Most individuals would be fooled by a new method of stealing their passwords and other sensitive information.
This past week, a hacker going by the handle “mr.d0x” published a blog post explaining an excellent “browser in the browser” attack in which a phoney pop-up login window is created inside a web page.
Rather than being a real pop-up, the “window” is part of the underlying web page. Thanks to mr.d0x’s hack, the pop-up window can be “grabbed” by clicking its title bar with your mouse pointer and moved about.
Even though you won’t be able to resize or scroll the fake window, or move it past the boundary of the actual web page’s window, it still looks very realistic.
As a result, the majority of people will be duped. The fake pop-up can impersonate an Apple, Facebook, Google, or Microsoft login page, right down to the URL in the address bar and the symbol in the title bar.
Here’s how to spot a phoney pop-up window.
Use a password manager that can’t be tricked by a bogus website to protect yourself from this latest scam.
If you are using a desktop browser, try to move or scroll the pop-up window, although it’s conceivable that well-written JavaScript could recreate these operations.
In that case, drag the pop-up window to the edge of the browser window and see what happens. A pop-up that doesn’t respond the way a real window would is fraudulent. On a mobile browser, though, that may be a little more challenging.
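Why a password manager resists this trick, as an added example (not from the original article or from mr.d0x’s templates): in this simplified model, a saved login is offered only when the address the browser itself reports matches the saved site, and the address painted inside the page is never trusted. The vault entries, URLs and function names are constructed for illustration.

```javascript
// Constructed vault: the sites this user has saved logins for (sample data).
const vault = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://www.facebook.com", username: "alice.fb" },
];

// Reduce a URL to scheme://host[:port]; null for non-HTTPS or unparsable input.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// frameUrl: address the browser reports for the document holding the form.
// displayedUrl: text shown in the pop-up's "address bar". In a fake window the
//   page controls it, so it is never used to pick credentials, only to warn.
function evaluateLogin(frameUrl, displayedUrl) {
  const real = originOf(frameUrl);
  const claimed = originOf(displayedUrl);
  // Offer a saved login only on an exact match with the real origin.
  const fill = real === null ? [] : vault.filter((e) => e.origin === real);
  // Painted address names a saved site, but the real origin is somewhere else.
  const spoofSuspected =
    claimed !== null && claimed !== real && vault.some((e) => e.origin === claimed);
  return { fill, spoofSuspected };
}

// Constructed cases: a genuine sign-in window, then a fake one drawn in a page.
const genuine = evaluateLogin(
  "https://accounts.google.com/signin",
  "https://accounts.google.com/signin");
const fake = evaluateLogin(
  "https://login.phish.example/google.html",
  "https://accounts.google.com/signin");

console.log("genuine:", genuine.fill.map((e) => e.username), genuine.spoofSuspected);
console.log("fake:", fake.fill.map((e) => e.username), fake.spoofSuspected);
```

If your password manager refuses to offer a saved login in what looks like a familiar sign-in window, treat that as a sign the window is not what it claims to be.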
Pop-ups that are perfect
Fake pop-up attacks have been attempted before, but they have often looked bad; mr.d0x’s do not. This new attack takes advantage of the fact that so many websites employ “single sign on” (SSO) services, which let you use a third-party login and password instead of creating yet another account and password.
There are hundreds of websites that use SSO services provided by Apple, Facebook, Google, Microsoft, and others. Internal SSO systems are often used by major corporations and other organisations to access business-related websites and services.
For a phisher, SSO drastically reduces the number of login pages that have to be created. It also increases the value of the passwords collected. To criminals, a Facebook password is much more valuable than a login to Billy Bob’s Bar and Restaurant Supply’s website.
According to mr.d0x’s blog post from last week, “replicating the complete window design using basic HTML/CSS is fairly straightforward. It’s very impossible to tell a phishing website from a legitimate one if it has an iframe referring to the malicious server that hosts it.”
Anyone, including the bad guys, can do it.
mr.d0x has built templates that simulate SSO login windows in Google Chrome on Mac and Windows, in both light and dark mode. The templates for this project are available on GitHub if you’d like to give it a go.
Now, you may wonder, why would someone make such powerful weaponry available for free? It seems that mr.d0x works as a penetration tester, a hacker hired by organisations to break into their networks in order to evaluate their security measures.
Even if these “browser in the browser” templates frighten webmasters, they are very beneficial to pen testers.
To the dismay of the rest of us, mr.d0x has now devised a method for successfully phishing the credentials of Apple, Facebook, Google, and Microsoft users. Crooks just need to combine the template with a simple phishing website and get users to click on their fraudulent emails, texts, or social media postings. From there, they’re in business.

