Red Hot Cyber, il blog italiano sulla sicurezza informatica
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Italian Spanish
Search
Crowdstrike 320×100
Banner Ransomfeed 970x120 1
Sneaky2FA: The phishing scam that steals credentials with browser-in-the-browser attacks

Sneaky2FA: The phishing scam that steals credentials with browser-in-the-browser attacks

Redazione RHC : 22 November 2025 08:39

Push Security specialists have noticed that the Sneaky2FA phishing platform now supports browser-in-the-browser attacks, which allow the creation of fake login windows and the theft of credentials and sessions.

Sneaky2FA and other PhaaS (phishing-as-a-service)

Sneaky2FA is one of the most popular Phishing-as-a-Service (PhaseaS) services among cybercriminals. Along with Tycoon2FA and Mamba2FA , Sneaky2FA primarily targets Microsoft 365 account theft.

This phishing kit is known for attacks using SVG and the “attacker-in-the-middle” tactic: the authentication process is forwarded via a phishing page to the real service, allowing attackers to intercept session tokens.

As a result, even with two-factor authentication (2FA) enabled, attackers gain access to the victim’s account.

The browser-in-the-browser (BitB) attack technique

The browser-in-the-browser (BitB) attack technique was first described in 2022 by a security researcher known under the pseudonym mr.d0x. He demonstrated that browser-in-the-browser attacks enable the creation of phishing login forms using fake browser windows.

The attack relies on the fact that when you access a website, a message often appears prompting you to sign in using a Google, Microsoft, Apple, Twitter, Facebook, Steam , or other account. Clicking such a button (for example, “Sign in with Google “) opens a Single Sign-On (SSO) window in the browser, prompting you to enter your credentials and log in with that account.

These windows are truncated, displaying only the login form and an address bar displaying the URL. This URL verifies that the site is being accessed through a real domain (e.g., google.com), further strengthening the user’s trust in the process.

Essentially, attackers create fake browser windows within real browser windows and present victims with login pages or other forms to steal credentials or one-time passcodes (OTPs).

Example of a browser-in-the-browser (BitB) attack

Sneaky2F and browser-in-the-browser (BitB)

BitB is now actively used in Sneaky2F: the fake page dynamically adapts to the victim’s operating system and browser (for example, imitating Edge on Windows or Safari on macOS).

The attack works as follows:

  • You are required to sign in with a Microsoft account to view the document;
  • After clicking, a fake BitB window appears with a fake Microsoft address bar;
  • Inside the window, a reverse proxy phishing page is loaded that exploits the real login process to steal credentials and a session token.

Essentially, using BitB’s technique adds an additional layer of deception to Sneaky2FA’s existing capabilities.

Researchers note that the phishing kit uses advanced HTML and JavaScript obfuscation to evade static detection (the text is interspersed with invisible tags, and the interface elements are encoded images). While everything appears normal to the user, this hinders the functioning of security tools. Additionally, Sneaky2FA redirects bots and researchers to a separate, harmless page.

Immagine del sitoRedazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli