Novel Phishing Technique Browser-in-the-Browser Attack Targets Government Websites

CloudSEK’s contextual AI digital risk platform XVigil discovered an unprecedented, sophisticated phishing technique, commonly known as a Browser-in-the-Browser (BitB) attack, that has been targeting government websites across the world, including India.
Published on June 3, 2022. Updated on April 19, 2023. 5 minute read.
Category: Adversary Intelligence
Industry: Government
Threat Type: BitB - Phishing
Country: India
Source*: A2

Executive Summary

Threat
  • Novel, advanced Browser-in-the-Browser phishing attack tactics are used to target Government websites across the globe.
Impact
  • BitB attacks replicate browser windows to steal user credentials, PII and other sensitive records.
  • The attack usually simulates Single Sign-On windows and displays fake websites that cannot be distinguished from the original page.
Mitigation
  • Combine SSO with MFA for secure login across accounts.
  • Check for suspicious logins and account takeovers.
  • Avoid clicking on email links from unknown sources.
Figure: Fake website of the Indian Government

Analysis and Attribution

  • A BitB attack is the latest and most advanced phishing technique used by attackers to simulate browser windows, most commonly SSO pages, each with its own login form.
  • BitB attacks replicate legitimate domains to steal the credentials of users along with other sensitive records including PII.
  • Notably, threat actors are leveraging this sophisticated phishing technique to target Government websites from across the globe, including India.

Information from the Post

  • The BitB attack is initiated once users click on a malicious link that usually appears to them as an SSO login pop-up window when they attempt to log in to a website.
  • When users click on the link provided, they are requested to use their SSO credentials to log in to the website. The victims are then directed to a fake website that is an exact replica of the actual SSO page.
  • Threat actors have been targeting the Indian government portal https://india.gov.in, and using a phony link (http[:]//weserv38573w7[.]xyz/?c=100) to deceive users into providing confidential information such as card details including the name on the card, card number, expiry month, and CVV.
Figure: The legitimate Indian Government page
Figure: The Browser-in-the-Browser Attack fake Indian Government page
  • The new URL that pops up as a result of the BitB attack, https://india.gov.in/topics/home-affairs-enforcement/police, appears legitimate. The actors have also cloned the user interface of the original page.
  • Once their victims log in to this phishing page, a pop-up that masquerades as a notification from the Home Affairs Enforcement and Police is displayed in the fake window, stating that their systems have been blocked. They are alerted to their excessive consumption of pornographic sites prohibited by the law, and are asked to pay a sum of INR 30000 as a fine to unlock their systems.
  • They are provided with a form to pay the fine that requires them to share sensitive details, including their card details. Since the notification conveys a sense of urgency and also appears to be time-bound, it causes the victims to panic. The details that the victims submit via the form are eventually sent to the attacker’s server.
  • Once the card details are stolen by the attackers, the details could be sold to other buyers in the bigger chain of cyber fraudsters, or the victim could be further extorted for more money.
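The defining trait of the page described above is that the "address bar" showing https://india.gov.in/... is ordinary page text painted inside the real browser window, so the URL the victim reads never matches the host the browser actually loaded. As an added example (not CloudSEK's code or part of the original post), the following offline heuristic scans saved page HTML for exactly that shape: a text node that is nothing but a URL whose host differs from the serving host, next to an embedded iframe or form. The sample HTML is constructed for illustration and the serving host is the defanged indicator from the post with its brackets removed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A text node that is nothing but a URL is what a painted address bar looks like.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class _VisibleText(HTMLParser):
    """Collect text a victim sees (skipping script/style); count iframes/forms."""
    def __init__(self):
        super().__init__()
        self.texts, self.iframes, self.forms, self._hidden = [], 0, 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "iframe":
            self.iframes += 1
        elif tag == "form":
            self.forms += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden and data.strip():
            self.texts.append(data.strip())

def scan_bitb(html, served_host):
    """Flag painted address bars: bare-URL text nodes whose host differs
    from the host the browser really loaded the page from."""
    parser = _VisibleText()
    parser.feed(html)
    bars = [(t, (urlparse(t).hostname or "").lower())
            for t in parser.texts if URL_RE.fullmatch(t)]
    fake_bars = [b for b in bars if b[1] != served_host.lower()]
    return {
        "fake_address_bars": fake_bars,
        "iframes": parser.iframes,
        "forms": parser.forms,
        # A mismatched bare URL beside an embedded frame or form is the BitB shape.
        "suspicious": bool(fake_bars) and (parser.iframes + parser.forms) > 0,
    }

# Constructed sample shaped like the fake window described above (not the real kit).
SAMPLE_HTML = ('<div class="fake-window"><div class="titlebar">Sign in</div>'
               '<div class="urlbar">https://india.gov.in/topics/home-affairs-enforcement/police</div>'
               '<iframe src="/clone.html"></iframe></div>'
               '<p>Need help? Visit https://example.org/help for support.</p>')
```

A URL mentioned inside a sentence (the help link in the sample) is deliberately not flagged, and the same markup served from india.gov.in itself produces no finding, so the check keys on the host mismatch rather than on the presence of a URL.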

Impact & Mitigation for Browser-in-the-Browser Attack

Impact
  • BitB attacks replicate browser windows to steal user credentials, PII and other sensitive records.
  • The attack usually simulates Single Sign-On windows and displays fake websites that cannot be distinguished from the original page.
  • Cybercriminals use the compromised data to commit identity theft and financial fraud.
  • Such attacks also lead to monetary loss.
Mitigation
  • Combine SSO with MFA for secure login across accounts.
  • Check for suspicious logins and account takeovers.
  • Avoid clicking on email links from unknown sources.
  • Keep computers up-to-date with security measures.
  • Identifying and having such phishing websites suspended is the quickest way to mitigate the threat of these scams. However, this won’t solve the problem of new phishing websites being registered on a daily basis.
  • Report the phishing campaign to the Cyber Crime Cell in your region and provide them with the details identified to bust the groups running these campaigns.
  • Run aggressive awareness campaigns to educate users and customers about ongoing scams. This will lead to fewer people falling prey to such scams.

Appendix

Figure: Phishing Cycle
