Novel Phishing Technique Browser-in-the-Browser Attack Targets Government Websites

Cybersecurity
#1

Originally published at: Novel Phishing Technique Browser-in-the-Browser Attack Targets Government Websites - CloudSEK

 

Category:

Adversary Intelligence

 Industry:

Government

 Threat Type:

BitB – Phishing

 Country:

India

 Source*:

A2

Executive Summary

THREAT IMPACT MITIGATION
  • Novel, advanced Browser-in-the-Browser phishing attack tactics are used to target Government websites across the globe.
  • BitB attacks replicate browser windows to steal user credentials, PII and other sensitive records.
  • The attack usually stimulates Single Sign-On windows and displays fake websites that cannot be distinguished from the original page.
  • Combine SSO with MFA for secure login across accounts.
  • Check for suspicious logins and account takeovers.
  • Avoid clicking on email links from unknown sources.

CloudSEK’s contextual AI digital risk platform XVigil discovered an unprecedented, sophisticated phishing technique, commonly known as Browser-in-the-Browser attack (BitB), that has been targeting government websites across the world, including India.

Fake website of the Indian Government
Fake website of the Indian Government2048×1290 369 KB
Fake website of the Indian Government

 

Analysis and Attribution

  • BitB attack is the latest and most advanced phishing technique used by attackers to simulate browser windows, most commonly SSO pages, with a unique login.
  • BitB attacks replicate legitimate domains to steal the credentials of users along with other sensitive records including PII.
  • Notably, threat actors are leveraging this sophisticated phishing technique to target Government websites from across the globe, including India.

Information from the Post

  • The BitB attack is initiated once users click on a malicious link that usually appears to them as an SSO login pop-up window, when they attempt to login to a website.
  • When users click on the link provided, they are requested to use their SSO credentials to log in to the website. The victims are then directed to a fake website that is an exact replica of the actual SSO page.
  • Threat actors have been targeting the Indian government portal https://india.gov.in, and using a phony link (http//weserv38573w7[.]xyz/?c=100) to deceive users into providing confidential information such as card details including the name on the card, card number, expiry month, and CVV.
The legitimate Indian Government page
The legitimate Indian Government page909×458 368 KB
The legitimate Indian Government page

 

The Browser-in-the-Browser Attack fake Indian Government page
The Browser-in-the-Browser Attack fake Indian Government page2048×973 321 KB
The Browser-in-the-Browser Attack fake Indian Government page

 

 

  • The new URL that pops-up as a result of the BitB attack, https://india.gov.in/topics/home-affairs-enforcement/police, appears legitimate. The actors have also cloned the user-interface of the original page.
  • Once their victims login to this phishing page, a pop-up that masquerades as a notification from the Home Affairs Enforcement and Police, is displayed on the fake window stating that their systems have been blocked. They are alerted of their excessive consumption of pornographic sites prohibited by the law, and are asked to pay a sum of INR 30000 as fine, to unlock their systems.
  • They are provided with a form to pay the fine, that requires them to share sensitive details including their card details. Since the notification has a sense of urgency and also appears to be time-bound, it causes the victims to panic. The details that the victims submit via the form are eventually sent to the attacker’s server.
  • Once the card details are stolen by the attackers’, the details could be sold to other buyers in the bigger chain of cyber fraudsters or the victim could be further extorted for more money.

Impact & Mitigation for Browser-in-the-Browser Attack

Impact Mitigation
  • BitB attack replicates browser windows to steal user credentials, PII and other sensitive records.
  • The attack usually stimulates Single Sign-On windows and displays fake websites that cannot be distinguished from the original page.
  • Cybercriminals use the compromised data to commit identity theft and financial fraud.
  • Such attacks also lead to monetary loss.
  • Combine SSO with MFA for secure login across accounts.
  • Check for suspicious logins and account takeovers.
  • Avoid clicking on email links from unknown sources.
  • Keep computers up-to-date with security measures.
  • Identifying and having such phishing websites suspended is the quickest way to mitigate the threat of the scams. However, this won’t solve the problem of new phishing websites being registered on a daily basis
  • Report the phishing campaign to the Cyber Crime Cell in your region and provide them with the details identified to bust such groups running these campaigns.
  • Run aggressive awareness campaigns to educate users/ customers about ongoing scams. This will lead to fewer people falling prey to such scams.

References

Appendix

Phishing Cycle
Phishing Cycle2048×1068 140 KB
Phishing Cycle