When you click “Sign in with Google” on a website, a small popup window appears showing accounts.google.com in the address bar. You trust it because you can see the URL. Browser-in-the-Browser (BitB) phishing attacks fake that entire popup — the window frame, the address bar, the padlock icon, the URL — using nothing but HTML, CSS, and JavaScript, all rendered inside the existing browser tab.
The attack was first publicly documented by security researcher mrd0x in March 2022, who released ready-to-use templates for Chrome on Windows, macOS, and Linux. Those templates are still in active use, downloaded and adapted by phishing operators worldwide.
How BitB Works
The Illusion
A traditional phishing page has a fundamental problem: the browser’s address bar shows the wrong URL. Users who check the URL before entering credentials will notice they are on g00gle.com instead of google.com. BitB sidesteps this entirely by rendering a fake browser window as a webpage element.
The attacker creates a <div> styled to look exactly like a browser popup window, complete with:
- A simulated title bar with the correct browser chrome styling
- A fake address bar showing https://accounts.google.com (or any target)
- A green padlock icon rendered as an SVG or image
- The actual phishing login form inside the “window”
When the victim clicks “Sign in with Google” on the attacker’s site, this div appears over the main page, looking exactly like a legitimate OS-level popup window. The victim enters their Google credentials directly into the phishing form.
Implementation
The HTML structure is straightforward:
<div class="browser-window" style="position:fixed; top:20%; left:30%; width:500px; z-index:9999;">
  <div class="title-bar">
    <!-- Fake browser chrome with close/minimize/maximize buttons -->
  </div>
  <div class="address-bar">
    <span class="padlock">🔒</span>
    <span>https://accounts.google.com/signin/v2/...</span>
  </div>
  <iframe src="/phishing-form.html" style="border:none; width:100%; height:400px;"></iframe>
</div>
The styling uses OS-specific CSS to mimic Chrome on Windows versus Safari on macOS. In 2022–2024, BitB templates for each major browser/OS combination were freely available on GitHub and underground forums. The investment required from an attacker is minimal — acquiring a plausible domain and hosting the HTML.
Real-World OAuth Phishing Examples
Steam/Gaming Platform Campaigns (2022–2024)
The first widespread BitB campaigns targeted gamers. Victims received Steam trade offers or Discord messages with links to “trading sites” that required Steam login. The BitB popup showed a convincing steamcommunity.com URL. Group-IB reported that a single campaign compromised over 2,000 Steam accounts in a two-month window in 2022.
Corporate Microsoft 365 BitB (2023)
Threat actors targeting enterprise environments adapted BitB for Microsoft OAuth flows. Phishing emails claimed to share a SharePoint document, directing users to a site that displayed a BitB login.microsoftonline.com popup. Because corporate users frequently see legitimate Microsoft SSO prompts, the imitation was highly convincing. The credentials captured were used immediately for BEC and data exfiltration.
Crypto Platform Attacks (2024–2025)
BitB became a standard tool in cryptocurrency theft campaigns, targeting users of decentralized exchanges and NFT platforms. A fake “Connect Wallet” flow using a BitB Google OAuth prompt was used to harvest credentials later used in account takeover attacks on linked email accounts, then to reset exchange passwords.
How to Detect a Fake Browser Window
Several behavioral and visual cues expose BitB popups:
The Drag Test
A real browser popup window can be dragged outside the boundaries of the main browser window — onto the taskbar, onto another monitor, or off-screen. A BitB div rendered inside a browser tab cannot leave the tab’s viewport. Try dragging the popup toward the edge of the screen. If it stops at the browser edge, it is fake.
The URL Bar Interaction Test
In a real browser popup, you can click the address bar and edit the URL, triggering browser navigation. In a BitB popup, clicking the fake address bar does nothing, or triggers a JavaScript event that might close the div. Try clicking in the address bar: a real browser will select the URL so you can edit or delete it; a fake one will not respond like a browser address bar.
Visual Inconsistencies
- The window decorations (close/minimize/maximize buttons) may not respond to hover states exactly as native OS controls do
- Font rendering inside the fake window may differ slightly from native browser chrome
- The popup may not appear in your taskbar or window switcher (Alt+Tab / Cmd+Tab)
- On high-DPI displays, the fake window may look slightly blurry compared to native OS elements
URL Verification
Despite the fake address bar, your actual browser’s real address bar shows the phishing domain. Always check your browser’s real address bar — the one at the very top of the browser window, not any bar rendered inside the page content area. No legitimate SSO flow requires you to log in while a fake window covers a third-party site.
Defense Strategies
For individuals:
- Always check the real browser address bar — the one at the top of the browser, not anything in the page. Any “login popup” that appears while you are on an unfamiliar domain should be treated with suspicion.
- Use a password manager. This is a critical defense: your password manager (Bitwarden, 1Password, LastPass) will only autofill credentials on the exact domain it saved them for. A BitB popup on evil-trading-site.com will not trigger an autofill for accounts.google.com, because the real page origin is the phishing domain. If your password manager does not offer to autofill, you are not on the real site.
- Use hardware security keys (FIDO2/WebAuthn) for MFA. Even if BitB captures your password, a hardware key like a YubiKey performs origin checking — it will not authenticate against a phishing domain even if the visible URL looks correct.
- Be skeptical of SSO prompts on third-party sites. Legitimate OAuth flows should open a new tab or window that you can interact with normally, not a suspiciously styled popup.
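As an added example (not code from the original article), the following JavaScript models the origin check behind the two defenses above: both a password manager and a WebAuthn authenticator key their decision to the real page origin the browser reports, never to the URL text painted inside the page. The evil-trading-site.com origin and the vault entries are constructed, and the RP ID rule is a simplification of the WebAuthn "registrable domain suffix" check.

```javascript
// Added example, not from the original article. Models why origin-bound
// credentials defeat BitB: the fake address bar is just text inside the page,
// while the browser reports the real origin (window.location.origin, or the
// origin field of WebAuthn clientDataJSON) to the password manager/authenticator.

// Simplified password-manager rule: offer autofill only on an exact origin match.
function autofillCandidates(vault, pageOrigin) {
  return vault.filter((entry) => entry.origin === pageOrigin);
}

// Simplified WebAuthn RP ID rule: the RP ID must equal the origin's hostname or
// be a dot-separated suffix of it ("accounts.google.com" may use RP ID
// "google.com"; "evil-trading-site.com" can never use it). Real browsers also
// reject public suffixes such as bare TLDs; here a bare label is rejected.
function rpIdAllowedForOrigin(rpId, pageOrigin) {
  const host = new URL(pageOrigin).hostname;
  if (host === rpId) return true;
  return rpId.includes(".") && host.endsWith("." + rpId);
}

// Constructed scenario: the victim is on the phishing site, whose BitB popup
// *displays* https://accounts.google.com. The displayed text plays no role below.
const realOrigin = "https://evil-trading-site.com"; // constructed phishing origin
const vault = [
  { origin: "https://accounts.google.com", username: "alice@example.com" }, // constructed
  { origin: "https://steamcommunity.com", username: "alice" },               // constructed
];

// Compares the phishing origin with the legitimate one for both checks.
function demo() {
  return {
    phishingFills: autofillCandidates(vault, realOrigin).length,            // 0
    phishingWebauthn: rpIdAllowedForOrigin("google.com", realOrigin),       // false
    legitFills: autofillCandidates(vault, "https://accounts.google.com").length, // 1
    legitWebauthn: rpIdAllowedForOrigin("google.com", "https://accounts.google.com"), // true
  };
}
```

A lookalike such as evil-google.com also fails the suffix check, because the suffix must begin at a dot boundary.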
For developers and security teams:
- Train users specifically on BitB — the drag test is simple and memorable
- Implement phishing-resistant MFA (FIDO2/passkeys) for all corporate SSO flows
- Monitor for newly registered domains that mimic your brand and send phishing reports to domain registrars
- Use browser extensions such as Netcraft Anti-Phishing or Microsoft Defender Browser Protection, which maintain updated phishing domain blocklists
BitB is a social engineering attack, not a technical exploit. The defense is correspondingly behavioral: trust your password manager’s autofill behavior, use phishing-resistant MFA, and always verify the domain in the real browser address bar. The fake window is visually convincing — but it cannot fully replicate the behavior of a real one.