fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Phishing Toolkit Lets Anyone Create Fake Chrome Browser Windows

New Phishing Toolkit Lets Anyone Create Fake Chrome Browser Windows

A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows.

When signing into websites, it is common to see the option to sign with Google, Microsoft, Apple, Twitter, or even Steam.

For example, the login form for DropBox allows you to login using an Apple or Google account, as shown below.

DropBox login form
DropBox login form

When clicking the Login in Google or App buttons, a single-sign-on (SSO) browser window will be displayed, prompting you to enter your credentials and login with the account.

These Windows are stripped down to only show the login form and an address bar showing the URL of the login form.

Also Read: PDPA compliance for the social service sector

Legitimate sign in with Google window
Legitimate sign in with Google window

While this address bar is disabled in these SSO windows, you can still use the displayed URL to verify that a legitimate google.com domain is being used to sign you into the site. This URL further adds to the trust of the form and will make you feel comfortable entering your login credentials.

Threat actors have attempted to create these fake SSO windows using HTML, CSS, and JavaScript in the past, but there is usually something a little off about the windows, making them look suspicious.

Introducing Browser in the Browser attacks

This is where a new “Browser in the Browser (BitB) Attack” comes into play that uses premade templates to create fake but realistic, Chrome popup windows that includes custom address URLs and titles that can be used in phishing attacks.

Basically, this attack creates fake browser windows within real browser windows (Browser in the Browser) to create convincing phishing attacks.

The Browser in the Browser attack templates was created by security researcher mr.d0x, who released the templates on GitHub. These templates include those for Google Chrome for Windows and Mac and dark and light mode variants.

Also Read: Email spoofing: Avoiding them through good cyber hygiene practices

Example BitB Chrome phishing windows for Facebook
Example BitB Chrome phishing windows for Facebook
Source: mr.d0x 

mr.d0x told BleepingComputer that the templates are very simple to use in creating convincing Chrome windows to display single sign-on login forms for any online platform.

The researcher said that redteamers could simply download the templates, edit them to contain the desired URL and Window title, and then use an iframe to display the login form.

It is also possible to add the HTML for the login form directly into the template, but mr.d0x told BleepingComputer that you would need to align the form properly using CSS and HTML.

Kuba Gretzky, the creator of the Evilginx phishing toolkit, tested the new method and showed how it worked perfectly with the Evilginx platform, meaning it could be adapted to steal 2FA keys during phishing attacks.

mr.d0x told BleepingComputer that this is not a new technique and that Zscaler reported it being used by fake gaming sites in 2020 to steal Steam credentials.

However, now that premade templates for fake Chrome windows are available, redteamers can use them to create convincing phishing sign-in forms to test the defense of their clients or their own company’s employees.

For those who wish to try out the new Browser in the Browser phishing attack, you can grab the templates from GitHub.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us