Among the main cyber threats to organizations and businesses today, social engineering campaigns stand out. Human behavior becomes unpredictable when facing challenges and unfamiliar scenarios, making it hard to feel truly secure when interacting with technological resources tied to our personally identifiable information (PII). Browser-in-the-Middle (BitM) attacks exploit social engineering tactics to trick victims into unconsciously granting access to more valuable technical resources in the background.
What is a Browser-in-the-Middle (BitM) Attack?
Un ataque Browser-in-the-Middle (BitM) permite a los ciberdelincuentes controlar la sesión de un usuario desde el navegador, sin necesidad de comprometer el dispositivo o la red. Esta técnica se basa en la creación de un entorno web falso que imita sitios legítimos. Una vez que el usuario interactúa con la página clonada, el atacante puede interceptar datos sensibles como credenciales, tokens de acceso y códigos de autenticación multifactor.
How is it Different from a Man-in-the-Middle (MitM) Attack?
Aunque ambos buscan interceptar comunicaciones, sus métodos difieren. El MitM actúa a nivel de red, interceptando paquetes entre cliente y servidor, usualmente mediante técnicas como ARP spoofing o certificados maliciosos. En cambio, el BitM actúa directamente desde el navegador, usando interfaces visuales legítimas falsificadas para engañar al usuario y tomar el control de su sesión en tiempo real.
Key Characteristics of BitM Attacks
- Control desde navegador: No se requiere instalar malware en el equipo.
- Visual and functional interception: The attacker can view and manipulate everything the user does on the fake site.
- Captura de sesión y tokens: Incluye cookies, JWTs y otros mecanismos de autenticación.
- MFA evasion: If the user is already authenticated, the attacker can reuse the active session.
- High interface fidelity: The fake pages are almost indistinguishable from the original ones.
How a BitM Attack Works
The initial vector is often a malicious link sent via social media, SMS, or email. When clicked, the user is redirected to a cloned website that acts as an intermediary between them and the real site. This page runs in an isolated container controlled by the attacker, who can observe interactions in real time.
For example, recent campaigns have embedded malicious links in TikTok videos that redirected users to fake banking or email service websites. There, victims entered their credentials and MFA tokens, which were instantly captured and reused by the attackers.
Strategies to Protect Against BitM Attacks
- Always verify the URL before entering sensitive information.
- Avoid shortened links or those from untrusted sources.
- Usa autenticación vinculada a dispositivos, como tokens físicos o biometría.
- Implements cookies con flags Secure y HttpOnly para evitar su exposición.
- Monitor active sessions and set alerts for unusual access activity.
- Keep your browser and extensions up to date.
Additional recommendations
- Train users to recognize fake websites and suspicious behavior patterns.
- Implementa herramientas de detección de comportamiento como UEBA (User and Entity Behavior Analytics).
- Aplica políticas de Zero Trust que limiten el acceso basado en contexto y no en confianza implícita.
- Use browser security extensions that detect cloned or malicious websites.
In summary
Los ataques Browser-in-the-Middle representan una evolución peligrosa en el ámbito del robo de sesiones web. Su capacidad para operar sin malware y engañar visualmente al usuario los convierte en una amenaza crítica. La defensa efectiva depende de una combinación entre tecnologías de detección, arquitectura de seguridad avanzada y la constante educación de los usuarios.
Si estás interesado en seguir aprendiendo sobre estos temas en 7Way Security estamos disponible para continuar la conversación sobre temas de ciberseguridad.
References:
- Ja1ir4m. (2023). Browser in the Middle Attack (BitM): The Perfect Storm for Browser Hijacking. Medium. https://medium.com/ja1ir4m-redxxxploitz/browser-in-the-middle-attack-bitm-the-perfect-storm-for-browser-hijacking-b88abad8deb5
- The Hacker News. (2025, May 3). Hackers Use TikTok Videos to Distribute Browser-in-the-Middle Attack Toolkit. https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
- The Hacker News. (2025, May 6). How Browser-in-the-Middle Attacks Steal Sessions. https://thehackernews.com/2025/05/how-browser-in-middle-attacks-steal.html
- The Hacker News. (2015, September 14). Here's How Hackers Could Hijack your HTTPS Cookies. https://thehackernews.com/2015/09/https-cookies-hacking.html
- Google Cloud Threat Intelligence. (2024). Session Stealing: Browser-in-the-Middle. https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-browser-in-the-middle
- CYPTD. (2024). Beware of the Browser-in-the-Middle Attack: What It Is and How to Protect Yourself. https://cyptd.com/beware-of-the-browser-in-the-middle-attack-what-it-is-and-how-to-protect-yourself/
- Mitre Corporation. (n.d.). CAPEC-701: Browser-in-the-Middle Attack. https://capec.mitre.org/data/definitions/701.html
- Boffo, S., & Arfaoui, G. (2021). Browser-in-the-Middle (BitM) Attack. ResearchGate. https://www.researchgate.net/publication/350955017_Browser-in-the-Middle_BitM_attack
