What is the browser-in-the-browser (BitB) attack?

A browser within a browser.

You’ve been warned not to click on suspicious email attachments designed to steal your information, or not to open sketchy links sent to your LinkedIn inbox that can install malware onto your computer.

But just when you think you’re on top of these classic phishing scams, which attempt to lure you into giving in your personal information or infect your devices with viruses, there’s a new phishing trick on the horizon—called the browser-in-the-browser attack. It’s difficult to spot, and many have fallen prey to it.

We explain what the browser-in-the-browser attack is, and how to protect yourself against it.

What is the browser-in-the-browser (BitB) attack?

The browser-in-the-browser attack exploits the single sign-on method, where you sign in to a third-party website with an existing account you have from services like Google or Facebook, but only this time it’s in a fake sign-in prompt that appears in a separate window.

The username and password you enter aren’t sent to Google or Facebook as you’d expect; they go to the servers of the attackers, who will then use them to access your account and other potentially linked ones.

This scam is a tricky one because the fake sign-in prompt looks exactly the same as a legitimate one.

What is single sign-on (SSO)?

Single sign-on is an authentication method that lets you access multiple services with just one set of credentials. The most common example is when you use your existing Google, Facebook, or Microsoft account to sign up for new services, instead of creating a new profile from scratch.

This method is increasingly popular because it’s convenient and saves time. It is considered secure, but one risk is if your Google or Facebook account is hacked, the hacker would have access to all the linked accounts. And as you’ve seen, your accounts could be vulnerable if you fall for a BitB attack.

What are some examples of BitB attacks?

Like other phishing scams, BitB attackers start with a phishing lure. It can be a fake email pretending to come from a company you’re familiar with, prompting you to sign in with a link in the email, which redirects you to a fake sign-in prompt. Another instance is you’re already browsing an attacker-owned website unknowingly, which can directly show you a fake SSO sign-in window.

How to spot a fake sign-in prompt

It’s challenging to spot a fake sign-in prompt as attackers can program it to look exactly like a legitimate one from Google, Microsoft, or Facebook—displaying the same logo, input fields, and sometimes even the URL. They play on your trust in these reputable services you use every day, getting you to let them slip under your radar and think everything is normal.

If a sign-in prompt appears as a pop-up window, try moving the window. If it can’t be moved and is actually an image, that’s a sign that something is wrong.

Always question the need to sign up or sign in to access a site or service. If it’s not a major website, you might be better off going elsewhere. Scrutinize whether the site you think you’re signing in to is the real site or a fake one dressed up to look like the real one.

Ways to protect yourself against BitB attacks

  • Use a password manager like ExpressVPN Keys on all your devices. ExpressVPN Keys verifies the URL of a site before letting you sign in with a stored password. And when it doesn’t match, ExpressVPN Keys refuses to fill the fields with your credentials.
  • Be selective about using SSO. Do you really need to log in to the site to use it? Some sites offer the option of logging in for their own tracking purposes, but often you can also bypass the prompt (with buttons to “Skip” or similar).
  • Check that the site you’re signing into has the right URL. If it doesn’t, it could be a scam site.
  • Activate two-factor authentication for all your accounts. Even if the attacker gets a hold of your credentials, they won’t be able to access your accounts without your second verification method (such as via an authenticator app).

Read more: ​​How to spot common red flags in phishing emails