Browser-in-the-Browser (BitB) Attack: Case Study
by Khalid Alissa¹*, Bushra Alhetelah¹, Ghadeer Alazman¹, Asma Bader², Noor Alhomeed², Layan Almubarak², Fajer Almulla²
¹ Department of Networks and Communication, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia
²SAUDI ARAMCO Cybersecurity Chair, Networks and Communications Department, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia
* Author to whom correspondence should be addressed.
Journal of Engineering Research and Sciences, Volume 3, Issue 5, Page # 14-22, 2024; DOI: 10.55708/js0305002
Keywords: Phishing Attacks, Browser Attacks, Browser-in-the-Browser Attack, SSO
Received: 10 March 2024, Revised: 03 May 2024, Accepted: 04 May 2024, Published Online: 28 May 2024
APA Style
Alissa, K., Alhetelah, B., Alazman, G., Bader, A., Alhomeed, N., Almubarak, L., & Almulla, F. (2024). Browser-in-the-browser (BitB) attack: Case study. Journal of Engineering Research and Sciences, 3(5), 14-22. https://doi.org/10.55708/js0305002
Chicago/Turabian Style
Khalid Alissa, Alhetelah, Bushra, Ghadeer Alazman, Asma Bader, Noor Alhomeed, Layan Almubarak, and Fajer Almulla. “Browser-in-the-Browser (BitB) Attack: Case Study.” Journal of Engineering Research and Sciences 3, no. 5 (2024): 14-22. https://doi.org/10.55708/js0305002.
IEEE Style
K. Alissa, B. Alhetelah, G. Alazman, A. Bader, N. Alhomeed, L. Almubarak, and F. Almulla, “Browser-in-the-Browser (BitB) Attack: Case Study,” Journal of Engineering Research and Sciences, vol. 3, no. 5, pp. 14-22, 2024. doi: 10.55708/js0305002.
Phishing attacks are becoming more sophisticated daily, taking advantage of victims’ lack of awareness to steal sensitive information. The browser-in-the-browser (BitB) attack is a novel and sophisticated phishing technique that uses a single sign-on (SSO) popup window mimicking a legitimate browser login window to steal a user’s credentials. In addition, an attacker can customize the URL shown in the header of the fake login popup so that it appears as a legitimate link with a padlock symbol. This attack is particularly dangerous because it steals sensitive information and is built with HTML, CSS, JavaScript, and social engineering techniques in a way that is hard to detect. This paper aims to study and analyze BitB, to conduct an experiment on the BitB attack scenario from both the attacker’s and the victim’s points of view, and to recommend countermeasures for detecting the attack. The results of the BitB attack analysis and experiments show that BitB attacks require only basic knowledge of phishing tools and programming languages for attackers to implement them and achieve their goal of stealing sensitive information, which allows them to move on to the next stage of their attacks. Further, given the lack of available research and documentation, this paper will be the first academic paper to study this new type of attack, making it a crucial contribution to the field.
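One detection heuristic a defender could run over crawled or proxied pages, added here as an example (it is not the paper's code or experiment): because a BitB window is ordinary page content, the URL in its fake address bar is just bare text naming a host other than the page's real host, wrapped around a password field or iframe. The sample HTML and host names below are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that is *only* a URL, optionally preceded by a padlock glyph: an address-bar mimic.
ADDRESS_BAR_RE = re.compile(r"^\W*https?://([\w.-]+)\S*$", re.I)
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}   # never receive an end tag

class _BitbScanner(HTMLParser):
    # One frame per open element: bare-URL hosts shown in it, sink flag, flagged-descendant flag.
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.stack, self.hits = page_host.lower(), [], []

    def handle_starttag(self, tag, attrs):
        kind = (dict(attrs).get("type") or "").lower()
        if tag == "iframe" or (tag == "input" and kind == "password"):
            for frame in self.stack:          # every ancestor now holds a credential sink
                frame["sink"] = True
        if tag not in VOID_TAGS:
            self.stack.append({"tag": tag, "hosts": set(), "sink": False, "child_hit": False})

    def handle_data(self, data):
        m = ADDRESS_BAR_RE.match(data.strip())
        if m:                                 # bare URL text: record its host on every ancestor
            for frame in self.stack:
                frame["hosts"].add(m.group(1).lower())

    def handle_endtag(self, tag):
        if not self.stack or self.stack[-1]["tag"] != tag:   # stray or self-closed tag
            return
        f = self.stack.pop()
        spoofed = sorted(h for h in f["hosts"] if h != self.page_host)
        # Flag the innermost element that shows a foreign URL *and* holds a sink.
        if spoofed and f["sink"] and not f["child_hit"]:
            self.hits.append((f["tag"], spoofed))
            for parent in self.stack:
                parent["child_hit"] = True

def find_bitb_windows(html, page_url):
    """Return [(tag, [spoofed hosts])] for elements that look like fake login windows."""
    scanner = _BitbScanner(urlparse(page_url).hostname or "")
    scanner.feed(html); scanner.close()
    return scanner.hits

# Constructed sample: a fake "Sign in with Google" window drawn inside the attacker's page.
SAMPLE_BITB = """<html><body><div class="fake-window"><div class="titlebar">Sign in</div>
<div class="urlbar">&#128274; https://accounts.google.com/signin</div>
<form action="/collect.php"><input name="email"><input type="password" name="pw"></form>
</div><p>Questions? Visit https://help.promo.example</p></body></html>"""
```

Running `find_bitb_windows(SAMPLE_BITB, "https://promo.example/offer")` flags the outer `div`, while a real login form with ordinary link text produces no hits.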