
BITB Attacks: The New Destructive Phishing Technique

The browser in the browser attack (BITB) is the latest form of phishing scam that simulates a browser window within a web browser and steals sensitive user information. Let’s understand the aspects of Browser in-browser attacks and how businesses can ensure stringent security for their consumers and employees to protect against these attacks.


Phishing attacks aren’t uncommon, and we’ve all witnessed fake emails and messages that demand urgent attention at least once. However, there’s much more in the cybersecurity landscape than just conventional email practices when it comes to phishing.

A phishing attack can be a death blow for enterprises that don't take the necessary precautions. The top line is affected, but the brand's image and trust can be obliterated if news of a data breach reaches the public.

The browser in the browser (BITB) attack is a recent form of phishing that simulates a browser window inside the real web browser in order to steal sensitive user information.

The user is presented with a fraudulent pop-up window that asks for the credentials used to sign in to the site open in the underlying browser window, and entering them leads to identity theft.

Below, we look at how browser in the browser attacks work and how businesses can enforce stringent security for their consumers and employees to protect against them.

What Are Browser in the Browser Attacks? Who Is at Higher Risk?

Whenever a user on a phishing page chooses the single sign-on (SSO) option to sign in to an account shared across multiple interconnected applications, the page displays a fraudulent pop-up that collects sensitive information about the user, including login credentials.

The significant difference between a conventional phishing scam and a BITB attack is that the pop-up window shown during the sign-in process displays a URL that matches the authentic one, because the address bar itself is part of the simulated window rather than a real browser control.

In a nutshell, cybercriminals simulate a web browser window within a web browser to spoof a legitimate domain. This attack mainly exploits the single sign-on (SSO) option, which users prefer because it keeps them signed in across different interconnected websites or applications.

Users don’t wish to remember long credentials and are reluctant to enter them again and again. This preference for single sign-on gives cybercriminals an advantage: once a pop-up window appears, users cannot tell a fake domain from a legitimate one.

Businesses that offer single sign-on to their consumers for a seamless experience across multiple applications are at higher risk of exposing sensitive consumer information by falling prey to these browser in the browser attacks.

However, the businesses offering SSO capabilities must understand the risks associated with SSO and incorporate stringent security mechanisms to protect their consumer information.

How Businesses Can Avoid Browser in the Browser Attacks

Since SSO has provided endless opportunities to businesses and consumers, avoiding the use of SSO isn’t a great option at all.

Adding multiple layers of security while implementing single sign-on (SSO) could help businesses prevent browser in the browser attacks and help mitigate other associated risks.


Let’s understand how businesses can reinforce security against BITB attacks.

Incorporating multi-factor authentication (MFA)

Multi-factor authentication (or MFA) is a multi-layered security system that verifies the identity of users for login or other transactions.

By requiring multiple authentication factors, the user account remains secure even if one factor is compromised or disabled.

Codes generated by smartphone apps, answers to personal security questions, codes sent to an email address, fingerprints, etc., are a few examples of multi-factor authentication implemented in day-to-day scenarios.

Adding MFA to your security policy not only helps prevent your users from compromising their identities during a browser in the browser attack but also helps ensure robust protection for your sensitive business information.

The use of software and, better still, hardware tokens as a second identity verification factor is a highly efficient way of reinforcing security against BITB attacks, because a token that binds its response to the genuine site’s origin produces nothing of use to a look-alike page.
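As an added illustration (not code from the original post or from LoginRadius), here is the check a relying party performs on the clientDataJSON of a WebAuthn assertion from a hardware or software token. The browser records the real top-level origin in that document, so an assertion collected on a look-alike page fails verification on the genuine site; the origins, challenge and the `make_client_data` helper are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample values (not from the original post): the relying party's
# real origin and a phishing origin hosting a fake pop-up drawn in HTML.
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil-bitb.test"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the base64url clientDataJSON a browser would hand to the
    authenticator when the ceremony runs on 'origin' (test helper)."""
    doc = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(doc).encode())

def verify_client_data(client_data_b64: str, expected_origin: str, expected_challenge: bytes):
    """Relying-party checks on clientDataJSON from the WebAuthn assertion
    verification procedure. Returns (accepted, reason). The signature check
    over authenticatorData || SHA-256(clientDataJSON) follows these checks
    and is omitted here."""
    try:
        doc = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers base64 padding errors and JSONDecodeError
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(doc, dict) or doc.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if doc.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if doc.get("origin") != expected_origin:
        # This is the check a BITB page cannot pass: the browser, not the
        # attacker's HTML, decides which origin goes into clientDataJSON.
        return False, f"origin mismatch: {doc.get('origin')!r}"
    return True, "ok"

def demo():
    """Genuine assertion is accepted; one produced on the phishing origin is not."""
    challenge = hashlib.sha256(b"constructed-session-nonce").digest()
    genuine = verify_client_data(make_client_data(RP_ORIGIN, challenge), RP_ORIGIN, challenge)
    phished = verify_client_data(make_client_data(PHISH_ORIGIN, challenge), RP_ORIGIN, challenge)
    return genuine, phished
```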

Choosing risk-based authentication (RBA)

Risk-based authentication or adaptive authentication is the one-stop solution for preventing browser in the browser attacks.

RBA is a method of applying various levels of stringency to authentication processes based on the likelihood that access to a given system could be compromised. As the level of risk increases, authentication becomes more restrictive.

Hence, RBA automatically incorporates another layer of authentication in a high-risk situation like a BITB attack, and the user’s identity remains protected.

Risk-based authentication can be incorporated through a cloud-based consumer identity and access management (CIAM) platform that restricts unauthorized access even if the users leverage single sign-on capabilities.

Zero trust architecture

Zero trust is a security concept based on the belief that enterprises shouldn’t automatically trust any device or individual, whether inside or outside their perimeter, and should strictly verify everything before granting access.

In a nutshell, zero trust relies on the principle of “don’t trust anyone.” This architecture cuts all the access points until proper verification is done and trust is established.

No access is granted until the system has verified the individual or device requesting it, together with the IP address, device, and storage involved in the request.

Final Thoughts

Since global businesses face enormous challenges when it comes to ensuring robust security for their consumers, relying on MFA, RBA, and zero trust architecture can provide the highest level of security when it comes to preventing browser in the browser attacks.

Businesses can choose a reliable CIAM solution like LoginRadius that helps brands secure their consumer identities by leveraging the true potential of multi-factor authentication, risk-based authentication, and zero trust architecture.

If you wish to see the future of CIAM in action and understand how it works for your brand, reach us to schedule a personalized demo.



Written by Gurjyot Singh

Gurjyot Singh is an Application Support Engineer at LoginRadius. Handles day-to-day customer technical queries regarding integration and implementation of various web technologies. He is an ardent, focused and exuberant person who has enhanced his knowledge in the web domain by working on various projects and learning on his own. He is a passionate learner and voracious coder with high ambition. In his leisure time he usually goes for photography.
