• Perspective
Published on 25 March 2022

BITB, a new phishing technique (almost) impossible to detect


Security researcher mr.d0x recently developed a new phishing technique to demonstrate that verifying a site's URL alone is not always enough to protect oneself. The attack is called "browser-in-the-browser" (BitB) and consists of simulating a browser window inside the real browser in order to spoof a legitimate domain, which makes for very convincing phishing attacks.

How does it work?

This method takes advantage of single sign-on (SSO) options built into websites, such as "Sign in with Google" (or Facebook, Apple or Microsoft). The BitB attack aims to replicate the entire login process by using a mixture of HTML and CSS code to create a browser window from scratch.

Let's imagine that a user wants to log in to an application using Facebook. We can see in the following image that there is no difference between the phishing page and the real page, including the URL displayed:


Example of a phishing page and a real page when connecting to an application via Facebook - credit: mr.d0x

In this case, how can you tell the real from the fake?

Hovering over a URL to determine if it is legitimate is not very effective when JavaScript is allowed. Indeed, the HTML code of a link usually looks like this:

<a href="https://gmail.com">Google</a>

But if an onclick event is added, the "href" attribute will be ignored. Hovering over the link will still display the website of the "href" attribute, but when we click on the link, only the JavaScript code will be executed. We can use this knowledge to make the pop-up window more realistic. An example below:

<a href="https://gmail.com" onclick="return launchWindow();">Google</a>

function launchWindow() {
    // Launch the fake authentication window
    return false; // This will make sure the href attribute is ignored

Since the URL and links appear to be legitimate, there is no way to be sure that the page is real based on its content. The easiest way to discover the deception in the case of a BitB is to check whether the new browser is actually a browser. A browser is a window managed by the computer's graphical interface, which can be moved around the screen, enlarged, etc. If the "browser" cannot be minimised or cannot be moved off the web page, then it is a BitB phishing.


This new attack will greatly increase the risk that a user will enter their login details without knowing whether it is a phishing attack or not. The only way to prevent this is to continue to raise awareness of the issue and make users increasingly wary of emails asking for money or to log in to retrieve an important document.

Author: Maxime Kapitanffy




Article written by
La Minute Cyber