Man, just when we think we have this cybersecurity thing figured out, someone throws a wrench in the works. One of the easiest ways to tell whether a website is shady is no longer as solid as it once was. Conventional wisdom says checking the URL is one of the surest ways to spot an imposter. That is no longer always the case.
The URL is a web address like https://www.google.co.zw/
See, fake websites usually have small typos in their URLs that fool people who don’t know to check for that, and people who are not paying attention. For example, instead of cbzbank.co.zw (the correct CBZ website) a fake website may use cdzbank.co.zw. The aim is to get users to type their login credentials into the fake website, where the scammer collects them.
Generally, no one can register a domain name that someone else already holds, so scammers cannot use the actual URL of the website they want to imitate. That is why they change a few letters, and that is what made “just check the URL” solid advice.
The browser-in-the-browser (BitB) attack
A security researcher showed that a web page can draw, with ordinary HTML and CSS, a fake pop-up window that looks exactly like a real Chrome window, complete with a typo-free URL in its fake address bar and a padlock. The BitB attack imitates the pop-up windows that appear when you pick “Sign in with Google” (or Microsoft, Facebook, Apple, Twitter and others) to log into some other website. We use those authentication services because they make logging in easier and safer, and it is precisely those pop-ups that the BitB attack simulates.
Before the BitB attack was made public, one would have been comfortable with the pop-up above. The URL looks legit, there is a padlock suggesting a secure connection, and there are no other obvious warning signs: the page loaded fine and there are no graphical irregularities.
Now, in the age of the BitB attack, that won’t be enough: the address bar, the padlock and the whole window frame can all be faked. So, are we doomed? Not necessarily; there are still ways to make sure we don’t fall for attacks like these.
There is hope
For one, BitB only works after you have already been lured onto a malicious site. If you are on a legitimate website, a scammer cannot, to our knowledge, swap out the real login pop-up there. So one of the old rules of the web becomes even more important: be suspicious of links that are shared with you. If you never land on a malicious website, the BitB attack is unlikely to get you. There is also a simple test when a login pop-up does appear: a real pop-up is a separate browser window, so you can drag it outside the edge of the main window, while a BitB fake is drawn inside the web page and cannot leave it.
Then there is the protection that password managers provide. BitB may fool a human with a perfectly copied pop-up, but a password manager won’t fall for it. The fake window is just part of the scammer’s page, so the address the browser actually loaded is the scammer’s domain, not the address painted into the fake bar. Password managers decide whether to offer autofill by matching that real address against the site each saved login belongs to, so on the scammer’s page they will simply have nothing to offer for your Google or Microsoft account. If your password manager suddenly goes quiet on a login page it normally fills, treat that as a warning sign rather than typing the password in by hand.
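Both points above, checking the URL for lookalike domains and the password manager matching on the real address rather than on anything painted inside the page, come down to the same idea: what matters is the origin the browser actually connected to. The script below is an added example written for this article, not code from the original post or from any password manager. It assumes a tiny hard-coded public-suffix table (real tools load the full Public Suffix List), a constructed vault with made-up accounts, and invented hosts such as login-help.example and evil.example.

```javascript
// Added example, not code from the original post: a check on the *real*
// origin of a URL, the thing a fake BitB address bar cannot change.
// Assumptions: a tiny hard-coded public-suffix table (real tools load the
// full Public Suffix List), a constructed password vault, and made-up hosts
// such as login-help.example and evil.example.

// Enough of the public-suffix table for the .co.zw and .com hosts used here.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "zw", "co.zw"]);

// Registrable domain of a hostname: the longest known public suffix plus one
// more label. "www.cbzbank.co.zw" -> "cbzbank.co.zw",
// "accounts.google.com" -> "google.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Levenshtein edit distance, used to spot one- or two-letter typosquats
// such as cdzbank.co.zw vs cbzbank.co.zw.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Domains the user actually banks or logs in with (constructed list).
const TRUSTED_DOMAINS = ["cbzbank.co.zw", "google.com"];

// Classify a URL by what the browser would really connect to. The URL
// parser, not a human eyeballing the string, decides what the host is:
// "https://cbzbank.co.zw@evil.example/" has host evil.example.
function classifyUrl(url, trusted = TRUSTED_DOMAINS, maxDistance = 2) {
  const domain = registrableDomain(new URL(url).hostname);
  if (trusted.includes(domain)) return "trusted";
  if (trusted.some((t) => editDistance(domain, t) <= maxDistance)) return "lookalike";
  return "unknown";
}

// A password manager keys each saved login by the origin it was saved on and
// offers autofill only when the page's real origin matches. Text drawn inside
// a fake BitB window (page.paintedAddressBar) never takes part.
function autofillCandidates(vault, page) {
  const pageDomain = registrableDomain(new URL(page.realOrigin).hostname);
  return vault
    .filter((e) => registrableDomain(new URL(e.origin).hostname) === pageDomain)
    .map((e) => e.username);
}

// Constructed vault entries (not real accounts).
const VAULT = [
  { origin: "https://accounts.google.com", username: "alice@gmail.com" },
  { origin: "https://www.cbzbank.co.zw", username: "alice" },
];

// A BitB page: the attacker's real origin, with a convincing Google URL
// painted into a fake address bar inside the page (hypothetical host).
const BITB_PAGE = {
  realOrigin: "https://login-help.example",
  paintedAddressBar: "https://accounts.google.com/o/oauth2/v2/auth",
};
// A genuine Google pop-up is its own window with its own real origin.
const REAL_POPUP = { realOrigin: "https://accounts.google.com", paintedAddressBar: null };

for (const u of ["https://www.cbzbank.co.zw/", "https://cdzbank.co.zw/",
                 "https://cbzbank.co.zw@evil.example/"]) {
  console.log(u, "->", classifyUrl(u));
}
console.log("BitB page autofill:", autofillCandidates(VAULT, BITB_PAGE));
console.log("real pop-up autofill:", autofillCandidates(VAULT, REAL_POPUP));
```

Run it with `node` and the BitB page gets an empty autofill list while the genuine pop-up gets the saved Google login; the typo domain is flagged as a lookalike, and the userinfo trick (`cbzbank.co.zw@evil.example`) resolves to the real host, which is exactly what a browser and a password manager do behind the scenes.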
So, it might be time to think about using those password managers. Find out more about password managers from my colleague who explains why he settled on Bitwarden: