Browser In The Browser (BITB) Attack

If I ask you, which one is real (1 or 2)?

I am sure you are shocked by the second picture: how was this guy able to develop this phishing technique?

As he mentioned, the technique is simple but effective.

Let us figure out how it works!

I used mr.d0x's template on GitHub to find out how he was able to create a pop-up window that shows a legitimate URL while forwarding us to a phishing page.

Guess what I found: the window is divided into 3 parts (title bar, URL bar, iframe).

The title bar and URL bar are drawn by the style.css file; even the SSL lock is just a picture.

The final part is the iframe. It contains the malicious or phishing URL that the attacker may use to steal your credentials.

# How can we protect ourselves from this technique?

  • Check whether any URL on the page does not belong to the main site or to the real authentication domain.
  • Try to drag the pop-up OUTSIDE OF the content area of the page first: a real pop-up is a separate browser window and can be moved past the edge of the page, while the fake one is just an element inside the page and gets clipped at its border.
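The first check can be automated on the defender's side, because a BITB window is ordinary page markup: the URL painted in its fake address bar is just text, and it can be compared with the real `src` of the iframe underneath. The following is an added example, not code from the original post or from mr.d0x's template. The page origin `https://shop.example`, the identity-provider origin `https://accounts.idp.example` and the lookalike host in the sample document are constructed assumptions; the stub document stands in for a real `document` so the script runs outside a browser.

```javascript
// Added example (not from the original post or the BITB template).
// Defender-side audit: compare the URL text shown next to each iframe with
// the origin the iframe really loads, and flag any disagreement.

// ASSUMED values for the site being audited: its own origin and the identity
// providers whose sign-in pop-ups it legitimately embeds.
const PAGE_ORIGIN = 'https://shop.example';
const TRUSTED_LOGIN_ORIGINS = new Set(['https://accounts.idp.example']);

// Return the origin of an http(s) URL, resolving relative URLs against `base`
// when one is given; null for anything else (javascript:, data:, garbage).
// Uses the WHATWG URL class, which is global in browsers and in Node.
function originOf(text, base) {
  try {
    const u = base ? new URL(String(text).trim(), base) : new URL(String(text).trim());
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.origin : null;
  } catch {
    return null;
  }
}

// The painted address bar is usually a plain element holding the spoofed URL
// as text, so pull the first http(s) token out of free text.
function firstUrlInText(text) {
  const m = /https?:\/\/[^\s"'<>]+/i.exec(text || '');
  return m ? m[0] : null;
}

// One descriptor per iframe: the src it really loads plus any URL text found
// in its container (the fake chrome wrapped around it). Works on a real
// `document` or on any object exposing querySelectorAll('iframe').
function extractWindows(doc) {
  return Array.from(doc.querySelectorAll('iframe')).map((frame) => ({
    frameSrc: frame.getAttribute('src') || '',
    displayedUrl: firstUrlInText(frame.parentElement ? frame.parentElement.textContent : ''),
  }));
}

// Verdicts:
//  - non-http-frame-src: the iframe does not load an http(s) URL at all
//  - address-bar-mismatch: painted URL and real iframe origin disagree
//  - untrusted-frame-origin: iframe origin is neither this page nor a known IdP
function auditFakeWindows(windowsOnPage) {
  const findings = [];
  for (const w of windowsOnPage) {
    const shown = originOf(w.displayedUrl);          // what the user is told
    const real = originOf(w.frameSrc, PAGE_ORIGIN);  // what actually loads
    if (real === null) {
      findings.push({ ...w, verdict: 'non-http-frame-src' });
    } else if (shown !== null && shown !== real) {
      findings.push({ ...w, verdict: 'address-bar-mismatch', shown, real });
    } else if (real !== PAGE_ORIGIN && !TRUSTED_LOGIN_ORIGINS.has(real)) {
      findings.push({ ...w, verdict: 'untrusted-frame-origin', real });
    }
  }
  return findings;
}

// Constructed stand-in for a document so the example runs offline.
// Frame 1 mimics a BITB window: the painted bar claims the IdP, the iframe
// loads a lookalike host. Frames 2 and 3 are benign.
function makeFrame(src, containerText) {
  return {
    parentElement: { textContent: containerText },
    getAttribute: (name) => (name === 'src' ? src : null),
  };
}
const SAMPLE_DOC = {
  frames: [
    makeFrame('https://login.lookalike.example/', 'https://accounts.idp.example/signin  Sign in'),
    makeFrame('/help/embedded', 'Help centre'),
    makeFrame('https://accounts.idp.example/oauth', 'https://accounts.idp.example/oauth'),
  ],
  querySelectorAll(selector) {
    return selector === 'iframe' ? this.frames : [];
  },
};

console.log(auditFakeWindows(extractWindows(SAMPLE_DOC)));
```

Run against a live page by passing `document` to `extractWindows`; the same-origin and trusted-IdP lists have to be filled in per site, and the text heuristic will only catch a fake bar that spells out a full URL, which is exactly what the template does to look convincing.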
