Browser in the Browser (BITB) Phishing Technique - Created by mr.d0x

As cybersecurity professionals, we constantly educate users to review the URL before interacting with a website. This Browser in the Browser technique created by mr.d0x is one way that this advice can be abused and used against us.
Disclaimer: This content is intended to be consumed by cyber security professionals, ethical hackers, and penetration testers. Any attacks performed in this video should only be performed in environments that you control or have explicit permission to perform them on.
00:00 - Intro
01:00 - Explaining BITB
02:45 - Initial Landing Page
04:40 - Performing BITB
08:50 - Final Thoughts
Blog post mentioned in video:
mrd0x.com/browser-in-the-brow...
mr.d0x's Twitter:
/ mrd0x

Comments: 115

  • @phionababirye1494
    2 years ago

    I saw it on Twitter but I just wanted a clear demo and this is it, brilliant technique

  • @dashcamdiariessa
    2 years ago

    This is scary real, and it can be modified so much that the average person, maybe even some people like us wouldn’t even know the difference. The scariest one I have come across is a redirect that takes you to your already signed in page, hijacks the cookie session with Microsoft oauth and sends it back to the CNC

  • @beamboyz4901

    2 years ago

    People have been making crypto scam pages and using the turtwalet pop up to steal your info its crazy cheat to buy the pages not just one all of the top 100 company in crypto pack is being sold for 200 USD en

  • @mohamedsantuur9794

    1 year ago

    Ab

  • @alfredoneves3976
    2 years ago

    very cool, normally the url tells the target that the page is fake but this can work better

  • @-jamiestorch-4562
    2 years ago

    Hi there. This is a pretty cool phish. Almost anyone would be fooled and phished by this. I would like to see more stuff like this and gophish.

  • @billyjbryant
    2 years ago

    Brilliant technique, thanks for doing the video demonstrating it in action. Great work.

  • @InfiniteLogins

    2 years ago

    I appreciate you 🙏

  • @dawnS33ker
    1 year ago

    I would love to see a video on setting up a phishing website. That would be awesome.

  • @chrismagistrado6014
    2 years ago

    Amazing! Great technique! Thanks for sharing via a video!

  • @InfiniteLogins

    2 years ago

    I appreciate you 🙏

  • @skybreaker022
    2 years ago

    Great video and informative ! Thanks 👍

  • @InfiniteLogins

    2 years ago

    Thank you!

  • @NateClay
    1 year ago

    This is why I always go to the direct company website, never opening email links or messages from anywhere else.

  • @jminormedia1025
    2 years ago

    😳 This is worrisome!!

  • @cussonspride7514
    1 year ago

    Thanks for the share

  • @arooobine
    2 years ago

    So if I understand correctly, the way to detect this is to check if you can drag the OAuth window outside of the parent window. If you can't, it's a fake window. Correct?

  • @jesjames

    2 years ago

    Correct. It's a simple DIV container that looks like a new browser window. So, as you correctly understood, you can't drag this login popup on a second monitor.

  • @InfiniteLogins

    2 years ago

    That's a pretty quick check that is simple enough to train!

  • @billspaced

    2 years ago

    @@InfiniteLogins How about don't ever log into a site like "canva" using credentials from another (way more important) site?

  • @mariad6519

    5 months ago

    @@jesjames Well, most of us don't have a second monitor... How do we recognize it? That wasn't actually addressed in the entire video, either... In fact, I've already wasted my time watching a few videos on this topic and they're all useless.

  • @jesjames

    5 months ago

    @@mariad6519 I said second monitor to explain the test you could do. On a single monitor you just have to reduce the main browser window and you shouldn't be able to drag it out of that

  • @Danny-we4vz
    1 year ago

    I experienced this over a year ago from a phishing site pretending to be Steam with fake popup logins. I found it pretty amusing, as someone must have put a lot of effort into mimicking the frontend.

  • @j.harbers
    2 years ago

    I think I'm witnessing a phishing revolution here. I am an ICT student and as a part-time job I help the elderly with their computers. I think I should start warning them about this technique... We're going to see this a lot in the future, because I don't see a very simple way how to patch this.

  • @Ken.-

    2 years ago

    Euthanasia

  • @j.harbers

    2 years ago

    @@Ken.- the elderly or me 😂

  • @SierraSierraFoxtrot
    2 years ago

    I can't believe no one has thought of this before!

  • @InfiniteLogins

    2 years ago

    I'm sure others have. This is the first I've seen though

  • @ps-ib6ct
    2 years ago

    While reading the article on arstech I actually had to think a moment what's the vector of attack here. I mean, this is so simple and seamless and yet very effective.

  • @InfiniteLogins

    2 years ago

    Super simple. That's what makes this so cool! But scary..

  • @johnwatts8900
    2 years ago

    Hey.. Thx alot for the great content. Just stumbled across your channel and subbed 🙂 Like the sound of your keyboard. What keyboard is it, and what keys is on it. Thx again for the content.

  • @InfiniteLogins

    2 years ago

    It's just a basic clicky keyboard. I think brand is "bloody"

  • @neverlookbackwilly
    4 months ago

    3:33 that was exactly the purpose of my click, ngl using it for evil is another thing, but I wanted to know how to do it...

  • @dusansedlacik5864
    2 years ago

    All you have to do is advise users to try pulling a "pop-up" out of the browser ...

  • @InfiniteLogins

    2 years ago

    Good advice!

  • @devids8033
    2 years ago

    It shows a blank page if used on mobile phone, only displays on PC

  • @houdammari9809
    2 years ago

    Imagine This With Autofill 🤯

  • @mohamedmahmoudkeddamadi5355
    2 years ago

    The only solution is just to copy each time the link of the popup and paste it and open it in the browser to see if it is valid or not, stay safe.

  • @vinaygowda3562
    2 years ago

    Hi Team could you please share the report for this Browser in the Browser (BITB) Phishing Technique

  • @saibrin1283
    2 years ago

    I think if the page will accept any value, in this case we know if it's fake or not

  • @InfiniteLogins

    2 years ago

    Good point. Some phishing sites I've seen will actually always say "incorrect password" in hopes to get you to try entering other passwords you use.

  • @nazir309
    2 years ago

    One way to be safe is to always provide wrong password in first try - if wrong password is verified successfully, it means it's not a genuine website. And why not make a habit to always enter wrong user name and password on first try.

  • @cybersec0x004

    2 years ago

    Yep, that's a good point but for this particular reason, I came up with an idea of using python on the backend to verify the credentials when victim submits the form. This even bypasses 2FA because you can just prompt the user to verify this login hoping he doesn't check the location of login attempt. This way submitting wrong credentials wouldn't work. I think password managers with autofill could help a lot.

  • @InfiniteLogins

    2 years ago

    Users may still copy/paste their password in if they think the password management extension doesn't work on the pop-up window.. but I like the way you think!

  • @cybersec0x004

    2 years ago

    ​@@InfiniteLogins Yep, the password manager should in that case tell them, that the URL is different and that it may be dangerous to fill in the data. I already have part of that idea implemented. I used javascript to send credentials to python flask API. Python then inputs the data to facebook login page using selenium and sends the result back to victims browser. It works, but it takes like 3 seconds each time you pass in the data because of the whole selenium login process.

  • @getadvicefromsara3164

    2 years ago

    @@cybersec0x004 hello bro which python script you use in backend ..?

  • @cybersec0x004

    2 years ago

    @@getadvicefromsara3164 I wrote my own.

  • @tagggg
    2 years ago

    Scary. Does this attack trick password managers like LastPass as well?

  • @Skyler827

    2 years ago

    It won't fool the automatic form-filling functionality because those are tied to the actual page URL, but it will fool users who aren't using the autofill forms.

  • @InfiniteLogins

    2 years ago

    Exactly!

  • @jpdemer5
    2 years ago

    Anything the browser creators (Mozilla, MS, Apple) can do to detect this, and disable it or warn the user?

  • @InfiniteLogins

    2 years ago

    I don't think so.. It's common for sites to use <iframe>s for legitimate purposes, so it would be a hard thing to expect the browser to be able to tell the difference.

  • @ClipCentralUnbleeped
    2 years ago

    The issue for most users will be they will not be familiar with the tools needed to identify this type of attack. This is going to wreak havoc on a lot of people. Unless this can be patched out or existence with some sort of link validation or check, this is going to change the game for bad actors.

  • @InfiniteLogins

    2 years ago

    User awareness needs to evolve as hackers do.

  • @lauraconrad7543
    2 years ago

    Could you do a video to show what we could look for in developer mode to detect this? Also could you explain Kellen Green's comments: If the IDP added "Header set X-Frame-Options DENY", I believe this could be prevented.

  • @mitchy1990s

    2 years ago

    could you not just make sure the parent browser window is not fullscreen, then attempt to drag the login pop-up outside of the boundaries of the parent window. a normal authentic window would be on top and free to move to any bounds. a fake phishing pop-up is contained and locked inside the boundaries of the parent browser. no?

  • @sapito169

    2 years ago

    It is css header won't fire and won't work

  • @InfiniteLogins

    2 years ago

    The X-FRAME-OPTIONS header being set can prevent a site from being called via <iframe>s, but that header would need to be set on the phishing site that the attacker already controls.. and the hacker wouldn't set that lol. For example, trying to <iframe> google.com doesn't work, because they have that header set. But I could spin up my own phishing site for Google without the header, and then display it within an <iframe>.

  • @MondayAbigail-zo8sz

    1 year ago

    Can you teach me how to build a phishing page

  • @LEADER0FY0U
    2 years ago

    Seen this in the wild a handful of times. The obvious solution for me is to stop google and such sites prompt to log in, in a popup browser and instead handle it on their main page where you connect applications instead. I think this will be solved as well by the 'passwordless' system microsoft and the likes were working on.

  • @arffdhlullah4869
    2 years ago

    hi ! so this BITB site login page link if we want to get some cred information, the way to exploit it is require to send the link to victims through email or any medias ? not popped up on the real website. isnt it ?

  • @arffdhlullah4869

    2 years ago

    and if it can be popped up on the real website, how we can identify this type attack ? whats the difference from real login page popped up ?

  • @InfiniteLogins

    2 years ago

    Yup, the victim would have to be tricked first into going to a fake site. The URL of the fake site would be the victims red flag to notice something is wrong.

  • @yss1978
    2 years ago

    Waooo, impressive. But how can anybody prove if the login page is original with this new way of phishing? 🤔

  • @techademy9354

    2 years ago

    In a real page, the new page is an actual window that can be dragged even outside the current browser window. The fake one is just an iframe, you can't drag it outside

  • @saniahlam8466
    2 years ago

    Hi ! how to send index.html file in email link after editing ?

  • @InfiniteLogins

    2 years ago

    🤷‍♂️

  • @prantarkhisa7319
    1 year ago

    It's not working for 2fa

  • @kgreen
    2 years ago

    If the IDP added "Header set X-Frame-Options DENY", I believe this could be prevented.

  • @billyjbryant

    2 years ago

    He isn't loading the IDP's real page. This is a phishing page, made to look like the real thing down to impersonating the browser address bar. The IDP would not be able to protect you from this.

  • @kgreen

    2 years ago

    @@billyjbryant Ooh gotcha we're not even hitting the real IDP.

  • @InfiniteLogins

    2 years ago

    The X-FRAME-OPTIONS header being set can prevent a site from being called via <iframe>s, but that header would need to be set on the phishing site that the attacker already controls.. and the hacker wouldn't set that lol. For example, trying to <iframe> google.com doesn't work, because they have that header set. But I could spin up my own phishing site for Google without the header, and then display it within an <iframe>.

  • @bm5522
    2 years ago

    I see the comments about dragging around the other screen to see if it's fake or not but what happens if you did this on a mobile phone

  • @kwalm7536

    2 years ago

    It wouldn't make as much sense on mobile because the windows are skinned for macOS or Windows

  • @bm5522

    2 years ago

    I mean I guess that makes some sense but still can't help but wonder if I went to one of the websites If it would still function the same

  • @InfiniteLogins

    2 years ago

    Mobile is a good question. The genius behind this is that anybody can make additional templates, have the site check user agent values, and then display the appropriate template back. I bet a mobile friendly one could be created

  • @sudosupsudo1528
    1 year ago

    Similar to beef-xss petty theft no?

  • @kirillitvinenko355
    1 year ago

    So scary this method....it works only on PC, right? On mobile phones we are safe?

  • @Sindromo
    2 years ago

    This isn't anything new, I've seen a method like this a long time ago with Steam scammers where they link you to a site with a "login with steam" option

  • @InfiniteLogins

    2 years ago

    Nice! It was new to me so I figured I'd share.

  • @startide
    2 years ago

    Time to teach people to click the lock icon to check if it's legit... but yeah that's a nasty little trick.

  • @Kyuubi840

    2 years ago

    And even then, the page can fake the little floating window that Chrome and Firefox open when you do that, and they can fake the info inside it. They can't fake the popup once you click to view the certificate details though, I guess

  • @InfiniteLogins

    2 years ago

    That's a good idea!

  • @Goexotic_intl
    2 years ago

    This will still show your url that point to the bitb template so this is a dumb phishing

  • @sapito169
    2 years ago

    Lol, now we will teach users to use the inspect option 🤣🤣🤣

  • @InfiniteLogins

    2 years ago

    😂

  • @Ken.-
    2 years ago

    Doesn't seem like much of a useful attack. If you didn't notice that you are on a phishing site to begin with, then making anything look real after that won't matter since the only people falling for this already aren't looking at the URL anyway. It's like worrying about deep fakes. You don't need a sophisticated attack for unsophisticated people.

  • @ErikRoberts1981

    2 years ago

    Don't forget, a lot of mail filtering services obfuscate the email addresses. So on a well constructed email that can pass the filter it can still fool those wanting to check the URL.

  • @Ken.-

    2 years ago

    @@ErikRoberts1981 But you still have to go there before you can see the second "real" looking one.

  • @ErikRoberts1981

    2 years ago

    @@Ken.- Sure, but for it to work you want to send them to a legit site (that you own) offering some kind of service that they want. Because you own the domain and if you get the SSL cert for it, it looks legit. It's the part where you ask them to log on or create an account that this window pops up.

  • @InfiniteLogins

    2 years ago

    Erik has some solid points here.

  • @xcorrupter6698
    2 years ago

    Can you please make a video on how to setup a phishing page

  • @sleekbr7666

    2 years ago

    Your name suggests you're not up to something good.

  • @sleekbr7666

    2 years ago

    @Vintage B He's a crazy noob.

  • @getadvicefromsara3164

    2 years ago

    @@sleekbr7666 me too would you help out plzzzzz

  • @waelmas
    5 months ago

    How To: Evilginx + BITB | Browser In The Browser without <iframe>s in 2024 kzread.info/dash/bejne/nql-zNqpddq8eKw.html Just released this new version that makes this work with Evilginx to bypass MFA. This version does not use any <iframe>s, meaning it completely bypasses framebusters 🤞 (Not trying to self promote under this video, but saw a lot of traffic coming from it to my video and thought I’d leave this comment that might be helpful)
