Normal view
-
Kaspersky official blog

- What a browser-in-the-browser attack is, and how to spot a fake login window | Kaspersky official blog
What a browser-in-the-browser attack is, and how to spot a fake login window | Kaspersky official blog
In 2022, we dived deep into an attack method called browser-in-the-browser β originally developed by the cybersecurity researcher known as mr.d0x. Back then, no actual examples existed of this model being used in the wild. Fast-forward four years, and browser-in-the-browser attacks have graduated from the theoretical to the real: attackers are now using them in the field. In this post, we revisit what exactly a browser-in-the-browser attack is, show how hackers are deploying it, and, most importantly, explain how to keep yourself from becoming its next victim.
What is a browser-in-the-browser (BitB) attack?
For starters, letβs refresh our memories on what mr.d0x actually cooked up. The core of the attack stems from his observation of just how advanced modern web development tools β HTML, CSS, JavaScript, and the like β have become. Itβs this realization that inspired the researcher to come up with a particularly elaborate phishing model.
A browser-in-the-browser attack is a sophisticated form of phishing that uses web design to craft fraudulent websites imitating login windows for well-known services like Microsoft, Google, Facebook, or Apple that look just like the real thing. The researcherβs concept involves an attacker building a legitimate-looking site to lure in victims. Once there, users canβt leave comments or make purchases unless they βsign inβ first.
Signing in seems easy enough: just click the Sign in with {popular service name} button. And this is where things get interesting: instead of a genuine authentication page provided by the legitimate service, the user gets a fake form rendered inside the malicious site, looking exactly likeβ¦ a browser pop-up. Furthermore, the address bar in the pop-up, also rendered by the attackers, displays a perfectly legitimate URL. Even a close inspection wonβt reveal the trick.
From there, the unsuspecting user enters their credentials for Microsoft, Google, Facebook, or Apple into this rendered window, and those details go straight to the cybercriminals. For a while this scheme remained a theoretical experiment by the security researcher. Now β real-world attackers have added it to their arsenals.
Facebook credential theft
Attackers have put their own spin on mr.d0xβs original concept: recent browser-in-the-browser hits have been kicking off with emails designed to alarm recipients. For instance, one phishing campaign posed as a law firm informing the user theyβd committed a copyright violation by posting something on Facebook. The message included a credible-looking link allegedly to the offending post.
Attackers sent messages on behalf of a fake law firm alleging copyright infringement β complete with a link supposedly to the problematic Facebook post. Source
Interestingly, to lower the victimβs guard, clicking the link didnβt immediately open a fake Facebook login page. Instead, they were first greeted by a bogus Meta CAPTCHA. Only after passing it was the victim presented with the fake authentication pop-up.
This isnβt a real browser pop-up; itβs a website element mimicking a Facebook login page β a ruse that allows attackers to display a perfectly convincing address. Source
Naturally, the fake Facebook login page followed mr.d0xβs blueprint: it was built entirely with web design tools to harvest the victimβs credentials. Meanwhile, the URL displayed in the forged address bar pointed to the real Facebook site β www.facebook.com.
How to avoid becoming a victim
The fact that scammers are now deploying browser-in-the-browser attacks just goes to show that their bag of tricks is constantly evolving. But donβt despair β thereβs a way to tell if a login window is legit. A password managerΒ is your friend here, which, among other things, acts as a reliable security litmus test for any website.
Thatβs because when it comes to auto-filling credentials, a password manager looks at the actual URL, not what the address bar appears to show, or what the page itself looks like. Unlike a human user, a password managerΒ canβt be fooled with browser-in-the-browser tactics, or any other tricks, like domains having a slightly different address (typosquatting) or phishing forms buried in ads and pop-ups. Thereβs a simple rule: if your password manager offers to auto-fill your login and password, youβre on a website youβve previously saved credentials for. If it stays silent, somethingβs fishy.
Beyond that, following our time-tested advice will help you defend against various phishing methods, or at least minimize the fallout if an attack succeeds:
- Enable two-factor authentication (2FA) for every account that supports it. Ideally, use one-time codes generated by a dedicated authenticator app as your second factor. This helps you dodge phishing schemes designed to intercept confirmation codes sent via SMS, messaging apps, or email. You can read more about one-time-code 2FA in our dedicated post.
- Use passkeys. The option to sign in with this method can also serve as a signal that youβre on a legitimate site. You can learn all about what passkeys are and how to start using them in our deep dive into the technology.
- Set unique, complex passwords for all your accounts. Whatever you do, never reuse the same password across different accounts. We recently covered what makes a password truly strong on our blog. To generate unique combinations β without needing to remember them β Kaspersky Password ManagerΒ is your best bet. As an added bonus, it can also generate one-time codes for two-factor authentication, store your passkeys, and synchronize your passwords and files across your various devices.
Finally, this post serves as yet another reminder that theoretical attacks described by cybersecurity researchers often find their way out into the wild. So, keep an eye on our blog, and subscribe to our Telegram channelΒ to stay up to speed on the latest threats to your digital security and how to shut them down.
Read about other inventive phishing techniques scammers are using day in day out:




'Bèta WhatsApp Web heeft ondersteuning voor bellen en videobellen'
Vivaldi 7.8 maakt van tabbladen vrij te slepen tegels voor multitasken
Gemini-assistent kan in VS zelfstandig taken uitvoeren in Google Chrome
Google Chrome krijgt volgende week waarschijnlijk verticale tabbladbalk
Opera werkt aan Linux-versie van GX-browser voor gamers
Mozilla voegt 25 jaar na verzoek functie toe om sneltoetsen te personaliseren
Google voegt langverwachte ondersteuning JPEG XL toe aan Chrome
Kagi brengt alfaversie van Orion-browser voor Linux uit voor Orion+-abonnees
-
Kaspersky official blog

- The Stealka stealer hijacks accounts and steals crypto while masquerading as pirated software | Kaspersky official blog
The Stealka stealer hijacks accounts and steals crypto while masquerading as pirated software | Kaspersky official blog
In November 2025, Kaspersky experts uncovered a new stealer named Stealka, which targets Windows usersβ data. Attackers are using Stealka to hijack accounts, steal cryptocurrency, and install a crypto miner on their victimsβ devices. Most frequently, this infostealer disguises itself as game cracks, cheats and mods.
Hereβs how the attackers are spreading the stealer, and how you can protect yourself.
How Stealka spreads
A stealer is a type of malware that collects confidential information stored on the victimβs device and sends it to the attackersβ server. Stealka is primarily distributed via popular platforms like GitHub, SourceForge, Softpedia, sites.google.com, and others, disguised as cracks for popular software, or cheats and mods for games. For the malware to be activated, the user must run the file manually.
Hereβs an example: a malicious Roblox mod published on SourceForge.
And hereβs one on GitHub posing as a crack for Microsoft Visio.
Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus, the average user is unlikely to realize anything is amiss.
Admittedly, the cracks and software advertised on these fake sites can sometimes look a bitΒ off. For example, here the attackers are offering a download for Half-Life 3, while at the same time claiming itβs not actually a game but some kind of βprofessional software solution designed for Windowsβ.
Malware disguised as Half-Life 3, which is also somehow βa professional software solution designed for Windowsβ. A lot of professionals clearly spent their best years on this softwareβ¦
The truth is that both the page title and the filename are just bait. The attackers simply use popular search terms to lure users into downloading the malware. The actual file content has nothing to do with whatβs advertised β inside, itβs always the same infostealer.
The site also claimed that all hosted files were scanned for viruses. When the user decides to download, say, a pirated game, the site displays a banner saying the file is being scanned by various antivirus engines. Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness.
What makes Stealka dangerous
Stealka has a fairly extensive arsenal of capabilities, but its prime target is data from browsers built on the Chromium and Gecko engines. This puts over a hundred different browsers at risk, including popular ones like Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as many, many others.
Browsers store a huge amount of sensitive information, which attackers use to hijack accounts and continue their attacks. The main targets are autofill data, such as sign-in credentials, addresses, and payment card details. Weβve warned repeatedly that saving passwords in your browser is risky β attackers can extract them in seconds. Cookies and session tokens are perhaps even more valuable to hackers, as they can allow criminals to bypass two-factor authentication and hijack accounts without entering the password.
The story doesnβt end with the account hack. Attackers use these compromised accounts to spread the malware further. For example, we discovered the stealer in a GTAV mod posted on a dedicated site by an account that had previously been compromised.
Beyond stealing browser data, Stealka also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services. Here are some of the most popular extensions now at risk:
- Crypto wallets: Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Exodus
- Two-factor authentication: Authy, Google Authenticator, Bitwarden
- Password management: 1Password, Bitwarden, LastPass, KeePassXC, NordPass
Finally, the stealer also downloads local settings, account data, and service files from a wide variety of applications:
- Crypto wallets. Wallet configurations may contain encrypted private keys, seed-phrase data, wallet file paths, and encryption parameters. Thatβs enough to at least make an attempt at stealing your cryptocurrency. At risk are 80 wallet applications, including Binance, Bitcoin, BitcoinABC, Dogecoin, Ethereum, Exodus, Mincoin, MyCrypto, MyMonero, Monero, Nexus, Novacoin, Solar, and many others.
- Messaging apps. Messaging app service files store account data, device identifiers, authentication tokens, and the encryption parameters for your conversations. In theory, a malicious actor could gain access to your account and read your chats. At risk are Discord, Telegram, Unigram, Pidgin, Tox, and others.
- Password managers. Even if the passwords themselves are encrypted, the configuration files often contain information that makes cracking the vault significantly easier: encryption parameters, synchronization tokens, and details about the vault version and structure. At risk are 1Password, Authy, Bitwarden, KeePass, LastPass, and NordPass.
- Email clients. These are where your account credentials, mail server connection settings, authentication tokens, and local copies of your emails can be found. With access to your email, an attacker will almost certainly attempt to reset passwords for your other services. At risk are Gmail Notifier Pro, Claws, Mailbird, Outlook, Postbox, The Bat!, Thunderbird, and TrulyMail.
- Note-taking apps. Instead of shopping lists or late-night poetry, some users store information in their notes that has no business being there, like seed phrases or passwords. At risk are NoteFly, Notezilla, SimpleStickyNotes, and Microsoft StickyNotes.
- Gaming services and clients. The local files of gaming platforms and launchers store account data, linked service information, and authentication tokens. At risk are Steam, Roblox, Intent Launcher, Lunar Client, TLauncher, Feather Client, Meteor Client, Impact Client, Badlion Client, and WinAuth for battle.net.
- VPN clients. By gaining access to configuration files, attackers can hijack the victimβs VPN account to mask their own malicious activities. At risk are AzireVPN, OpenVPN, ProtonVPN, Surfshark, and WindscribeVPN.
Thatβs an extensive list β and we havenβt even named all of them! In addition to local files, this infostealer also harvests general system data: a list of installed programs, the OS version and language, username, computer hardware information, and miscellaneous settings. And as if that werenβt enough, the malware also takes screenshots.
How to protect yourself from Stealka and other infostealers
- Secure your device with reliable antivirus software. Even downloading files from legitimate websites is no guarantee of safety β attackers leverage trusted platforms to distribute stealers all the time. Kaspersky PremiumΒ detects malware on your computer in time and alerts you to the threat.
- Donβt store sensitive information in browsers. Itβs handy β no one can argue with that. But unfortunately browsers arenβt the most secure environment for your data. Sign-in credentials, bank card details, secret notes, and other confidential information are better kept in a securely encrypted format in Kaspersky Password Manager, which is immune to the exploits used by Stealka.
- Be careful with game cheats, mods, and especially pirated software. Itβs better to pay up for official software than to chase the false savings offered by software cracks, and end up losing all your money.
- Enable two-factor authentication or use backup codes wherever possible. Two-factor authentication (2FA) makes life much harder for attackers, while backup codes help you regain access to your critical accounts if compromised. Just be sure not to store backup codes in text documents, notes, or your browser. For all your backup codes and 2FA tokens, use a reliable password manager.
Curious what other stealers are out there, and what theyβre capable of? Read more in our other posts:




Browser Plugin Oversharing
Brian King // Β Do you know what that browser plugin is doing? Thereβs a browser plugin for just about everything. You can find one to change the name of [β¦]
The post Browser Plugin Oversharing appeared first on Black Hills Information Security, Inc..