arstechnica.com
3.23.219.58  Public Scan

URL: https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/
Submission: On March 22 via manual from US — Scanned from US

Form analysis 4 forms found in the DOM

GET /search/

<form action="/search/" method="GET" id="search_form">
  <input type="hidden" name="ie" value="UTF-8">
  <input type="text" name="q" id="hdr_search_input" value="" aria-label="Search..." placeholder="Search...">
</form>

POST https://arstechnica.com/civis/ucp.php?mode=login

<form id="login-form" action="https://arstechnica.com/civis/ucp.php?mode=login" method="post">
  <input type="text" name="username" id="username" placeholder="Username or Email" aria-label="Username or Email">
  <input type="password" name="password" id="password" placeholder="Password" aria-label="Password">
  <input type="submit" value="Submit" class="button button-orange button-wide" name="login">
  <label id="remember-label">
    <input type="checkbox" name="autologin" id="autologin"> Stay logged in</label> <span>|</span> <a href="/civis/ucp.php?mode=sendpassword" data-uri="53ec6d3f65bb7762a489b7a13824e81f">Having trouble?</a>
  <input type="hidden" name="redirect" value="./ucp.php?mode=login&amp;autoredirect=1&amp;return_to=%2Finformation-technology%2F2022%2F03%2Fbehold-a-password-phishing-site-that-can-trick-even-savvy-users%2F">
  <input type="hidden" name="return_to" value="/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/">
  <input type="hidden" name="from_homepage" value="1">
</form>

POST https://api.bounceexchange.com/capture/submit

<form id="bx-form-1063227-step-1" bx-novalidate="true" method="post" action="https://api.bounceexchange.com/capture/submit" onsubmit="return bouncex.submitCampaignStep(1063227); return false" onreset="bouncex.close_ad(1063227); return false"
  tabindex="0" aria-labelledby="bx-campaign-ally-title-1063227"><input type="hidden" name="campaign_id" value="1063227">
  <div class="bx-group bx-group-default bx-group-1063227-rQWiaQ5 bx-group-rQWiaQ5" id="bx-group-1063227-rQWiaQ5">
    <div class="bx-row bx-row-image bx-row-image-logo  bx-row-ICDTsc2 bx-element-1063227-ICDTsc2" id="bx-element-1063227-ICDTsc2"><img src="//assets.bounceexchange.com/assets/uploads/clients/2806/creatives/78dbf26fc8687b650f46e91adf23f5fa.svg"
        alt="logo"></div>
  </div>
  <div class="bx-group bx-group-default bx-group-1063227-9V7DjRk bx-group-9V7DjRk" id="bx-group-1063227-9V7DjRk">
    <div class="bx-row bx-row-text bx-row-text-default  bx-row-eLuSF9U bx-element-1063227-eLuSF9U" id="bx-element-1063227-eLuSF9U">
      <div>Join Ars Technica and</div>
    </div>
    <div class="bx-row bx-row-text bx-row-text-headline  bx-row-nNHNozp bx-element-1063227-nNHNozp" id="bx-element-1063227-nNHNozp">
      <div>Get Our Best Tech Stories</div>
    </div>
    <div class="bx-row bx-row-text bx-row-text-subheadline  bx-row-IMQMdcF bx-element-1063227-IMQMdcF" id="bx-element-1063227-IMQMdcF">
      <div>Delivered Straight to your Inbox.</div>
    </div>
  </div>
  <div class="bx-group bx-group-default bx-group-1063227-7Y4PFWQ bx-group-7Y4PFWQ" id="bx-group-1063227-7Y4PFWQ">
    <div class="bx-row bx-row-input bx-row-input-default  bx-row-VYWXDZZ bx-element-1063227-VYWXDZZ" id="bx-element-1063227-VYWXDZZ">
      <div class="bx-inputwrap"><input class="bx-el bx-input" id="bx-element-1063227-VYWXDZZ-input" type="email" name="email" placeholder="Email address" aria-required="true"></div>
      <div class="bx-component  bx-component-validation bx-vtext bx-error-1063227-email" id="bx-error-1063227-email">Please enter above</div>
    </div>
    <div class="bx-row bx-row-submit bx-row-submit-default  bx-row-KmYHkpO bx-element-1063227-KmYHkpO" id="bx-element-1063227-KmYHkpO"><button type="submit" class="bx-button" data-click="submit" data-step-delay="0" data-submit-jump="0"
        data-submit-force="0">SIGN ME UP</button></div>
  </div>
  <div class="bx-group bx-group-micro bx-group-1063227-B6Hxp6I bx-group-B6Hxp6I" id="bx-group-1063227-B6Hxp6I">
    <div class="bx-row bx-row-text bx-row-text-sosumi  bx-row-PqlU3Cr bx-element-1063227-PqlU3Cr" id="bx-element-1063227-PqlU3Cr">
      <div>Will be used in accordance with our</div>
    </div>
    <div class="bx-row bx-row-text bx-row-text-sosumi-link  bx-row-XAmqvwI bx-element-1063227-XAmqvwI" id="bx-element-1063227-XAmqvwI">
      <a href="http://www.condenast.com/privacy-policy/" target="_blank" class="" data-click="hyperlink" data-click-report="nothing"><div>Privacy Policy</div></a></div>
  </div><input autocomplete="carb-trap" type="input" name="carb-trap" tabindex="-1" aria-hidden="true" class="bx-input bx-carb-trap">
</form>

POST https://api.bounceexchange.com/capture/submit

<form id="bx-form-1063227-step-2" bx-novalidate="true" method="post" action="https://api.bounceexchange.com/capture/submit" onsubmit="return bouncex.submitCampaignStep(1063227); return false" onreset="bouncex.close_ad(1063227); return false"
  tabindex="0" aria-labelledby="bx-campaign-ally-title-1063227"><input type="hidden" name="campaign_id" value="1063227">
  <div class="bx-group bx-group-default bx-group-1063227-VnlQ1Q6 bx-group-VnlQ1Q6" id="bx-group-1063227-VnlQ1Q6">
    <div class="bx-row bx-row-image bx-row-image-logo  bx-row-wuBSHw3 bx-element-1063227-wuBSHw3" id="bx-element-1063227-wuBSHw3"><img src="//assets.bounceexchange.com/assets/uploads/clients/2806/creatives/78dbf26fc8687b650f46e91adf23f5fa.svg"
        alt=""></div>
  </div>
  <div class="bx-group bx-group-default bx-group-1063227-YytTDny bx-group-YytTDny" id="bx-group-1063227-YytTDny">
    <div class="bx-row bx-row-text bx-row-text-default  bx-row-73sFtao bx-element-1063227-73sFtao" id="bx-element-1063227-73sFtao">
      <div>Thanks!</div>
    </div>
    <div class="bx-row bx-row-text bx-row-text-headline  bx-row-YJNA5ZQ bx-element-1063227-YJNA5ZQ" id="bx-element-1063227-YJNA5ZQ">
      <div>You Are Successfully Subscribed</div>
    </div>
  </div>
</form>

Text Content


DECEPTION —


BEHOLD, A PASSWORD PHISHING SITE THAT CAN TRICK EVEN SAVVY USERS


JUST WHEN YOU THOUGHT YOU'D SEEN EVERY PHISHING TRICK OUT THERE, BITB COMES
ALONG.

Dan Goodin - 3/21/2022, 6:47 PM

Image credit: Getty Images

READER COMMENTS

153 with 125 posters participating, including story author


When we teach people how to avoid falling victim to phishing sites, we usually
advise closely inspecting the address bar to make sure it contains HTTPS and
that it doesn’t contain suspicious domains such as google.evildomain.com or
substitute letters such as g00gle.com. But what if someone found a way to phish
passwords using a malicious site that didn’t contain these telltale signs?

One researcher has devised a technique to do just that. He calls it a BitB,
short for "browser in the browser." It uses a fake browser window inside a real
browser window to spoof an OAuth page. Hundreds of thousands of sites use the
OAuth protocol to let visitors log in using their existing accounts with
companies like Google, Facebook, or Apple. Instead of having to create an
account on the new site, visitors can use an account that they already have—and
the magic of OAuth does the rest.



EXPLOITING TRUST

The photo editing site Canva, for instance, gives visitors the option to log in
using any of three common accounts. The images below show what a user sees after
clicking the "sign in" button; following that, the image shows what appears after
choosing to sign in with a Google password. After the user chooses Google, a new
browser window with a legitimate address opens in front of the existing Canva
window.


The OAuth protocol ensures that only Google receives the user password. Canva
never sees the credentials. Instead, OAuth securely establishes a login session
with Google and, when the username and password check out, Google provides the
visitor with a token that gives access to Canva. (Something similar happens when
a shopper chooses a payment method like PayPal.)


The BitB technique capitalizes on this scheme. Instead of opening a genuine
second browser window that’s connected to the site facilitating the login or
payment, BitB uses a series of HTML and cascading style sheets (CSS) tricks to
convincingly spoof the second window. The URL that appears there can show a
valid address, complete with a padlock and HTTPS prefix. The layout and behavior
of the window appear identical to the real thing.

A researcher using the handle mr.d0x described the technique last week. His
proof-of-concept exploit starts with a Web page showing a painstakingly accurate
spoofing of Canva. In the event a visitor chooses to log in using Apple, Google,
or Facebook, the fake Canva page opens a new page that embeds what looks like
the familiar OAuth page.

Image credit: mr.d0x

This new page is also a spoof. It includes all the graphics a person would
expect to see when using Google to log in. The page also has the legitimate
Google address displayed in what appears to be the address bar. The new window
behaves much like a browser window would if connected to a real Google OAuth
session.

If a potential victim opens the fake Canva.com page and tries to log in with
Google, “it will open a new browser window and go to [what appears to be] the
URL accounts.google.com,” mr.d0x wrote in a message. In actuality, the fake
Canva site “doesn’t open a new browser window. It makes it LOOK like a new
browser window was opened but it’s only HTML/CSS. Now that fake window sets the
URL to accounts.google.com, but that's an illusion.”


MALVERTISERS: PLEASE DON'T READ THIS

A fellow security researcher was impressed enough by the demonstration to create
a YouTube video that more vividly shows what the technique looks like. It also
explains how the technique works and how easy it is to carry out.



Browser in the Browser (BITB) Phishing Technique - Created by mr.d0x

The BitB technique is simple and effective enough that it’s surprising it isn’t
better known. After mr.d0x wrote about the technique, a small chorus of fellow
researchers remarked how likely it would be for even more experienced Web users
to fall for the trick. (mr.d0x has made proof-of-concept templates available
here.)

“This browser-in-the-browser attack is perfect for phishing,” one developer
wrote. “If you're involved in malvertising, please don't read this. We don't
want to give you ideas.”

“Ooh that’s nasty: Browser In The Browser (BITB) Attack, a new phishing
technique that allows stealing credentials that even a web professional can’t
detect,” another person said.




The technique has been actively used in the wild at least once before. As
security firm Zscaler reported in 2020, scammers used a BitB attack in an
attempt to steal credentials for video game distribution service Steam.

Image credit: Zscaler

While the method is convincing, it has a few weaknesses that should give savvy
visitors a foolproof way to detect that something is amiss. Genuine OAuth or
payment windows are in fact separate browser instances that are distinct from
the primary page. That means a user can resize them and move them anywhere on
the monitor, including outside the primary window.

BitB windows, by contrast, aren’t a separate browser instance at all. Instead,
they’re images rendered by custom HTML and CSS and contained in the primary
window. That means the fake pages can’t be resized, fully maximized or dragged
outside the primary window.

Unfortunately, as mr.d0x pointed out, these checks might be difficult to teach
“because now we move away from the ‘check the URL’” advice that’s standard.
“You’re teaching users to do something they never do.”

All users should protect their accounts with two-factor authentication. One
other thing more experienced users can do is right-click on the popup page and
choose "inspect." If the window is a BitB spawn, its URL will be hardcoded into
the HTML.
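The "inspect" check above can be automated for pages that have already been fetched, for instance by a URL-scanning pipeline like the one that captured this page. The following is an added example, not code from the article or from mr.d0x's proof of concept: it walks the rendered text of a page and flags any identity-provider URL or hostname that appears as page content rather than as the real location, which is exactly the hardcoded address bar the paragraph describes. The provider hostnames in IDP_HOSTS, both sample pages, and the look-alike host canva-login.example are constructed assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser

# Identity providers whose sign-in windows a BitB page imitates. The article
# names Google, Apple and Facebook; the exact hostnames are assumptions.
IDP_HOSTS = {
    "accounts.google.com",
    "appleid.apple.com",
    "www.facebook.com",
}

# An absolute URL or bare hostname sitting inside rendered text.
URL_OR_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

# Void elements never get a closing tag, so they must not go on the parent stack.
VOID_TAGS = {"img", "input", "br", "hr", "meta", "link"}


class VisibleTextCollector(HTMLParser):
    """Collect what a visitor actually sees: text nodes outside <script>/<style>
    plus attribute values browsers render (input value/placeholder, alt, title).
    href/src attributes are deliberately ignored: a genuine OAuth button links to
    the provider, it does not draw the provider's address as page content."""

    def __init__(self):
        super().__init__()
        self._stack = []      # open ancestor tags, used to report where text sits
        self._skip = 0        # >0 while inside <script> or <style>
        self.snippets = []    # (location description, text)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag not in VOID_TAGS:
            self._stack.append(tag)
        for key, value in attrs:
            if key in ("value", "placeholder", "alt", "title") and value:
                self.snippets.append((f"<{tag} {key}>", value))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        if self._skip:
            return
        text = " ".join(data.split())
        if text:
            parent = self._stack[-1] if self._stack else "root"
            self.snippets.append((f"<{parent}>", text))


def find_bitb_indicators(html, page_host):
    """Return provider URLs/hosts rendered as content on a page served from a
    different host. A real popup's address bar is browser chrome, not HTML, so it
    never shows up in the page source; a BitB window has to paint it itself."""
    collector = VisibleTextCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for where, text in collector.snippets:
        for match in URL_OR_HOST.finditer(text):
            host = match.group(1).lower()
            if host in IDP_HOSTS and host != page_host.lower():
                findings.append({"where": where, "displayed_host": host, "text": text})
    return findings


# Constructed sample of a BitB-style page: the "window" is ordinary HTML with a
# fake title bar and a fake address bar, served from a hypothetical look-alike host.
FAKE_WINDOW_HTML = """
<div class="fake-window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar"><img src="lock.svg" alt=""> https://accounts.google.com/o/oauth2/auth?client_id=canva</div>
  <div class="body">
    <h1>Sign in</h1>
    <input type="email" placeholder="Email or phone">
    <input type="password" placeholder="Enter your password">
  </div>
</div>
"""

# Constructed sample of a legitimate login page: the provider URL appears only
# in hrefs, because the real flow navigates a real window to the provider.
LEGIT_HTML = """
<h2>Log in to Canva</h2>
<a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=canva">Continue with Google</a>
<a href="https://appleid.apple.com/auth/authorize">Continue with Apple</a>
"""

if __name__ == "__main__":
    for label, html, host in (("fake", FAKE_WINDOW_HTML, "canva-login.example"),
                              ("legit", LEGIT_HTML, "www.canva.com")):
        print(label, find_bitb_indicators(html, host))
```

The heuristic is intentionally narrow: it only fires when a provider's address is drawn as text on a page that is not the provider, so scanning accounts.google.com itself produces nothing. Help pages that mention a provider hostname in prose will also trigger it, so treat a hit as a reason to look at the page, not as proof of phishing.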

It wouldn’t be surprising to find that the BitB technique has been more widely
used, but the reaction mr.d0x received demonstrates that many security defenders
aren't aware of BitB. And that means plenty of end users aren’t, either.


Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg News, and other
publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001

© 2022 Condé Nast. All rights reserved.