I saw it on Twitter but I just wanted a clear demo and this is it, brilliant technique
Very cool. Normally the URL tells the target that the page is fake, but this can work better.
This is scary real, and it can be modified so much that the average person, maybe even some people like us wouldn’t even know the difference.
The scariest one I have come across is a redirect that takes you to your already signed-in page, hijacks the session cookie with Microsoft OAuth and sends it back to the CNC.
People have been making crypto scam pages and using the turtwalet pop-up to steal your info. It's crazy cheap to buy the pages, not just one: a pack with all of the top 100 companies in crypto is being sold for 200 USD.
So if I understand correctly, the way to detect this is to check if you can drag the OAuth window outside of the parent window. If you can't, it's a fake window. Correct?
Correct. It's a simple DIV container that looks like a new browser window. So, as you correctly understood, you can't drag this login popup on a second monitor.
That's a pretty quick check that is simple enough to train!
@InfiniteLogins How about don't ever log into a site like "canva" using credentials from another (way more important) site?
@jesjames Well, most of us don't have a second monitor... How do we recognize it? That wasn't actually addressed in the entire video, either... In fact, I've already wasted my time watching a few videos on this topic and they're all useless.
@mariad6519 I said second monitor to explain the test you could do. On a single monitor you just have to shrink the main browser window, and you shouldn't be able to drag the popup out of it.
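The drag test above works because a real OAuth popup is a separate top-level window that is not part of the phishing page's DOM at all, while the BITB "window" is an overlaid element that paints a hostname the page is not actually served from. The following console snippet is an added example, not code from the video or from any commenter; it makes that distinction checkable in devtools. The DOM walker only runs in a browser; the scoring function is pure so it can be exercised on the constructed records at the bottom (the hostnames `canva-login.phish.example` and the records themselves are made up).

```javascript
// Added example (not from the video or any commenter): a devtools console
// check for a BITB fake window. A real OAuth popup lives in its own
// top-level window and never appears in this document; a fake one is an
// overlaid element that paints a hostname the page is not really served from.

const HOSTNAME_RE = /\b(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=\/|\b)/i;

// Pure part: flag overlaid (fixed/absolute) elements whose own text contains
// a hostname other than the one the document is actually loaded from.
function scoreCandidates(records, realHostname) {
  const real = realHostname.toLowerCase();
  const findings = [];
  for (const r of records) {
    if (r.position !== "fixed" && r.position !== "absolute") continue;
    const m = r.text.match(HOSTNAME_RE);
    if (!m) continue;
    const shown = m[1].toLowerCase();
    if (shown === real) continue; // painting your own hostname is fine
    findings.push({ shown, real, text: r.text.trim().slice(0, 80) });
  }
  return findings;
}

// Browser-only part: gather { text, position } for every positioned element,
// using only the element's direct text nodes so the fake address bar is
// reported once rather than through every ancestor.
function collectFromDom(doc) {
  const out = [];
  for (const el of doc.querySelectorAll("body *")) {
    const position = getComputedStyle(el).position;
    if (position !== "fixed" && position !== "absolute") continue;
    const text = Array.from(el.childNodes)
      .filter((n) => n.nodeType === Node.TEXT_NODE)
      .map((n) => n.textContent)
      .join(" ");
    if (text.trim()) out.push({ text, position });
  }
  return out;
}

// Paste into the console of the page while the suspicious popup is open.
// Returns null outside a browser (e.g. when run under node).
function checkPage() {
  if (typeof document === "undefined") return null;
  return scoreCandidates(collectFromDom(document), location.hostname);
}

// Constructed records standing in for what collectFromDom would return on a
// BITB page served from canva-login.phish.example (made-up hostname).
const CONSTRUCTED_RECORDS = [
  { text: "https://accounts.google.com/o/oauth2/auth?client_id=123", position: "absolute" },
  { text: "Sign in with Google", position: "fixed" },
  { text: "Questions? Visit https://canva-login.phish.example/help", position: "static" },
  { text: "canva-login.phish.example", position: "absolute" },
];
```

On the constructed records only the painted `accounts.google.com` address bar is flagged: the page's own hostname and the static help link are ignored, and a real popup would never show up because it is not in `document` to begin with. A BITB kit can of course render the address bar as an image or canvas instead of text, so treat an empty result as "nothing found", not as "genuine"; the drag test still applies.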
I think I'm witnessing a phishing revolution here. I am an ICT student and as a part-time job I help the elderly with their computers. I think I should start warning them about this technique... We're going to see this a lot in the future, because I don't see a very simple way how to patch this.
Euthanasia
@Ken.- the elderly or me 😂
Hi there. This is a pretty cool phish. Almost anyone would be fooled and phished by this. I would like to see more stuff like this and Gophish.
Brilliant technique, thanks for doing the video demonstrating it in action. Great work.
I appreciate you 🙏
Amazing! Great technique! Thanks for sharing via a video!
I appreciate you 🙏
This is why I always go to the direct company website, never opening email links or messages from anywhere else.
I would love to see a video on setting up a phishing website. That would be awesome.
I can't believe no one has thought of this before!
I'm sure others have. This is the first I've seen though
While reading the article on Ars Technica I actually had to think for a moment about what the attack vector is here. I mean, this is so simple and seamless, and yet very effective.
Super simple. That's what makes this so cool! But scary..
I experienced this over a year ago from a phishing site pretending to be Steam with fake popup logins, I found it pretty amusing as someone must have put into a lot of effort to mimic the frontend.
Hey.. Thanks a lot for the great content. Just stumbled across your channel and subbed 🙂 Like the sound of your keyboard. What keyboard is it, and what keys are on it? Thanks again for the content.
It's just a basic clicky keyboard. I think brand is "bloody"
Scary. Does this attack trick password managers like LastPass as well?
It won't fool the automatic form-filling functionality because those are tied to the actual page URL, but it will fool users who aren't using the autofill forms.
Exactly!
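The point made just above, that autofill is keyed to the real page URL and not to what the page paints, is what a password manager's origin check looks like in practice. The block below is an added example, not code from the video, from any commenter, or from any real password manager; the vault entries and the `*.phish.example` hostnames are constructed. It shows why a BITB page that draws `accounts.google.com` in a fake address bar gets nothing filled, and why lookalike hosts and an `http://` downgrade are rejected as well.

```javascript
// Added example (not from the video or any commenter): how a password
// manager decides whether to autofill. The decision uses the document's
// real origin; anything painted inside the page is never a trust signal.
// Vault entries and page URLs below are constructed.

const vault = [
  { site: "https://accounts.google.com", username: "alice@example.com" },
  { site: "https://login.microsoftonline.com", username: "alice@example.com" },
];

// Reduce a URL to its origin: scheme + host (+ non-default port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Vault entries eligible for a page. Only an exact origin match counts:
// subdomains, lookalikes and an http:// downgrade all fail.
function entriesFor(pageUrl) {
  const page = originOf(pageUrl);
  return vault.filter((e) => originOf(e.site) === page);
}

// `paintedAddressBar` is whatever text the page has drawn inside its fake
// window. It is ignored for the fill decision and only used to explain why
// the page looks suspicious when its painted origin has a vault entry.
function autofillDecision(pageUrl, paintedAddressBar) {
  const matches = entriesFor(pageUrl);
  if (matches.length > 0) {
    return { fill: true, reason: "origin matches a vault entry", matches };
  }
  let reason = "no vault entry for this origin";
  if (paintedAddressBar) {
    try {
      const painted = originOf(paintedAddressBar);
      if (painted !== originOf(pageUrl) && entriesFor(painted).length > 0) {
        reason = `page shows ${painted} but is really ${originOf(pageUrl)}: likely phishing`;
      }
    } catch {
      // painted text is not even a URL; nothing more to say
    }
  }
  return { fill: false, reason, matches: [] };
}
```

The manager never compares the painted bar against the vault to decide whether to fill; it only uses it afterwards to word the warning. That is the behaviour a user should expect: if the extension stays silent on a login popup that claims to be Google, the popup is not on Google's origin, and pasting the password in by hand (the bypass raised in a later comment) is exactly the step to refuse.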
Great video and informative ! Thanks 👍
Thank you!
Thanks for the share
3:33 that was exactly the purpose of my click, ngl
using it for evil is another thing, but I wanted to know how to do it...
😳 This is worrisome!!
One way to be safe is to always provide a wrong password on the first try. If the wrong password is verified successfully, it means it's not a genuine website. And why not make a habit of always entering a wrong username and password on the first try?
Yep, that's a good point, but for this particular reason I came up with the idea of using Python on the backend to verify the credentials when the victim submits the form. This even bypasses 2FA, because you can just prompt the user to verify this login, hoping he doesn't check the location of the login attempt. This way submitting wrong credentials wouldn't work. I think password managers with autofill could help a lot.
Users may still copy/paste their password in if they think the password management extension doesn't work on the pop-up window.. but I like the way you think!
@InfiniteLogins Yep, the password manager should in that case tell them that the URL is different and that it may be dangerous to fill in the data. I already have part of that idea implemented. I used JavaScript to send the credentials to a Python Flask API. Python then inputs the data into the Facebook login page using Selenium and sends the result back to the victim's browser. It works, but it takes like 3 seconds each time you pass in the data because of the whole Selenium login process.
@Get advice from Sara I wrote my own.
@Get advice from Sara Phishing bro
Anything the browser creators (Mozilla, MS, Apple) can do to detect this, and disable it or warn the user?
I don't think so.. It's common for sites to use iframes for legitimate purposes, so it would be a hard thing to expect the browser to be able to tell the difference.
All you have to do is advise users to try pulling a "pop-up" out of the browser ...
Good advice!
I think if the page will accept any value, in this case we know whether it's fake or not.
Good point. Some phishing sites I've seen will actually always say "incorrect password" in hopes to get you to try entering other passwords you use.
It shows a blank page if used on mobile phone, only displays on PC
Could you do a video to show what we could look for in developer mode to detect this? Also could you explain Kellen Green's comments: If the IDP added "Header set X-Frame-Options DENY", I believe this could be prevented.
Could you not just make sure the parent browser window is not fullscreen, then attempt to drag the login pop-up outside of the boundaries of the parent window? A normal, authentic window would be on top and free to move to any bounds. A fake phishing pop-up is contained and locked inside the boundaries of the parent browser. No?
It is CSS, the header won't fire and won't work.
The X-Frame-Options header being set can prevent a site from being loaded in an iframe, but that header would need to be set on the phishing site that the attacker already controls.. and the hacker wouldn't set that lol.
For example, trying to iframe google.com doesn't work, because they have that header set. But I could spin up my own phishing site for Google without the header, and then display it within an iframe.
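The exchange above is exactly how browsers evaluate framing policy: the header is read from the response of the page being framed, so only the site inside the frame can protect itself, and a BITB window drawn with a DIV never fetches the IdP at all, so no IdP header is ever evaluated. The block below is an added example, not code from the video or from any commenter, that models the decision. It also covers the `Content-Security-Policy: frame-ancestors` directive, which current browsers consult before `X-Frame-Options`; the headers and the `*.phish.example` hostnames are constructed stand-ins, not captured responses.

```javascript
// Added example (not from the video or any commenter): the browser-side
// decision of whether a response may render inside a frame on `topOrigin`.
// CSP frame-ancestors is consulted first; if absent, X-Frame-Options applies.
// All responses below are constructed.

function parseFrameAncestors(csp) {
  const directive = (csp || "")
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (!directive) return null;
  return directive
    .split(/\s+/)
    .slice(1)
    .map((s) => s.replace(/^'(.*)'$/, "$1").toLowerCase()); // 'self' -> self
}

// Does one CSP source expression ('*', 'https:', 'https://*.x.example',
// 'x.example:8443') match the embedding page's origin?
function sourceMatches(src, topOrigin) {
  if (src === "*") return true;
  const top = new URL(topOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return top.protocol === src; // scheme-source
  let scheme = null;
  let host = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) { scheme = m[1] + ":"; host = m[2]; }
  if (scheme && scheme !== top.protocol) return false;
  // "*.x.example" matches sub.x.example but not x.example itself
  if (host.startsWith("*.")) return top.hostname.endsWith(host.slice(1));
  return top.host === host;
}

function frameAllowed(responseHeaders, framedOrigin, topOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors) {
    // frame-ancestors, when present, takes precedence over X-Frame-Options
    if (ancestors.includes("none")) return false;
    return ancestors.some((a) =>
      a === "self" ? framedOrigin === topOrigin : sourceMatches(a, topOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framedOrigin === topOrigin;
  // Absent, legacy ALLOW-FROM, or garbage: current browsers ignore it and frame the page.
  return true;
}

// Constructed scenario: the real IdP sets a framing header; the attacker's
// clone, served from a domain the attacker controls, sets nothing.
const REAL_IDP = "https://accounts.google.com";
const CLONE = "https://accounts-google.phish.example";
const PHISH_PAGE = "https://canva-login.phish.example";
const responses = {
  [REAL_IDP]: { "X-Frame-Options": "DENY" },
  [CLONE]: {},
};

function bitbScenario() {
  return {
    // Framing the real IdP from the phishing page: blocked by the IdP's own header.
    realIdpFramed: frameAllowed(responses[REAL_IDP], REAL_IDP, PHISH_PAGE),
    // Framing the attacker's clone: nothing in the path says no.
    cloneFramed: frameAllowed(responses[CLONE], CLONE, PHISH_PAGE),
    // A DIV-drawn BITB window never requests the IdP, so no IdP header is consulted.
    idpHeaderConsultedForDivWindow: false,
  };
}
```

Setting `frame-ancestors 'none'` (or `X-Frame-Options: DENY`) on the IdP is still worth doing, because it stops the cheaper variant where the real login page is framed inside a fake window, but as the reply says, it does nothing against a clone or a pure CSS mock-up.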
Can you teach me how to build a phishing page
So scary, this method.... It works only on PC, right? On mobile phones we are safe?
Hi Team, could you please share the report for this Browser in the Browser (BITB) phishing technique?
Cool, very good.
Waooo, impressive. But how can anybody prove that the login page is the original with this new way of phishing? 🤔
In a real page, the new page is an actual window that can be dragged even outside the current browser window. The fake one is just an iframe; you can't drag it outside.
I see the comments about dragging around the other screen to see if it's fake or not but what happens if you did this on a mobile phone
It wouldn't make as much sense on mobile because the windows are skinned for macOS or Windows
I mean I guess that makes some sense but still can't help but wonder if I went to one of the websites If it would still function the same
Mobile is a good question. The genius behind this is that anybody can make additional templates, have the site check user agent values, and then display the appropriate template back. I bet a mobile friendly one could be created
Hi! So with this BITB site login page link, if we want to get some credential information, does the way to exploit it require sending the link to victims through email or any other media? It's not popped up on the real website, is it?
And if it can be popped up on the real website, how can we identify this type of attack? What's the difference from the real login page popping up?
Yup, the victim would have to be tricked first into going to a fake site. The URL of the fake site would be the victim's red flag to notice something is wrong.
The only solution is to copy the link of the popup each time, paste it and open it in the browser to see if it is valid or not. Stay safe.
The issue for most users will be that they will not be familiar with the tools needed to identify this type of attack. This is going to wreak havoc on a lot of people. Unless this can be patched out of existence with some sort of link validation or check, this is going to change the game for bad actors.
User awareness needs to evolve as hackers do.
Similar to BeEF-XSS Pretty Theft, no?
Imagine This With Autofill 🤯
Hi! How do I send the index.html file in an email link after editing?
🤷♂️
If the IDP added "Header set X-Frame-Options DENY", I believe this could be prevented.
He isn't loading the IDP's real page. This is a phishing page, made to look like the real thing down to impersonating the browser address bar. The IDP would not be able to protect you from this.
@billyjbryant Ooh gotcha, we're not even hitting the real IDP.
Seen this in the wild a handful of times. The obvious solution for me is to stop Google and such sites from prompting for login in a popup browser window, and instead handle it on their main page where you connect applications.
I think this will be solved as well by the 'passwordless' system microsoft and the likes were working on.
This isn't anything new; I've seen methods like this a long time ago with Steam scammers, where they link you to a site with a "login with Steam" option.
Nice! It was new to me so I figured I'd share.
It's not working for 2fa
Doesn't seem like much of a useful attack. If you didn't notice that you are on a phishing site to begin with, then making anything look real after that won't matter since the only people falling for this already aren't looking at the URL anyway.
It's like worrying about deep fakes. You don't need a sophisticated attack for unsophisticated people.
Don't forget, a lot of mail filtering services obfuscate the email addresses. So on a well constructed email that can pass the filter it can still fool those wanting to check the URL.
@ErikRoberts1981 But you still have to go there before you can see the second "real" looking one.
@Ken.- Sure, but for it to work you want to send them to a legit site (that you own) offering some kind of service that they want. Because you own the domain, and if you get the SSL cert for it, it looks legit.
It's the part where you ask them to log on or create an account that this window pops up.
Erik has some solid points here.
Time to teach people to click the lock icon to check if it's legit... but yeah, that's a nasty little trick.
And even then, the page can fake the little floating window that Chrome and Firefox open when you do that, and they can fake the info inside it. They can't fake the popup once you click to view the certificate details though, I guess
That's a good idea!
This will still show your URL that points to the BITB template, so this is dumb phishing.
Lol, now we will teach users to use the inspect option 🤣🤣🤣
😂
Can you please make a video on how to setup a phishing page
Your name suggests you're not up to something good.
@Vintage B He's a crazy noob.
How To: Evilginx + BITB | Browser In The Browser without iframes in 2024
ruclips.net/video/luJjxpEwVHI/видео.html
Just released this new version that makes this work with Evilginx to bypass MFA. This version does not use any iframes, meaning it completely bypasses framebusters 🤞
(Not trying to self promote under this video, but saw a lot of traffic coming from it to my video and thought I’d leave this comment that might be helpful)