{"id":25323,"date":"2026-03-04T18:34:52","date_gmt":"2026-03-04T14:34:52","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25323"},"modified":"2026-03-04T18:34:52","modified_gmt":"2026-03-04T14:34:52","slug":"browser-in-the-browser-phishing-facebook","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/browser-in-the-browser-phishing-facebook\/25323\/","title":{"rendered":"Browser-in-the-browser attacks: from theory to reality"},"content":{"rendered":"

In 2022, we dived deep into an attack method called browser-in-the-browser<\/a> \u2014 originally developed by the cybersecurity researcher known as mr.d0x<\/em>. Back then, no actual examples existed of this model being used in the wild. Fast-forward four years, and browser-in-the-browser attacks have graduated from the theoretical to the real: attackers are now using them in the field. In this post, we revisit what exactly a browser-in-the-browser attack is, show how hackers are deploying it, and, most importantly, explain how to keep yourself from becoming its next victim.<\/p>\n

What is a browser-in-the-browser (BitB) attack?<\/h2>\n

For starters, let\u2019s refresh our memories on what mr.d0x<\/em> actually cooked up<\/a>. The core of the attack stems from his observation of just how advanced modern web development tools \u2014 HTML, CSS, JavaScript, and the like \u2014 have become. It\u2019s this realization that inspired the researcher to come up with a particularly elaborate phishing model.<\/p>\n

A browser-in-the-browser attack is a sophisticated form of phishing that uses web design to craft fraudulent websites imitating login windows for well-known services like Microsoft, Google, Facebook, or Apple that look just like the real thing. The researcher\u2019s concept involves an attacker building a legitimate-looking site to lure in victims. Once there, users can\u2019t leave comments or make purchases unless they \u201csign in\u201d first.<\/p>\n

Signing in seems easy enough: just click the Sign in with <\/em>{popular service name}<\/em> button. And this is where things get interesting: instead of a genuine authentication page provided by the legitimate service, the user gets a fake form rendered inside the malicious site, looking exactly like\u2026 a browser pop-up. Furthermore, the address bar in the pop-up, also rendered by the attackers, displays a perfectly legitimate<\/em> URL. Even a close inspection won\u2019t reveal the trick.<\/p>\n

From there, the unsuspecting user enters their credentials for Microsoft, Google, Facebook, or Apple into this rendered window, and those details go straight to the cybercriminals. For a while this scheme remained a theoretical experiment by the security researcher. Now \u2014 real-world attackers have added it to their arsenals.<\/p>\n

Facebook credential theft<\/h2>\n

Attackers have put their own spin on mr.d0x\u2019s<\/em> original concept: recent browser-in-the-browser hits have been kicking off with emails<\/a> designed to alarm recipients. For instance, one phishing campaign posed as a law firm informing the user they\u2019d committed a copyright violation by posting something on Facebook. The message included a credible-looking link allegedly to the offending post.<\/p>\n

\"Phishing<\/a>

Attackers sent messages on behalf of a fake law firm alleging copyright infringement \u2014 complete with a link supposedly to the problematic Facebook post. Source<\/a><\/p><\/div>\n

Interestingly, to lower the victim\u2019s guard, clicking the link didn\u2019t immediately open a fake Facebook login page. Instead, they were first greeted by a bogus Meta CAPTCHA. Only after passing it was the victim presented with the fake authentication pop-up.<\/p>\n

\"Fake<\/a>

This isn\u2019t a real browser pop-up; it\u2019s a website element mimicking a Facebook login page \u2014 a ruse that allows attackers to display a perfectly convincing address. Source <\/a><\/p><\/div>\n

Naturally, the fake Facebook login page followed mr.d0x\u2019s<\/em> blueprint: it was built entirely with web design tools to harvest the victim\u2019s credentials. Meanwhile, the URL displayed in the forged address bar pointed to the real Facebook site \u2014 www.facebook.com.<\/p>\n

How to avoid becoming a victim<\/h2>\n

The fact that scammers are now deploying browser-in-the-browser attacks just goes to show that their bag of tricks is constantly evolving. But don\u2019t despair \u2014 there\u2019s a way to tell if a login window is legit. A password manager<\/a>\u00a0is your friend here, which, among other things, acts as a reliable security litmus test for any website.<\/p>\n

That\u2019s because when it comes to auto-filling credentials, a password manager looks at the actual URL, not what the address bar appears<\/em> to show, or what the page itself looks like. Unlike a human user, a password manager<\/a>\u00a0can\u2019t be fooled with browser-in-the-browser tactics, or any other tricks, like domains having a slightly different address (typosquatting) or phishing forms buried in ads and pop-ups. There\u2019s a simple rule: if your password manager offers to auto-fill your login and password, you\u2019re on a website you\u2019ve previously saved credentials for. If it stays silent, something\u2019s fishy.<\/p>\n

Beyond that, following our time-tested advice will help you defend against various phishing methods, or at least minimize the fallout if an attack succeeds:<\/p>\n