For the unversed, a Browser-in-the-Browser (BitB) attack is a new phishing threat that is emerging worldwide. The method draws a fake browser window inside the active parent browser window on a phishing resource, making it look like a legitimate sign-in pop-up in order to steal login credentials. The BitB phishing kit was first demonstrated and shared by the researcher Mr.d0x in March 2022. Using this method, threat actors create fake login forms for Steam, Microsoft, Google, or any other service. To analyze the threat that the Browser-in-the-Browser technique poses to users, Group-IB examined a phishing kit hosted on a resource that mimicked Steam.

How Does The Scheme Work?

Threat actors send direct messages to prospective victims on Steam and lure them with various appealing offers, such as an invitation to join a team for a LoL, CS, Dota 2, or PUBG tournament, a request to vote for the user’s favorite team, discounted tickets to cybersport events, and more. The links that the threat actors share bring the victims to bait webpages mimicking organizations that sponsor and host e-sports competitions. The victims are then asked to log in via their Steam account in order to join a team and play in a competition. “Almost any button on bait webpages opens an account data entry form mimicking a legitimate Steam window. It has a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication,” the researchers wrote in their report. While traditional phishing resources display a phishing data entry form or redirect users to it, this type of attack opens a fake browser window in the same tab to convince users of its authenticity. Users can even switch between 27 webpage interface languages, all fully functional, and the selection is identical to the one used on the legitimate page.
Depending on the user’s browser preferences, the initial language is chosen automatically and loaded on the landing page. Once the victim enters their credentials, they are immediately sent to the threat actors and automatically entered on the legitimate resource. If the data is incorrect, the victim sees an error message. If the victim has enabled two-factor authentication (2FA), the resource then returns a code request. The code is generated by a separate application, which sends a push notification to the user’s device. If the authentication succeeds, the user is sent to a URL specified by the C2 (command-and-control) server, usually a legitimate address, which reduces the chance that the victim realizes their account has been compromised. By then, the threat actors have already received the victim’s stolen credentials. When threat actors hijack victims’ Steam accounts, they immediately change the passwords and email addresses, which makes it more difficult for the victims to reclaim control over their accounts. “Unlike phishing-as-a-service schemes, which usually involve developing phishing kits for sale, Steam phishing kits are kept secret. The campaigns are carried out by hacker groups who come together on underground forums or Telegram channels and use Telegram or Discord to coordinate their actions,” the report added.

How To Identify A Fake Browser Window In A Browser-In-The-Browser Attack?

Group-IB recommends the following checks to identify a fake browser window in a Browser-in-the-Browser attack:
1. Compare the header design and the address bar of the pop-up window with those of your browser. A fake page can look different from a real one: pay attention to the fonts and to the design of the control buttons.
2. Check whether a new window opened in the taskbar. If not, the browser window is fake.
3. Try to resize the window. If the window is fake, you will not be able to resize it, and you will also not be able to maximize it using the corresponding button in the header.
4. Try to move the window. Since a fake pop-up window is confined to the browser window, you will not be able to move it over the control elements of the initial window.
5. Minimize the window. If the window is fake, the “minimize” button will close it.
6. Check whether the lock symbol signifying the certificate is just a picture. If the window is fake, nothing will happen when you click on the lock; authentic browsers display SSL certificate information.
7. A fake address bar is not functional. In some cases, it does not let users input a different URL, and even if it does, users cannot open it in the same window.
8. Fake windows will not be displayed if you disable the execution of JS scripts in the browser settings.
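The checks above are manual, but the same signals that give a fake window away (an address bar that is only text, a lock that is only an image, a login form framed inside a page whose real origin differs from the one displayed) can also be looked for in captured page HTML. The scanner below is an added example for this article, not Group-IB's tooling and not code from the phishing kit; the list of impersonated login hosts, the attacker host name and both sample pages are constructed assumptions.

```python
"""Heuristic scanner for captured page HTML that flags Browser-in-the-Browser
(BitB) indicators. Constructed example for analysts, not Group-IB's tooling."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Login origins a BitB window is likely to impersonate (assumed list).
IMPERSONATED_HOSTS = {
    "steamcommunity.com",
    "store.steampowered.com",
    "login.microsoftonline.com",
    "accounts.google.com",
}
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
LOCK_RE = re.compile(r"lock|padlock", re.I)


class _Collector(HTMLParser):
    """Collects the DOM facts the heuristics need; ignores script/style bodies."""

    def __init__(self):
        super().__init__()
        self.texts = []          # visible text nodes and <input> values
        self.iframe_srcs = []    # a framed login form is how the kit draws the "window"
        self.lock_images = 0     # <img> that looks like a padlock icon
        self.password_inputs = 0
        self._skip = 0           # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "iframe":
            self.iframe_srcs.append(a.get("src", ""))
        elif tag == "img" and LOCK_RE.search(" ".join(a.get(k, "") for k in ("src", "alt", "class"))):
            self.lock_images += 1
        elif tag == "input":
            if a.get("type", "text").lower() == "password":
                self.password_inputs += 1
            self.texts.append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.texts.append(data)


def scan_page(html, page_url):
    """Return the BitB indicators found in `html`, which was served from `page_url`."""
    real_host = (urlparse(page_url).hostname or "").lower()
    c = _Collector()
    c.feed(html)
    c.close()
    # Hosts shown as plain text (an address bar drawn in HTML) rather than as links.
    displayed = {m.group(1).lower() for t in c.texts for m in URL_RE.finditer(t)}
    impersonated = {h for h in displayed if h in IMPERSONATED_HOSTS and h != real_host}
    indicators = {
        "fake_address_bar": bool(impersonated),
        "lock_is_picture": c.lock_images > 0,
        "embedded_frame": bool(c.iframe_srcs),
        "password_field_off_origin": c.password_inputs > 0 and real_host not in IMPERSONATED_HOSTS,
    }
    score = sum(indicators.values())
    # A displayed login host that is not the real host is required for a hit;
    # the other indicators alone occur on plenty of legitimate pages.
    verdict = "suspicious" if indicators["fake_address_bar"] and score >= 2 else "clean"
    return {"page_host": real_host, "displayed_hosts": sorted(impersonated),
            "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample: an attacker-controlled page drawing a window-like box with a
# lock picture, a URL as plain text and a framed form. Frame contents are not fetched.
BITB_SAMPLE = """
<html><body><div class="fake-window">
  <div class="titlebar"><img src="/img/lock.svg" alt="lock">
    <span class="urlbar">https://steamcommunity.com/openid/login</span></div>
  <iframe src="/login-form.html"></iframe>
</div></body></html>"""

# Constructed sample: an ordinary login form served from the real origin.
LEGIT_SAMPLE = """
<html><body><form action="/login/dologin">
  <input name="username"><input type="password" name="password"></form>
<p>https://steamcommunity.com</p></body></html>"""

if __name__ == "__main__":
    print(scan_page(BITB_SAMPLE, "https://lol-tournament.example/join"))
    print(scan_page(LEGIT_SAMPLE, "https://steamcommunity.com/login/home/"))
```

The scan deliberately keys on the one thing a BitB page must contain to work, a login origin rendered as text or as an input value while the page's real origin is something else; the lock image, the iframe and the password field only raise the score once that mismatch is present, so a real login page served from its own origin stays clean.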
Group-IB has already warned Valve, the developer of Steam, about the Browser-in-the-Browser threat. The company has yet to comment on Group-IB’s findings.