Background
Recently, the cyber threat actor known as UNC 1151 group was spotted to use the Browser in the Browser (BitB) technique in its campaigns. This technique is used for phishing attacks by displaying a new browser window containing a fake login panel on the visited website. The window is so carefully crafted that it may be difficult for victims to distinguish it from the real one as many websites, such as Twitter, display a similar login window for users who log in with their Google accounts. The actor uses a phishing email to entice victims to access a hijacked website before redirecting them to the target page that phishes for their login credentials. This article analyzes and explores the BitB technique used in these campaigns.
| Group Name | Ghostwriter |
| Group Code | UNC 1151 |
| Tactic Label | Initial access |
| Technique Label | Phishing, browser forgery, BitB |
| Intelligence Source | https://cert.pl/posts/2022/07/techniki-unc1151/ https://cert.pl/posts/2022/04/ataki-browser-in-the-browser/ https://mrd0x.com/browser-in-the-browser-phishing-attack/ |
Attack Technique Analysis
The BitB technique makes phishing pages look more authentic. The APT group has created multiple phishing websites. Some of the login pages are as follows:
As shown in the preceding figures, the URL of the phishing website is displayed on the top of the window, which contains a small login window that shows a legitimate URL link.
In conventional phishing attacks, hackers usually forge URLs that look much similar to real ones to facilitate deception.
In this attack, the perpetrator embedded a small login window in phishing websites by using the BitB technique. The URL displayed in the login window is the real address of the website, misleading victims to believe that this is a legitimate website. In fact, many websites display such pop-up windows for users to type their login credentials. In this sense, the new trick leverages victims’ habit of Internet use, greatly increasing the chances of success.
The Principle of BitB
The BitB attack technique uses the <iframe> tag of HTML to specify an inline frame, which embeds the address of a phishing website. This, together with JavaScript, can create a URL that looks exactly the same as the real one.
Based on the reference documents and related source code, we are able to reproduce the attack process as follows:
Type the forged URL, path, and phishing link in HTML.
As shown in the following figure, a fake phishing URL is displayed in the address bar. Victims are tricked into accessing this phishing website and then redirected to the login page, typing their user names and passwords, thus taking the bait.
Conclusion
For users, it is difficult to distinguish between what is displayed by a browser window and a UI element. When logging into a website, users should remember to check the URL in the outer browser to avoid leaking sensitive account information.
Since the BitB technique is extremely deceptive and easy to implement, there is a strong likelihood of being used by many other hacking groups and advanced persistent threat (APT) groups.
NSFOCUS delivers a holistic suite of security products powered by industry leading threat intelligence. These security products work in concert to protect you from massive volumetric DDoS attacks, Web threats and advanced persistent threats (APTs).
