Advanced Phishing Kit ‘Sneaky 2FA’ Employs Browser-in-the-Browser Tactics to Mimic Legitimate Login Prompts
Cybersecurity researchers have identified a significant advancement in phishing techniques with the emergence of the ‘Sneaky 2FA’ phishing kit. This Phishing-as-a-Service (PhaaS) offering has integrated Browser-in-the-Browser (BitB) functionality, enabling attackers to create deceptive pop-up windows that closely resemble legitimate browser address bars. This development marks a concerning evolution in phishing strategies, making it increasingly challenging for users to discern authentic login prompts from malicious ones.
The BitB technique was first detailed by security researcher mr.d0x in March 2022. It involves using HTML and CSS to craft fake browser windows that can convincingly mimic login pages of trusted services. By embedding an iframe pointing to a malicious server within these simulated windows, attackers can effectively mask suspicious URLs, presenting them as legitimate authentication pop-ups.
Push Security, in a recent report, highlighted the application of this technique in phishing campaigns targeting Microsoft account credentials. In observed instances, victims were directed to a dubious URL, such as previewdoc[.]us, where they first encountered a Cloudflare Turnstile verification (a bot protection measure). Upon passing this check, users were presented with a prompt to “Sign in with Microsoft” to access a PDF document. Clicking this button triggered a BitB-generated pop-up window displaying a counterfeit Microsoft login form. Unaware of the deception, users entered their credentials, which were then exfiltrated to the attackers, granting them unauthorized access to the victims’ accounts.
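Because a BitB window is ordinary page content rather than a real browser window, its fake address bar and the iframe it wraps are both visible in the page source. The following defender-side heuristic, added here as an illustration and not code from Push Security or the phishing kit, scans captured HTML for an iframe whose real source host differs from the URL painted as visible text just before it; the identity-provider host list and the sample page (including the placeholder host previewdoc.example) are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible text that looks like an absolute URL: a BitB overlay paints one of these as a fake address bar.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Identity-provider hosts worth a high-severity flag when impersonated (assumed list; extend as needed).
IDP_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}

class BitBScanner(HTMLParser):
    """Remembers the most recent URL-looking text and compares it with the next iframe's real source."""
    def __init__(self):
        super().__init__()
        self.last_url_text = None
        self.findings = []

    def handle_data(self, data):
        m = URL_RE.search(data)
        if m:
            self.last_url_text = m.group(0)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe" or self.last_url_text is None:
            return
        a = dict(attrs)
        # A srcdoc iframe carries inline HTML and has no navigable origin at all: always suspicious.
        actual = "(inline srcdoc)" if "srcdoc" in a else (urlparse(a.get("src") or "").hostname or "")
        shown = urlparse(self.last_url_text).hostname or ""
        if shown and shown != actual:
            self.findings.append({
                "displayed_host": shown,
                "actual_host": actual,
                "severity": "high" if shown in IDP_HOSTS else "low",
            })
        self.last_url_text = None  # each fake address bar is consumed by the iframe that follows it

def scan_html(html: str) -> list:
    scanner = BitBScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a "Sign in with Microsoft" gate, a BitB-style overlay whose painted address bar
# names Microsoft while the iframe loads from the phishing host, then a benign embed where both agree.
SAMPLE_HTML = """
<div class="pdf-gate"><button>Sign in with Microsoft</button></div>
<div class="popup"><div class="bar">https://login.microsoftonline.com/common/oauth2/authorize</div>
<iframe src="https://previewdoc.example/ms-login"></iframe></div>
<p>Docs: https://example.com/docs</p><iframe src="https://example.com/embed"></iframe>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

The check is a heuristic for triage, not proof: it only sees markup, so a real pop-up (which can be dragged outside the parent window) is still the reliable user-side test.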
To enhance the credibility of their phishing pages and evade detection, attackers have employed several sophisticated tactics:
– Bot Protection Mechanisms: Utilizing tools like CAPTCHA and Cloudflare Turnstile, attackers prevent automated security systems from analyzing and flagging their phishing sites.
– Conditional Content Delivery: Phishing content is selectively displayed to intended targets, while others are redirected to benign sites. This approach minimizes the risk of detection by security researchers and automated tools.
– Obfuscation Techniques: The phishing kit employs code obfuscation and disables browser developer tools, hindering efforts to inspect and analyze the malicious web pages.
– Rapid Domain Rotation: Phishing domains are frequently changed to reduce the likelihood of being blacklisted or detected by security solutions.
The ‘Sneaky 2FA’ kit, first brought to light by cybersecurity firm Sekoia earlier this year, exemplifies the ongoing professionalization and sophistication within the PhaaS ecosystem. As identity-based attacks remain a leading cause of security breaches, attackers are continually refining their methods to bypass even the most robust security measures.
In a related development, researchers have uncovered a method dubbed the Passkey Pwned Attack, which exploits weaknesses in the WebAuthn authentication process. By deploying a malicious browser extension, attackers can intercept and manipulate the communication between a device and a service during passkey registration and login. This manipulation allows them to substitute attacker-controlled key pairs, effectively hijacking the authentication process without needing the user’s device or biometric data.
Furthermore, adversaries have devised strategies to circumvent phishing-resistant authentication methods like passkeys through downgrade attacks. In these scenarios, adversary-in-the-middle (AitM) phishing kits, such as ‘Tycoon,’ prompt victims to select less secure, phishable authentication options instead of utilizing passkeys. This tactic exploits the presence of weaker backup methods, rendering accounts vulnerable despite the availability of more secure login options.
As phishing techniques become increasingly sophisticated, it is imperative for users to exercise heightened vigilance. Before entering credentials or installing browser extensions, individuals should verify the authenticity of the source and be cautious of unsolicited prompts. Organizations are encouraged to implement conditional access policies, restricting logins that do not meet specific security criteria, thereby mitigating the risk of account takeovers.