April 22, 2022

Browser-in-the-Browser: A New Wave of Picture-in-Picture Phishing Attacks?

By Jscrambler | 5 min read

Phishing attacks are a form of social engineering attack and are responsible for more than 80% of the reported security incidents.

In this blog post, we are going to talk about the browser in the browser (BitB) attack and the different approaches used in this deception technique, which is typically leveraged to gather credentials.

What is BitB?

The main goal of a Browser-in-the-Browser attack is to lure a user who is visiting a cloned website with a “fake window”, taking advantage of the growing use of single sign-on systems that allow users to log in to different websites with a single account.

This “fake window” is created inside the website viewport and replicates, to a very accurate degree, all the components of the real popup window. Key aspects of this method are the URL bar, which can display any URL, the certificate lock, and the draggable effect. In the image below we can see an example of a cloned website using this technique; the highlighted sections show how visually accurate this window can be.

This approach is not new; we can trace it back to attacks from the past two decades.

In 2019, a fake Steam skins giveaway site was used to steal credentials from CounterStrike players, but this was not a singular event. Facebook was also targeted in phishing campaigns using this technique, and if we go even further back to 2007, we can find remarks about a “picture-in-picture attack” referred to in a Microsoft publication, where they claim that “picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack”.

Other approaches to this deception technique

While the BitB technique is being used in the wild in fake cloned websites, there are several other scenarios where a similar technique could be applied, for example in the case of a supply chain attack.

Browser extensions

There is no doubt browser extensions provide a great way of customizing your web browser or even enhancing the functionality of a website. Nowadays the common user will most likely have an ad-blocker, a password manager, or a cryptocurrency wallet extension installed in the browser. As useful as they can be, some of them may also pose a security risk.

Suppose a malicious script draws one of these extension windows in a webpage, in a similar fashion to the BitB attack we described before. An unaware user may look at this window and mistake it for the legitimate one, entering their credentials or keys and naively sending them to the attacker.

Browser notifications

Even though this type of notification does not typically ask the user to type any information inside the notification window itself, a fake notification could impel the user to click on it.

Clicking on something different from what the user perceives, also known as “Clickjacking”, is one of the potentially dangerous attacks that can be used to reveal confidential information or trigger unintended behavior by the website or browser. Sometimes clicking on seemingly innocuous objects may allow an attacker to take control of your computer.

JavaScript alerts

Certain applications may make use of JavaScript functions like alert, confirm or prompt to ask the user for important information. These functions will trigger a box to appear, usually on the upper part of the screen, but this may vary depending on the supplied text message.

This is another example of a window that can be drawn inside a webpage inviting a user to type private information.

Operating System

Copying the visual aspect of native windows or prompts from the underlying operating system can also be used to create an attack scenario. There are several different system prompts that may be shown by your OS, such as:

  • An update is available or required for the browser or OS
  • User credentials are required to perform an operation
  • User access control requires the user's permission to perform an operation

Summing Up

As we can see, there are a lot of deception techniques that can lure the user into performing unwanted operations. But there are some things that can be done to mitigate this, both from a company’s perspective and from a user’s side.

Companies are responsible for the user experience and security inside their applications and should implement systems and/or mechanisms in their web pages to mitigate some of these attacks.

In short, the types of attacks we saw consist of:

  • Creating and appending elements - e.g., creating an iframe
  • Poisoning functions - e.g., altering the login function
  • Editing element attributes - e.g., changing a link

And these kinds of malicious behaviors can be detected or even blocked if a client-side security solution is implemented on the web pages.  
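The three behaviours listed above can each be checked for from page script. The following is an added example, not code from the original post or from Jscrambler's product; the allowlisted origins, helper names and sample records are assumptions constructed for illustration.

```javascript
// Added example; the allowlist, origins and helper names are assumptions.
const ALLOWED_ORIGINS = new Set(['https://shop.example', 'https://sso.example']);
const URL_ATTRS = new Set(['href', 'src', 'action']);
// True when the URL, resolved against the page, stays on an allowlisted origin.
function isAllowedUrl(value, pageOrigin) {
  try {
    return ALLOWED_ORIGINS.has(new URL(value, pageOrigin).origin);
  } catch {
    return false; // unparsable URLs are treated as suspicious
  }
}

// Classify one MutationRecord-shaped object and return its findings.
function inspectMutation(record, pageOrigin) {
  const findings = [];
  if (record.type === 'childList') {
    for (const node of record.addedNodes) {
      if (node.nodeName !== 'IFRAME') continue;
      const src = node.getAttribute('src');
      // Conservative policy: report an iframe with no src or one off the allowlist.
      if (src === null || !isAllowedUrl(src, pageOrigin)) {
        findings.push({ kind: 'appended-iframe', value: src });
      }
    }
  } else if (record.type === 'attributes' && URL_ATTRS.has(record.attributeName)) {
    const value = record.target.getAttribute(record.attributeName);
    if (value !== null && !isAllowedUrl(value, pageOrigin)) {
      findings.push({ kind: 'attribute-changed', attr: record.attributeName, value });
    }
  }
  return findings;
}

// Function poisoning: snapshot references at load, later list the replaced ones.
const snapshotFunctions = (obj, names) => new Map(names.map((n) => [n, obj[n]]));
const findPoisoned = (obj, snap) => [...snap].filter(([n, fn]) => obj[n] !== fn).map(([n]) => n);
// Blocking variant: the property can no longer be reassigned or redefined.
const lockFunction = (obj, name) =>
  Object.defineProperty(obj, name, { writable: false, configurable: false });

// Constructed sample input: stand-in elements and MutationRecord-shaped objects.
const el = (nodeName, attrs) => ({ nodeName, getAttribute: (n) => attrs[n] ?? null });
const sampleRecords = [
  { type: 'childList', addedNodes: [el('IFRAME', { src: 'https://sso.example/login' })] },
  { type: 'childList', addedNodes: [el('IFRAME', { src: 'https://login.phish.invalid/sso' })] },
  { type: 'attributes', attributeName: 'href', target: el('A', { href: 'https://phish.invalid/reset' }) },
  { type: 'attributes', attributeName: 'href', target: el('A', { href: '/account' }) },
];
const scanSample = () => sampleRecords.flatMap((r) => inspectMutation(r, 'https://shop.example'));
```

In a browser, `inspectMutation` would be called on the records delivered to a `MutationObserver` watching the document with `childList`, `subtree` and `attributes` enabled, and the snapshot would be taken before any third-party script runs.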

User-Awareness Guidelines

Even though we are describing attacks that may deceive even the savviest users, there are a few subtle clues that can be used to detect this kind of attack.

  • Users can click the suspect window title bar and drag it around the screen. A legitimate window can be dragged anywhere without limitations whilst a fake window will stay within the boundaries of its parent browser window.
  • Users can hover the mouse cursor over the browser icon in the taskbar. If the popup is a real browser window, there should be (at least) two instances of the browser running, but if not, then the user would only see one instance.
  • Users can right-click the title bar of the suspect window. The context menu of a legitimate popup should display tab/window related options, like “New Tab” or “Close”, but a fake window will show content-related options like "Back", "View Page Source" or "Inspect".
  • Users can look for active or focused windows. There should only be a single active/focused window at a time. A fake window will appear focused while the parent real window is still focused.


Even something seemingly legit can be compromised and used by threat actors to access sensitive intel. Many companies choose to protect their users with client-side solutions like Jscrambler’s. These solutions provide an additional layer of protection that will render most of these attacks unfeasible or impractical.

But most websites do not have this kind of protection and the responsibility is left to the user. This is why user awareness is a key aspect of user and information security.
