If you believe that activating two-factor authentication (2FA) guarantees your safety every time, then I've got some bad news for you. The phishing tool called Sneaky2FA has just received a terrifying upgrade: it now uses a method called Browser-in-the-Browser (BitB), a fake login window so realistic that you might not even realize anything is wrong.
What is Sneaky2FA?
Sneaky2FA is a phishing kit that cybercriminals have used for quite some time. It does more than steal your email or social media password: it copies the entire login process, including stealing your 2FA code. What astonished me about Sneaky2FA is that it is now using the BitB attack method. This method presents a fake login pop-up inside your browser that mimics a real Microsoft or Google login window. It looks and feels completely safe, but what you are actually doing is typing your login credentials into a fake window.
With these fake login pop-ups, it is almost as if someone were wearing a mask made from your own browser.
How the Browser-in-the-Browser (BitB) ruse works
How it works:
- You click a standard-looking link, such as a document shared with you
- A "login window" appears inside the page
- The "window" is spot on, complete with a legitimate-looking URL, a lock icon, and so on
- You enter your email, password, and 2FA code
- The criminals capture your data the moment you enter it
- Many people think "I have 2FA, I'm safe", yet the kit also steals the login token, so the attacker signs in as you
- Sneaky2FA is sold as a paid service (phishing-as-a-service, PhaaS), which makes it easy even for novices
- Large companies that rely solely on password + 2FA are becoming vulnerable.
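As an added illustration (not from this article and not code from the Sneaky2FA kit), here is a small Python heuristic that scans page HTML for the tell the list above describes: a "window" whose address bar and padlock are actually page content. The real address bar is browser chrome and never appears in a page's HTML, so text that imitates an identity provider's hostname, especially next to a padlock glyph or inside an element named like a title bar, is worth flagging. The hostname list, the class-name hints and the three sample documents are constructed for this example.

```python
from html.parser import HTMLParser

# Identity-provider hostnames a genuine sign-in window would show in the real
# address bar. Page text that imitates them is the BitB tell: the real address
# bar is browser chrome, never part of the page's HTML. (Constructed list.)
IDP_HOSTS = ("login.microsoftonline.com", "accounts.google.com", "login.live.com")
LOCK_GLYPH = "\U0001F512"                    # the padlock character fakes often draw
SAFE_CONTEXT = {"a", "code", "pre"}          # link text or documentation quoting a URL
CHROME_HINTS = ("address", "urlbar", "url-bar", "titlebar", "title-bar")
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "source"}


class FakeChromeScanner(HTMLParser):
    """Flags text nodes that render an IdP hostname outside of a link or code
    sample. Severity is 'high' when the same node also carries a padlock glyph
    or sits in an element whose id/class names browser chrome."""

    def __init__(self):
        super().__init__()
        self.open = []       # stack of (tag, attrs) for elements still open
        self.findings = []   # (severity, hostname, tag, id/class of the element)

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:             # void elements never get an end tag
            self.open.append((tag, dict(attrs)))

    def handle_endtag(self, tag):
        for i in range(len(self.open) - 1, -1, -1):
            if self.open[i][0] == tag:       # pop to the matching open element
                del self.open[i:]
                break

    def handle_data(self, data):
        text = data.strip()
        if not text or not self.open:
            return
        if any(tag in SAFE_CONTEXT for tag, _ in self.open):
            return
        tag, attrs = self.open[-1]
        ident = f"{attrs.get('id') or ''} {attrs.get('class') or ''}".strip().lower()
        for host in IDP_HOSTS:
            if host in text:
                chrome_like = LOCK_GLYPH in text or any(h in ident for h in CHROME_HINTS)
                self.findings.append(("high" if chrome_like else "medium", host, tag, ident))


def scan_for_fake_chrome(html: str):
    """Return the list of findings for one HTML document."""
    scanner = FakeChromeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a BitB-style pop-up drawn with ordinary page elements.
FAKE_POPUP = """
<div class="modal">
  <div id="fake-titlebar" class="chrome">\U0001F512 login.microsoftonline.com</div>
  <iframe src="/signin.html"></iframe>
</div>"""

# Constructed sample: legitimate documentation that merely mentions the hosts.
LEGIT_DOCS = """
<p>Our SSO is hosted at <a href="https://login.microsoftonline.com">login.microsoftonline.com</a>.</p>
<p>Set the endpoint to <code>https://accounts.google.com/o/oauth2/v2/auth</code>.</p>"""

# Constructed sample: a bare hostname in body text; worth a look, not a verdict.
SUSPECT_TEXT = '<span class="hint">Sign in at accounts.google.com to continue</span>'

if __name__ == "__main__":
    for name, doc in (("fake", FAKE_POPUP), ("docs", LEGIT_DOCS), ("text", SUSPECT_TEXT)):
        print(name, scan_for_fake_chrome(doc))
```

Two caveats for anyone adapting this: a legitimate page can mention an identity provider's hostname in prose, which is why link text and code samples are excluded and a bare mention only rates "medium"; and a BitB pop-up is usually built by the page's JavaScript after load, so a static scan of the served HTML sees less than a browser extension inspecting the live DOM would.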
What you should do (and what I think)
To be honest, I think 2FA is great; however, services like Sneaky2FA show that 2FA in isolation is no longer sufficient. Here's what I think everyone should do:
- Use stronger authentication mechanisms like hardware security keys or passkeys, since these are significantly harder to spoof.
- Watch for any unusual logged-in activity, such as your session being used from a different device.
- Understand what a real login looks like. If a login modal pops up embedded in the web page instead of opening in a new tab or window, that is not normal.
- Review the device details in your sign-in history for anything that seems strange or out of character.
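To show why the first recommendation holds where a 2FA code does not (an added example, not from this article), the following Python model walks through both flows from the list of attack steps above. A TOTP code depends only on the shared seed and the clock, so a code typed into a fake window is just as valid when the kit forwards it to the real site. A passkey assertion, by contrast, signs the server's challenge together with the origin the browser actually loaded, and the server rejects an assertion whose origin is not its own. The authenticator's signature is modelled with HMAC over a per-site secret instead of a real private key so that only the standard library is needed; the origins and relying-party id are constructed, and `phish.invalid` uses the reserved `.invalid` top-level domain.

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"   # constructed relying-party origin
FAKE_ORIGIN = "https://phish.invalid"        # constructed phishing origin (.invalid is reserved)
RP_ID = "login.example.com"                  # constructed relying-party id


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Note the inputs: seed and time only.
    Nothing here records where the code was typed, so it relays unchanged."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp_relay_attempt(now: int) -> bool:
    """The victim types a valid code into the fake window and the kit forwards it
    to the real site within the same time step. True means the site accepts it."""
    seed = secrets.token_bytes(20)          # shared between victim and site at enrolment
    typed_into_fake_window = totp(seed, now)
    relayed_to_real_site = typed_into_fake_window
    return hmac.compare_digest(totp(seed, now), relayed_to_real_site)


class ToyAuthenticator:
    """Stand-in for a passkey or security key. A real one signs with a per-site
    private key; HMAC with a per-site secret is used here to avoid extra libraries."""

    def __init__(self):
        self.credentials = {}

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]       # real flow: the public key goes to the site

    def get_assertion(self, rp_id: str, challenge: str, browser_origin: str):
        # clientDataJSON: the browser, not the page, fills in the origin it loaded.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True).encode()
        signature = hmac.new(self.credentials[rp_id], client_data, hashlib.sha256).hexdigest()
        return client_data, signature


class ToyRelyingParty:
    """The site being logged into; verifies challenge, origin and signature."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credential = None
        self.pending = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: str) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self.pending:
            return False
        if data.get("origin") != self.origin:
            return False                     # the origin check that defeats the fake window
        expected = hmac.new(self.credential, client_data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(data["challenge"])
        return True


def passkey_attempt(browser_origin: str) -> bool:
    """One passkey login where the browser's real top-level origin is browser_origin."""
    authenticator, site = ToyAuthenticator(), ToyRelyingParty(RP_ID, REAL_ORIGIN)
    site.credential = authenticator.register(RP_ID)
    challenge = site.new_challenge()         # a kit can relay this into its fake window...
    client_data, signature = authenticator.get_assertion(RP_ID, challenge, browser_origin)
    return site.verify(client_data, signature)   # ...but cannot change the signed origin


if __name__ == "__main__":
    print("TOTP relayed from fake window accepted:", totp_relay_attempt(1_700_000_000))
    print("Passkey from the real origin accepted:  ", passkey_attempt(REAL_ORIGIN))
    print("Passkey from the fake origin accepted:  ", passkey_attempt(FAKE_ORIGIN))
```

In a real browser the protection starts earlier than this model shows: a credential registered for the relying-party id `login.example.com` is not even offered to a page loaded from another origin, so the fake window never gets an assertion to relay. The server-side origin check modelled in `verify` is the second layer the WebAuthn specification requires, and it is the one a relaying kit cannot talk its way past, because the page that draws the fake window never controls what the browser writes into the signed origin field.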