|Category: Adversary Intelligence||Industry: Government||Threat Type: BitB - Phishing||Country: India||Source*: A2|
- BitB attack is the latest and most advanced phishing technique used by attackers to simulate browser windows, most commonly SSO pages, with a unique login.
- BitB attacks replicate legitimate domains to steal the credentials of users along with other sensitive records including PII.
- Notably, threat actors are leveraging this sophisticated phishing technique to target Government websites from across the globe, including India.
- The BitB attack is initiated once users click on a malicious link that usually appears to them as an SSO login pop-up window, when they attempt to login to a website.
- When users click on the link provided, they are requested to use their SSO credentials to log in to the website. The victims are then directed to a fake website that is an exact replica of the actual SSO page.
- Threat actors have been targeting the Indian government portal https://india.gov.in, and using a phony link (http//weserv38573w7[.]xyz/?c=100) to deceive users into providing confidential information such as card details including the name on the card, card number, expiry month, and CVV.
- The new URL that pops-up as a result of the BitB attack, https://india.gov.in/topics/home-affairs-enforcement/police, appears legitimate. The actors have also cloned the user-interface of the original page.
- Once their victims login to this phishing page, a pop-up that masquerades as a notification from the Home Affairs Enforcement and Police, is displayed on the fake window stating that their systems have been blocked. They are alerted of their excessive consumption of pornographic sites prohibited by the law, and are asked to pay a sum of INR 30000 as fine, to unlock their systems.
- They are provided with a form to pay the fine, that requires them to share sensitive details including their card details. Since the notification has a sense of urgency and also appears to be time-bound, it causes the victims to panic. The details that the victims submit via the form are eventually sent to the attacker’s server.
- Once the card details are stolen by the attackers’, the details could be sold to other buyers in the bigger chain of cyber fraudsters or the victim could be further extorted for more money.
- Browser-in-the-Browser Attack Makes Phishing Nearly Invisible | Threatpost
- “Browser in the Browser” attacks: A devastating new phishing technique arises | TechRepublic