Even two-factor authentication isn’t foolproof as hackers exploit new browser-in-the-browser attack
Cybercriminals are bypassing two-factor authentication through a new ‘Browser-in-the-Browser’ phishing attack that uses fake pop-up windows to steal login credentials and OTPs, prompting experts to urge users to verify the authenticity of authentication prompts
Published Date - 22 December 2025, 09:26 PM
Hyderabad: Many internet users believe their accounts are safe once two-factor authentication (2FA) is enabled. While 2FA does add an extra layer of protection, cybercriminals have now found ways to exploit even this security measure.
The latest tactic in the cybercrime playbook is the ‘Browser-in-the-Browser’ (BitB) attack, which uses a sophisticated 2FA phishing kit that is reportedly freely available on the dark web.
Two-factor authentication works by requiring users to verify their identity using two different credentials. After entering a username and password, users are prompted to provide a second form of authentication, such as a one-time password (OTP) sent to a mobile phone or email, biometric verification, or a code generated by an authenticator app.
Typically, this second step appears as a pop-up window on a computer or mobile screen. However, in a BitB attack, hackers replace this legitimate pop-up with a fake browser window embedded within the webpage itself.
The fraudulent window closely mimics a real browser pop-up, complete with familiar symbols, branding and even a convincing URL display. Because it is not an actual system window but part of the webpage, users often fail to detect the deception.
Once the user enters the required authentication details, the information is instantly captured by cybercriminals, allowing them to access the account and potentially carry out financial fraud or data theft.
Cybersecurity experts advise users to verify whether a pop-up window is genuine by attempting to drag it outside the browser. If the window cannot be moved independently, it is likely a fake interface embedded within the webpage.
Recognising such visual cues can help users avoid falling victim to this emerging form of online fraud.
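The drag test above works because the fake window is ordinary page markup rather than a real browser window, and that same property lets defenders triage captured phishing-page HTML automatically. The following scanner is an added example (not code from the article or from any phishing kit): it flags text that renders as a bare URL inside a positioned, non-link element, which is how an in-page "address bar" is painted. The sample HTML and the `accounts.example.com` domain are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of the pattern the article describes: a div positioned inside the
# page that paints its own title bar, a fake address bar, and an OTP prompt.
FAKE_WINDOW_HTML = """
<div class="popup" style="position:absolute; top:120px; left:300px; border:1px solid #ccc">
  <div class="titlebar">Sign in - Example Accounts</div>
  <div class="addressbar">https://accounts.example.com/signin/v2</div>
  <form><input name="otp" placeholder="Enter the 6-digit code"></form>
</div>
"""

# Constructed benign page: the same URL appears only as a real hyperlink (an href attribute).
BENIGN_HTML = '<p>Sign in at <a href="https://accounts.example.com/signin">our login page</a></p>'

# A text node that is nothing but a URL, as an address bar would display it.
URL_TEXT = re.compile(r"^\s*https?://[\w.-]+(/\S*)?\s*$")


class FakeAddressBarFinder(HTMLParser):
    """Collects bare-URL text rendered inside a positioned element that is not a link."""

    def __init__(self):
        super().__init__()
        self.stack = []       # (tag, is_positioned) for every open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        positioned = bool(re.search(r"position\s*:\s*(absolute|fixed)", style))
        self.stack.append((tag, positioned))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void tags like <input>.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if not self.stack or not URL_TEXT.match(data):
            return
        inside_link = any(t == "a" for t, _ in self.stack)
        inside_positioned = any(p for _, p in self.stack)
        if inside_positioned and not inside_link:
            self.findings.append(data.strip())


def find_fake_address_bars(html: str) -> list[str]:
    """Return the URL strings that look like in-page fake address bars."""
    parser = FakeAddressBarFinder()
    parser.feed(html)
    return parser.findings
```

A plain paragraph that merely lists a URL is not flagged, since it is neither positioned nor styled as a window, which keeps the heuristic quiet on ordinary documentation pages.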