New Phishing method can expose your private data.

Esteban Suárez

User mr.d0x has revealed a new Phishing technique that may be affecting us all right now.

This is the Browser in Browser attack, which uses templates for the sites most used by users to impersonate genuine sites, steal credentials and thereby gain access to private information.

The attack was described in an extensive article in which the computer expert demonstrates how it is carried out; it can be found at the [following link](https://mrd0x.com/browser-in-the-browser-phishing-attack/). The templates for the attack can be downloaded from GitHub.

How the attack works

When a user authenticates on a website through Google, Apple, Microsoft, etc., a floating window is shown in which the requested credentials must be entered.

Authentication window for signing in within Canvas

The attack works by replicating that window in HTML/CSS as if it were the genuine one, combining an iframe that points to the attacker's server with a web design similar to that of the site whose credentials are to be obtained, making the attack almost indistinguishable.

Targeted attack on Facebook

JavaScript can easily be used to make the window appear when a link or button is clicked, so that very few people are aware that they are being attacked.

Window overlay.

Normally a legitimate call to the authentication server should look like this:

<a href="https://gmail.com">Google</a>

But if JavaScript is enabled, an onclick handler can take over the click so that the href shown in the link is never followed:

<a href="https://gmail.com" onclick="return launchWindow();">Google</a>

function launchWindow()
{
  // Launch the fake authentication window
  return false; // This will make sure the href attribute is ignored
}
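A defender-side check for the link pattern above, added here as an example and not taken from the original article or from mr.d0x: it statically scans a page's HTML for off-site links whose inline `onclick` can cancel navigation. The names `LinkOverrideScanner` and `scan`, the host `shop.example` and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline handlers that can cancel the default navigation:
# "return f()", "return false", or an explicit preventDefault() call.
CANCELS_NAV = re.compile(r"\breturn\b|preventDefault\s*\(", re.I)


class LinkOverrideScanner(HTMLParser):
    """Collects anchors whose advertised href may never be followed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k: (v or "") for k, v in attrs}
        href, onclick = a.get("href", ""), a.get("onclick", "")
        host = (urlparse(href).hostname or "").lower()
        # Only off-site links matter: the user expects to leave for the
        # identity provider, so a cancelled click keeps them on this page.
        if host and host != self.page_host and CANCELS_NAV.search(onclick):
            self.findings.append(
                {"line": self.getpos()[0], "href": href, "onclick": onclick})


def scan(html, page_host):
    """Return one finding per suspicious anchor in the given HTML."""
    scanner = LinkOverrideScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: only the second link shows a provider URL while its
# handler is able to suppress the navigation.
SAMPLE = """\
<a href="https://gmail.com">Google</a>
<a href="https://gmail.com" onclick="return launchWindow();">Google</a>
<a href="/help" onclick="return openHelp();">Help</a>
<a href="https://gmail.com" onclick="track('click')">Google</a>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE, "shop.example"):
        print(f"line {f['line']}: href={f['href']} onclick={f['onclick']}")
```

The check only sees inline handlers; listeners attached from script with `addEventListener` are invisible to a static scan and need a DOM-level check.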

Conclusion

With this technique, the targeted user becomes a victim as soon as they type their password into said window.