A browser-in-the-browser (BitB) attack - Cyber Advisory

A Browser-in-the-Browser (BitB) attack is a sophisticated cyber threat involving injecting malicious code into a victim's web browser.
By
CTM360 Team
November 13, 2023
1 mins read
A browser-in-the-browser (BitB) attack - Cyber Advisory
background-graphics

What’s on this page

Overview
CTM360’s observation of the trend
Recommendations

A Browser-in-the-Browser (BitB) attack is a sophisticated cyber threat involving injecting malicious code into a victim's web browser.

Threat Overview:

This code creates a secondary browser within the victim's existing browser, allowing the attacker to manipulate web content, intercept network requests, and potentially gain control over the victim's browser and system. Understanding the BitB attack is crucial for organizations to develop effective mitigation strategies.

screenshot 2023 11 13 at 11 58 48 am

   Once the website is opened, it appears as shown above (this will be the first step).

screenshot 2023 11 13 at 12 02 39 pm

After enforcing the Full-screen display mode, only the inner browser will appear with the customized URL by the attacker.

Real-Case Scenarios of BitB Attacks:

CTM360 recently observed ongoing attack campaigns utilizing the BitB technique targeting ministries and government websites, specifically the interior ministries.

In the previously mentioned scenario, the official website of MOI Singapore remains unaffected and secure. However, the threat actor is carrying out a phishing attack by creating a fake website. Within this fraudulent site, instead of using traditional phishing methods, such as fake forms or malicious content, the attacker employs a fake browser interface within the phishing site, which appears to be the genuine site for MOI. When the victim accesses the site, they are presented with a full-screen display mode of this embedded browser, which tricks them into submitting their sensitive information.

Attack Methodology

To execute a Browser-in-the-Browser (BitB) attack, the attacker employs tactics to lure the user into visiting a malicious or compromised website. This website contains a phishing page hosted on the attacker's server. The phishing page utilizes JavaScript code to create a simulated browser window, simulating the appearance and behavior of a legitimate browser window. Within this simulated window, various types of fraudulent activities can be displayed.

Moreover, the simulated window displays a URL of the attacker's choice, such as https://accounts.google.com or https://login.microsoftonline.com. This is achieved by modifying the simulated address bar of the pop-up window using JavaScript. It may appear to the user that the specified URL is loaded within the pop-up window, but in reality, it is only shown as an image or text. The user may not notice the absence of SSL certificates or other security indicators typically present in a genuine browser window due to the full-screen display mode, which blocks the appearance of the main website’s URL due to the full-screen display model.

If the user falls victim to the BitB attack and enters their login credentials into the fake login form, the information is sent to the attacker's server via an AJAX request or a concealed form submission. Subsequently, the attacker gains access to the user's account on the legitimate service or proceeds with additional malicious activities such as identity theft or account takeover.

Potential Threats

Browser-in-the-Browser (BitB) attacks pose several potential threats and risks to victims. Here are some of the common threats associated with BitB attacks:

  • Data Theft: Attackers can exploit BitB attacks to steal sensitive information, such as login credentials, financial details, personal data, or intellectual property. This stolen data can be used for identity theft, financial fraud, or sold on the dark web.
  • Account Takeover: By manipulating the victim's browser and intercepting login credentials, BitB attacks can lead to unauthorized access to the victim's online accounts. Attackers may gain control over email accounts, social media profiles, online banking, or other services, enabling them to impersonate the victim or perform malicious activities.
  • Malware Distribution: BitB attacks can be used as a vector to distribute malware onto the victim's system. The secondary browser created by the attacker can be used to download and execute malicious software, potentially leading to further compromise of the victim's device and sensitive data.
  • Phishing and Social Engineering: Attackers can utilize BitB attacks to create convincing phishing scenarios. By simulating legitimate websites or services, they trick users into entering their login credentials or other sensitive information, which the attacker then captures and exploits.

Mitigation

The BitB attack is a tricky and risky phishing technique that can trick even careful users and bypass typical security measures. However, there are steps you can take to protect yourself from this attack:

  • Be cautious of full-screen prompts: Exercise caution if a website unexpectedly opens a full-screen prompt or overlay. Take a moment to assess the situation and ensure that you are interacting with a legitimate website before entering any sensitive information.
  • Be vigilant about website URLs: Pay close attention to the URL before entering any sensitive information. Check for any discrepancies or variations in the domain name or spelling that may indicate a phishing site.
  • Pay attention to the details of the pop-up window, such as the size, position, appearance, and behavior of the elements. If something looks off or unusual, you should close the window and report it.
  • Use a security-focused browser extension that can detect and block such phishing attempts automatically.
  • Keep your browser up to date with the latest security patches and update whenever prompted by your browser.
  • Make sure you have 2FA enabled for all of your critical services.

CTM360 is actively monitoring this phishing campaign and taking the necessary action by disrupting the attack and suspending the malicious site/domain. If you encounter any of such malicious sites, please report it to business@ctm360.com.

References

Recent Blogs

Overview:

CTM360 has discovered a new variation of scam tactics using Telegram Mini Apps and social media ads in a Ponzi-style scheme. Scammers impersonate financial institutions, leveraging Meta Ads, Telegram Ads, and fake social media accounts to lure victims into fraudulent investment platforms.

These platforms, embedded within Telegram, present a polished interface that mimics legitimate trading sites. Victims are enticed with promises of high returns, referral bonuses, and exclusive investment opportunities. Once inside, they are encouraged to deposit cryptocurrency, believing they are engaging in real trading. However, withdrawals are consistently blocked when users attempt to cash out.

CTM360 Observations

Resource Development

Telegram Mini App

  • A Mini App in Telegram is a lightweight web application that runs within the Telegram interface, allowing users to interact with services like payments, games, or trading platforms without leaving the app.
  • Scammers embed these fake websites inside Telegram Mini Apps, making them accessible within Telegram itself.
  • Users interact with the fake platform through Telegram bots keeping them within the scam ecosystem.

Scammers also create fake websites with dedicated domains that mimic real platforms, solely for fraudulent trading, deposits, and referral scams.

Trigger

Scammers lure victims with false promises of high, risk-free returns, financial incentives like bonuses and referral rewards, and fake branding to appear credible. They create urgency with limited-time offers and countdowns to pressure quick investments.

Distribution

Scammers spread the fraud across multiple platforms:

  • Meta & Telegram Ads – Paid ads and channels drive users to fake trading platforms.
  • Telegram Bots & Channels – Used to lure victims into scam sites and mini-apps.
  • Social Media & Messaging Apps – Victims unknowingly spread the scam by inviting friends for bonuses.

By using ads, fake profiles, and victim referrals, scammers rapidly expand their reach.

Target Interaction

Impersonated and Bogus Profiles

  • Fake social media accounts are created to promote, manage and provide fake customer service to the victims
  • We have also noticed scammers impersonating financial institutions, investment platforms and other industry organizations on Telegram to lure victims.

Impersonated or Bogus Websites embedded within Telegram Mini App

  • The scam operates within a Telegram Mini App, where victims are redirected to the fake investment website.
  • The Mini App will retrieve victim’s Telegram  details  and allow them  quick access on these fake websites without sign-up. 
  • Upon sign-up,  victims are requested to deposit funds and trade but withdrawals are blocked.

Motive

  • PII Harvesting – Scammers collects your email address, phone number, Telegram IDs during the sign up process. 

Monetization

  • Payments to Cryptocurrency Wallets – Victims are tricked into transferring funds via cryptocurrency (e.g., USDT, BNB, TRX) to scam-controlled wallets.
  • Selling Data on the Dark Web – The stolen credentials, Telegram IDs, emails, and phone numbers can likely be sold on underground forums or leveraged for future cyber criminal activities

Recommendations

For Individuals:

  • Avoid Telegram Mini Apps for Trading – Scammers use them to bypass security measures.
  • Verify Websites & Domains – Always check official sources before engaging in financial transactions.
  • Use 2FA on All Accounts – Protect Telegram and crypto wallets from unauthorized access.
  • Never transfer funds to an account without verifying the purpose and recipient independently.

For Businesses:

  • Scan social media, Telegram, and ad networks for scams related to your brand and report them accordingly. 
  • Work with platforms to remove and takedown fraudulent sites.
  • Educate and warn users on common fraud schemes.

Disclaimer

The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness. Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents, or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential, or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption…etc., arising out of or in connection with this advisory.

For more information:

Email: monitor@ctm360.com Tel: (+973) 77 360 360

Summary:

In December 2024, hackers compromised at least 35 Google Chrome extensions, affecting approximately 2.6 million users. The attack exploited phishing emails sent to developers, masquerading as Google policy violation notices. These emails tricked developers into granting permissions to a malicious OAuth application named

“Privacy Policy Extension.

” Once authorized, the attackers gained control over the extensions, injecting malicious code to steal user data, particularly targeting Facebook credentials and business accounts. Browser extensions can significantly enhance productivity by adding new features to web browsers like Microsoft Edge and Google Chrome. However, they also pose significant security risks, as malicious or compromised extensions can lead to data breaches, malware infections, and unauthorized access to corporate networks. It is crucial for organizations to control, block, or manage browser extensions to minimize security risks, particularly in an enterprise environment. This advisory outlines the steps to block and protect browser extensions for Microsoft Edge and Google Chrome, and it also includes specific guidance on managing extensions using Microsoft Intune.

Risks Associated With Browser Extensions

Data Exposure: Some extensions can access sensitive data (e.g., browsing history, credentials, and files), potentially exposing confidential information.

Malicious Extensions: Cybercriminals can create or compromise extensions, making them a vector for malware distribution or data exfiltration.

Phishing Risks: Extensions may manipulate web content, tricking users into providing sensitive information.

Performance Degradation: Some poorly coded extensions can slow down browsers or degrade system performance.

Managing Browser Extensions Using Group Policy

A. Microsoft Edge

Using Group Policy (Windows)

1. Open the Group Policy Management Console (GPMC).

2. Navigate to:  Computer Configuration > Administrative Templates > Microsoft Edge > Extensions

3. Set the following policies:

a. Control which extensions are installed silently: Specify allowed extensions by adding their extension IDs.

b. Configure extension management settings: T o block all extensions, set this policy to "*" (deny all).

c. Configure the list of force-installed extensions: If any extension is necessary for business, add the corresponding extension ID here.

B. Google Chrome

Using Group Policy (Windows)

1. Open the Group Policy Editor.

2. Navigate to: Computer Configuration > Administrative Templates > Google > Google Chrome > Extensions

3. Set the following policies:

a. Block external extensions: Set the policy to block all extensions unless specifically allowed by adding the extension IDs.

b. Configure extension install allow list: If certain extensions are necessary, add their extension IDs here.

c. Configure extension install blocklist: Add a wildcard"*" to block all extensions.

Managing Browser Extensions Using Microsoft Intune

Organizations using Microsoft Intune for endpoint management can apply policies to control browser extension installations across all managed devices. This approach is particularly useful for managing large numbers of endpoints efficiently.

Blocking Extensions in Microsoft Edge Using Intune

1. Sign in to Microsoft Endpoint Manager Admin Center.

2. Navigate to: Devices > Configuration profiles > Create profile

3. Choose:

a. Platform: Windows 10 and later.

b. Profile type: Settings catalog.

4. In the Configuration settings, search for Extensions under Microsoft Edge:

a. Allow specific extensions to be installed (User): Specify allowed extension IDs

b. Control which extensions cannot be installed (User): Add a wildcard"*" to block all extensions.

5. Assign this profile to your target groups (specific users or devices).

Blocking Extensions in Google Chrome Using Intune

1. Sign in to Microsoft Endpoint Manager Admin Center.

2. Navigate to: Devices > Configuration profiles > Create profile

3. Choose:

a. Platform: Windows 10 and later.

b. Profile type: Settings catalog.

4. In the Configuration settings, search for Extensions under Google Chrome\Extensions:

a. Configure extension installation allow list (User): Specify allowed extension IDs

b. Configure extension installation blocklist: Add a wildcard"*" to block all extensions.

5. Assign this profile to your target groups (specific users or devices).

Note: These steps are mentioned for user-based controls. Similar configuration steps can be applied for device-based controls.

Best Practices for Managing Browser Extensions

Audit Extensions Regularly: Regularly audit the extensions installed on users’ browsers to detect unauthorized or risky extensions.

User Training: Educate users about the risks associated with browser extensions and how to identify malicious ones.

Implement a Zero-Trust Model: Always assume that extensions can potentially be compromised. Apply the principle of least privilege when granting extension permissions.

Use Security Solutions: Consider deploying security solutions that can monitor and block malicious browser activities, including suspicious extension behavior.

Conclusion

Controlling browser extensions in Microsoft Edge and Google Chrome is a critical aspect of securing enterprise endpoints. By implementing the steps outlined above, organizations can significantly reduce the risks associated with browser extensions. Whether you manage your endpoints using Group Policy or Microsoft Intune, these controls can help protect your network from potential extension-related threats. By following this advisory, organizations can take proactive steps to mitigate browser extension risks, enhancing their overall cybersecurity posture.

Reference:

https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/

https://learn.microsoft.com/en-us/defender-endpoint/manage-profiles-approve-sys-extensions-intune

https://gbhackers.com/malicious-editthiscookie-extension/#google_vignette

Disclaimer

The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness. Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents, or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential, or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption…etc., arising out of or in connection with this advisory.

For more information:

Email: monitor@ctm360.com Tel: (+973) 77 360 360

SolarWinds - an American software vendor for managing networks and infrastructure has been breached. Orion, a network monitoring product was modified by a state-sponsored threat actor via embedding backdoor code into a legitimate SolarWinds library. This allowed remote access into the victim’s environment and a foothold in their networks; this enabled attacker to obtain privileged credentials.

The SolarWinds Orion products are designed to monitor the networks of systems and report on any security issues. Due to this, there are no comparable limiting boundaries on the scope or potential security impact; this has been made clear by the gradual revelation of more and more high-value targets. Even more worrisome is the fact that the attackers apparently made use of their initial access to targeted organizations, such as FireEye and Microsoft, to compromise tools and code that would then enable them to target other victims. After Microsoft discovered that they were breached via the SolarWinds compromise, they further discovered that their own products were then used “to further the attacks on others.”

The attack was initially disclosed by the cybersecurity firm, FireEye, as early as December 8th but published publicly on 13th. It was revealed that the attack on SolarWinds was conducted by an unknown APT (Advanced Persistent Threat) group. They were able to steal Red Team assessment tools, similarly, used by FireEye to probe its customers’ security. FireEye has made its countermeasures freely available on GitHub.

According to Microsoft, hackers acquired superuser access to SAML token-signing certificates. This SAML certificate was then used to forge new tokens to allow hackers to obtain trusted and highly privileged access to networks.

While analyzing further on this attack, it was discovered that there was another backdoor likely from a second threat actor. This malware was dubbed as SUPERNOVA. This was a web shell planted in the code of the Orion network and applications monitoring platform and enabled attackers to run arbitrary code on machines running the trojanized version of the software.

pic1

Hackers inserted malicious code into an updated version of the software, called Orion. Approximately 18,000 SolarWinds customers installed tainted updates, between March and June 2020, onto their systems. The malware was inserted in these Orion app versions:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

This disclosure was followed by a coordinated report issued by Microsoft, FireEye, SolarWinds, and the U.S. government. The report concluded that SolarWinds had been targeted by threat actors who aimed to gather undisclosed information from major customers of theirs, including FireEye.

Compromise: What is Known so Far

A key indicator of the attack was the conceived backdoor that was able to gain access to and breach the SolarWinds Orion build system. This backdoor was attached to the said system by rescripting the legitimate SolarWinds.Orion.Core.BusinessLayer.dll DLL file. This file was then distributed to SolarWinds’ clients in a supply chain attack. This was achieved due to an automatic update platform used to dispense new software updates; clients were unaware of this taking place.

According to reports, the threat actors may have performed trial runs of the distribution method as early as October 2019. Researchers believe that the attackers had already compromised networks previously; it is suggested that they had harvested information or performed other malicious activities silently for months. Due to this, FireEye eventually detected that they were hacked after the threat actors registered a device to the company’s multi-factor authentication (MFA) system using stolen credentials. The alert from the system, regarding an unknown device, was able to notify FireEye of the compromise.

Recommendations

Urgently update any exploited SolarWinds Orion software to Orion Platform version 2020.2.1 HF 2 and Orion Platform 2019.4 HF 6

Third party vendors who may be susceptible to exposure of this compromise should report as part of responsible disclosure and urgently remediate.

In case of possible exposure devise an incident response plan.

Prioritize the TTPs leveraged by the threat actor mapped to mitre att&ck. This is available in Adversary Intelligence within CTM360’s CyberBlindspot.