New Phishing Kit Exploits Browser-in-the-Browser Trick for Credential Theft
- John Jordan

- 2 hours ago
Cybercriminals are employing a sophisticated new phishing kit, dubbed "Sneaky 2FA," which utilizes a deceptive Browser-in-the-Browser (BitB) technique to trick users into revealing their login credentials. This advanced method creates fake browser windows that perfectly mimic legitimate login pages, making it significantly harder for victims to detect fraudulent attempts.
Key Takeaways
- The "Sneaky 2FA" phishing kit now incorporates Browser-in-the-Browser (BitB) technology.
- BitB creates fake browser windows that impersonate legitimate login pages, complete with realistic URLs.
- This technique aims to steal Microsoft account credentials and other sensitive information.
- Attackers are using bot protection and conditional loading to evade detection.
- The evolution of phishing kits highlights the ongoing arms race in cybersecurity.
The Browser-in-the-Browser Deception
The Browser-in-the-Browser (BitB) technique, first detailed in March 2022, leverages HTML and CSS to construct convincing fake browser windows. These pop-ups are designed to mask malicious phishing URLs by presenting a seemingly normal in-browser authentication process. The fake window displays a legitimate-looking URL, such as a Microsoft login address, leading victims to believe they are interacting with a trusted service.
In a recent observed attack chain, users who clicked on a suspicious link were first presented with a Cloudflare Turnstile check. Upon passing this bot protection, they were shown a "Sign in with Microsoft" button. Clicking this button triggered the BitB technique, loading a phishing page within an embedded browser window that exfiltrated the entered credentials and session details to the attackers.
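Because a BitB pop-up is ordinary page content rather than a real browser window, its fake address bar is just a text node that a scanner can look for. The following Python check, added here and not part of the original article or of the Sneaky 2FA kit, flags a fetched page whose rendered text prints a trusted login URL while the page itself was served from a different host and embeds an iframe; the trusted-host list, the page URL and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Login hosts whose URL appearing as *visible text* on a foreign page is suspicious (assumed list).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

class _PageScan(HTMLParser):
    """Collects hosts named in rendered text and counts embedded frames."""

    def __init__(self):
        super().__init__()
        self.text_hosts, self.iframes, self._hidden = set(), 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1  # text inside these elements is never rendered
        elif tag == "iframe":
            self.iframes += 1  # BitB kits load the login form into a frame inside the fake window

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_hosts.update(h.lower() for h in URL_RE.findall(data))

def bitb_indicators(page_url: str, html: str) -> list[str]:
    """Return indicators of a BitB overlay; an empty list means none were seen."""
    page_host = (urlparse(page_url).hostname or "").lower()
    if page_host in TRUSTED_LOGIN_HOSTS:
        return []  # the genuine login host may legitimately print its own URL
    scan = _PageScan()
    scan.feed(html)
    spoofed = sorted(scan.text_hosts & TRUSTED_LOGIN_HOSTS)
    found = [f"rendered text shows trusted login URL for {h}" for h in spoofed]
    if spoofed and scan.iframes:
        found.append(f"{scan.iframes} embedded frame(s) alongside the fake address bar")
    return found

def is_suspected_bitb(page_url: str, html: str) -> bool:
    """A URL in text alone may be a blog quoting it; require the frame as well."""
    return len(bitb_indicators(page_url, html)) >= 2

# Constructed sample: a foreign page painting a Microsoft URL as text above an iframe.
SAMPLE_BITB_HTML = """<html><body><div style="position:fixed;top:120px;left:300px">
<div class="addressbar">https://login.microsoftonline.com/common/oauth2/authorize</div>
<iframe src="/auth/frame.html"></iframe></div></body></html>"""
```

Run on the sample with a constructed page URL such as `https://phish.example/verify` and both indicators fire; the same markup served from `login.microsoftonline.com` yields none.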
Evading Detection and Analysis
To further enhance their evasion capabilities, the operators behind Sneaky 2FA are implementing several advanced tactics. These include the use of bot protection technologies like CAPTCHA and Cloudflare Turnstile to prevent automated analysis and security tools from accessing their phishing pages. Additionally, conditional loading techniques ensure that only intended targets access the malicious content, while others are either filtered out or redirected to benign websites.
The Sneaky 2FA kit itself is known for its resistance to analysis. It employs obfuscation methods and disables browser developer tools to thwart attempts to inspect its code. Furthermore, the phishing domains are rapidly rotated to minimize the chances of detection by security vendors.
Broader Trends in Phishing Attacks
The integration of BitB into phishing kits like Sneaky 2FA underscores the continuous innovation within the Phishing-as-a-Service (PhaaS) ecosystem. As identity-based attacks remain a leading cause of data breaches, threat actors are incentivized to refine their infrastructure and techniques.
This development also comes amidst research into other advanced attack vectors, such as the "Passkey Pwned Attack," which can manipulate WebAuthn APIs using malicious browser extensions to bypass passkey authentication. Additionally, downgrade attacks are being used by some kits to trick users into selecting less secure, phishable authentication methods even when passkeys are available.
Security experts advise users to remain vigilant against suspicious messages and browser extensions. Organizations are encouraged to implement conditional access policies to mitigate account takeover risks by enforcing stricter login criteria.
Sources
Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar, The Hacker News.