in these SSO windows, you can still use the URL displayed to verify that a legitimate google.com domain is being used to log in to the site. This URL further adds to the trust of the form and makes you feel comfortable entering your credentials.
Threat actors have tried to create these fake SSO windows using HTML, CSS, and JavaScript in the past, but there is usually something wrong with the windows, making them look suspicious.
Introducing Browser in the Browser Attacks
This is where a new “Browser in the Browser (BitB) Attack” comes into play that uses pre-built templates to create fake but realistic Chrome pop-ups with custom address URLs and titles that can be used in phishing attacks. .
Basically, this attack creates fake browser windows in real browser windows (Browser in the Browser) to create persuasive phishing attacks.
The browser in the browser attack templates was created by security researcher mr.d0x, who released the templates on GitHub. These templates include those for Google Chrome for Windows and Mac and dark and light mode variants.
Example BitB Chrome Phishing Windows for Facebook
Source: mr.d0x
mr.d0x told BleepingComputer that the templates are very easy to use in creating compelling Chrome windows to display single sign-on forms for any online platform.
The researcher said redteamers can simply download the templates, edit them to include the desired URL and window title, and then use an iframe to display the login form.
It is also possible to add the HTML for the login form directly in the template, but mr.d0x told BleepingComputer that you need to align the form properly with CSS and HTML.
Kuba Gretzkythe creator of the Evilginx phishing toolkit, tested the new method and showed how it worked perfectly with the Evilginx platform, meaning it can be modified to steal 2FA keys during phishing attacks.
Forging the reverse-proxied Sec-Fetch-Dest value to “document” worked like a charm and it’s beautiful
Evilginx loves it!
Once again kudos to you @mrd0x pic.twitter.com/ODjblvNvho
— Kuba Gretzky (@mrgretzky) March 15, 2022
mr.d0x told BleepingComputer that this is not a new technique and that Zscaler reported that in 2020 it was used by fake gaming sites to steal Steam credentials.
Huh, looks like Steam scams are evolving. Someone tried to phishing me with this really clever fake Steam login page earlier today, which mostly failed because I opened the window on my tiny second monitor. Watch out, everyone. pic.twitter.com/npGbmAqjgH
— TheAppleFreak (@theaplfreak) January 5, 2020
However, now that pre-made templates for fake Chrome windows are available, redteamers can use them to create persuasive phishing sign-in forms to test the defenses of their customers or their own company’s employees.
For those who want to try out the new browser in the browser phishing attack, you can grab the templates from GitHub.
This post New phishing toolkit allows anyone to create fake Chrome browser windows
was original published at “https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-anyone-create-fake-chrome-browser-windows/”