Is nothing safe? Fake logins!

by | Apr 7, 2022 | News, Security

Every day, there is a new cyber-threat to watch out for, and to warn friends and colleagues about.

I’m frequently stunned when talking to friends and colleagues that these threats are abstract and academic.


For the sake of absolute clarity, these cyber risks are real and face us every day. Even small kiwi businesses are targets for hackers.

They either want to steal your data, and blackmail you into paying them, on the off-chance that you would trust someone that is fundamentally untrustworthy, or they want to use your data as a pathway to attack someone else.

The threat today is called “BITB” and that stands for “Browser in the Browser”. That isn’t as double-dutch as it sounds.

What’s happened is that we have become used to tools that ask us to login using our credentials from something else.

You’ve seen boxes like these before: (thanks LinkedIn & TripAdvisor!) I’m sure these are both perfectly secure, and the idea of logging in using trusted credentials from something like Google or Facebook makes perfect sense because it is less to remember, and it is better than having a simple password that you repeat across loads of sites.

It is called SSO (Single Sign-On) and it’s a huge help for most of us. In fact, these are so common that developers share their code with each other so they don’t all have to reinvent the wheel and write the same modules.

Unfortunately, the forces of darkness, the hackers, are starting to take advantage of our familiarity with these kinds of screens and they are creating fraudulent log in screens, even faking the URL. We haven’t seen an example ourselves so the attached image is borrowed from TechRepublic. You can see a distantly Eastern European flavour in this image, reflecting comments we’ve made in earlier posts.

The hackers still have to compromise a website and add their malicious code to it, then wait for you to happily login and enter your details. Alternatively, they will lure you to a fake website with a fake login screen that you will grant access to with your Google/Facebook etc credentials.

Your first lines of cyber defence:

  • Alert – be on your guard, as always
  • MFA – multi-factor authentication
  • Password manager – like KARE Password Vault.