Beware of this new fake browser phishing trick


Phishing is a form of internet fraud in which you are lured to a fake website. You can often tell from the URL that something is wrong, but not always. There is a new phishing trick that imitates a window within your browser to simulate a legitimate domain, without a strange URL.

This is a so-called browser-in-the-browser attack, abbreviated BitB. An anonymous hacker using the pseudonym mr.d0x recently posted a detailed report online about this new phishing technique.

The trick is especially dangerous if you regularly log in to multiple websites with one account. Many websites let you log in with a Google, Microsoft or Facebook account, for example. That looks safer and it is also easy: you do not have to create a new account every time. Often a pop-up window appears in which you log in to your Google or Facebook account.

It is these windows that are currently being faked. They are barely distinguishable from legitimate login windows. The URL and the login page look fine, and the address bar shows a padlock, which leads you to expect that you are connected to a safe site. But nothing could be further from the truth.

These login windows are used in a BitB attack.

This is how you protect yourself

How do you avoid falling victim to such a BitB attack? As with many other spam and phishing tricks, common sense goes a long way. You can only fall into the trap of a BitB attack if you have already visited a shady website. If you are on a legitimate website, a hacker cannot suddenly present you with a malicious login window.

It is therefore important that you remain critical of links that you come across on the internet or in your email. This prevents you from ending up on unreliable websites and thus falling into the BitB trap.

Password manager offers protection

Then there’s the protection that password managers provide. You may fall for the almost perfectly counterfeit login windows, but your password manager won’t. The fake login screen does not really contain a login form, so your password manager cannot fill in your login details for you. That’s a sign that something isn’t right. A password vault is therefore an extra layer of protection against the new phishing trick.
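Why the password manager stays silent, shown as an added example that is not part of the original article. It assumes the vault stores each login under the exact address (origin) of the site where it was saved and only ever looks at the address the browser really loaded; all names and sample addresses are constructed.

```javascript
// Hypothetical vault: each saved login is tied to the exact origin it was saved on.
const vault = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://www.facebook.com", username: "alice" },
];

// Saved logins that may be offered for a window.
// realUrl is the address the browser actually loaded. An address bar that a
// page merely draws inside itself never reaches this function.
function loginsFor(realUrl) {
  let origin;
  try {
    origin = new URL(realUrl).origin; // scheme + host + port
  } catch {
    return []; // not a valid address: offer nothing
  }
  return vault.filter((entry) => entry.origin === origin);
}

// Compare what the user sees (shownUrl) with what the password manager sees (realUrl).
function check(win) {
  const offered = loginsFor(win.realUrl);
  const shownOrigin = new URL(win.shownUrl).origin;
  const realOrigin = new URL(win.realUrl).origin;
  return {
    name: win.name,
    autofill: offered.length > 0,
    // Drawn address and real address disagree: the mark of a fake window.
    addressMismatch: shownOrigin !== realOrigin,
  };
}

// Constructed sample windows.
const samples = [
  { name: "genuine login pop-up",
    realUrl: "https://accounts.google.com/signin",
    shownUrl: "https://accounts.google.com/signin" },
  { name: "fake window drawn by a shady page",
    realUrl: "https://free-prizes.example/win",
    shownUrl: "https://accounts.google.com/signin" },
];

for (const win of samples) {
  console.log(check(win));
}
```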

Don’t have a password manager yet? We tested 16 password managers for you in another article and also give you 7 tips to find the best password manager.
