
The new technique adopted by attackers is the so-called browser-in-the-browser (BitB) attack which, as the name suggests, simulates a browser window displaying a legitimate domain along with graphics and text identical to those of the original portal. As explained by the security researcher mr.d0x, the technique exploits third-party single sign-on (SSO), that is, logging in to a site through a Google, Apple, Microsoft or Facebook account.
This way of logging in is now used by many users who, for convenience (and laziness), pay little attention to the window that opens asking them to grant the site access through the credentials of these large providers, limiting themselves to a quick glance at the graphics and the URL. The BitB attack faithfully replicates the sign-in window by skilfully mixing HTML and CSS code. "It combines the design of the window with an iframe that points to the malicious server hosting the phishing page," explained mr.d0x, "making it practically indistinguishable. JavaScript can easily be used to make the window appear on a link or button click, page load and so on."
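The mechanism just described (a cross-origin iframe wrapped in page-level HTML and CSS that is drawn on top of the page like a popup) has a structural signature that a defender can look for in the DOM. The helper below is an added example, not code from the article or from mr.d0x: it flags iframes that are cross-origin and sit inside a fixed or absolutely positioned ancestor, which is the layout a fake "window" needs. The document object and the iframe layout in it are constructed stand-ins so the snippet runs outside a browser; in a real page you would pass `document` (with `getComputedStyle` from `window`) and `location.origin`. The hostnames are placeholders.

```javascript
// Added example: triage helper for browser-in-the-browser (BitB) overlays.
// Flags iframes whose origin differs from the page AND which are wrapped in a
// floating (fixed/absolute) container, the structure a fake popup window needs.
// `documentLike` only needs querySelectorAll('iframe') and getComputedStyle(node).
function findBitbCandidates(documentLike, pageOrigin) {
  const hits = [];
  for (const frame of documentLike.querySelectorAll('iframe')) {
    let frameOrigin;
    try {
      frameOrigin = new URL(frame.src, pageOrigin).origin; // resolves relative src too
    } catch (_) {
      continue; // unparsable src, nothing to compare
    }
    if (frameOrigin === pageOrigin) continue; // same-origin frames are ordinary page content
    // Walk up the ancestors: a floating container is what lets the frame be
    // painted on top of the page as if it were a separate browser window.
    let ancestor = frame.parentElement;
    let floating = false;
    while (ancestor) {
      const pos = documentLike.getComputedStyle(ancestor).position;
      if (pos === 'fixed' || pos === 'absolute') { floating = true; break; }
      ancestor = ancestor.parentElement;
    }
    if (floating) hits.push({ src: frame.src, origin: frameOrigin });
  }
  return hits;
}

// Constructed stand-in for a DOM so the helper can run in Node for this demo.
function node(tag, style, children = [], attrs = {}) {
  const n = Object.assign({ tag, style, children, parentElement: null }, attrs);
  for (const c of children) c.parentElement = n;
  return n;
}
function makeDocument(root) {
  const all = [];
  (function walk(n) { all.push(n); n.children.forEach(walk); })(root);
  return {
    querySelectorAll: (tag) => all.filter((n) => n.tag === tag),
    getComputedStyle: (n) => n.style,
  };
}

// Constructed sample page (placeholder hostnames) with three kinds of iframe.
const PAGE_ORIGIN = 'https://shop.example.test';
const sampleDocument = makeDocument(
  node('body', { position: 'static' }, [
    // Ordinary embedded third-party widget: cross-origin but in normal flow.
    node('div', { position: 'static' }, [
      node('iframe', { position: 'static' }, [], { src: 'https://widgets.example.test/chat' }),
    ]),
    // BitB-style overlay: fixed "window chrome" wrapping a cross-origin login frame.
    node('div', { position: 'fixed' }, [
      node('div', { position: 'static' }, []), // fake title bar and address bar
      node('iframe', { position: 'static' }, [], { src: 'https://login.attacker-placeholder.test/oauth' }),
    ]),
    // Same-origin frame: floating or not, it is the site's own content.
    node('div', { position: 'absolute' }, [
      node('iframe', { position: 'static' }, [], { src: '/help/panel' }),
    ]),
  ])
);

console.log(findBitbCandidates(sampleDocument, PAGE_ORIGIN));
```

The heuristic is deliberately narrow: a floating cross-origin iframe is not proof of phishing (chat widgets and consent dialogs use the same layout), but it is exactly where a fake sign-in window would have to live, so it is a sensible place to start when reviewing a page that pops up an unexpected SSO prompt.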
Put simply, it works a bit like the old ATM scams in which criminals fitted a fake card slot over the real one: here too a purpose-built mask is laid over the legitimate window to deceive the user. How can such a well-crafted attack be spotted? As in the case of a BitB campaign that targeted Steam, the trick is to try dragging the window with the mouse, so as to see whether a malicious mask is sitting on top of the legitimate pop-up window. Here is the complete technical analysis of this attack by mr.d0x.