Sunday, January 18, 2026

Beware – Fake Facebook Login Page Targets Users in Latest Phishing Scam

Cyber-security analysts are warning of a sophisticated credential-harvesting campaign that combines a deceptive “I’m not a robot” CAPTCHA prompt with a Browser-in-the-Browser (BitB) overlay to mimic Facebook’s login window.

The multi-stage lure is designed to harvest account credentials and session cookies from unsuspecting users.

How the Attack Unfolds

  1. Malicious Redirect
    Users typically encounter the scam after clicking a shortened or obfuscated link in social-media DMs, paid ads, or SEO-poisoned Google results. The URL often points to a compromised WordPress site that immediately issues a 302 redirect to an attacker-controlled domain hosting the phish.
  2. Fake CAPTCHA Gate
    The landing page presents a Google-branded reCAPTCHA Enterprise widget. Unlike a genuine reCAPTCHA, which is served from a google.com domain, the iframe source here is cdn-recaptcha-validation[dot]com, a look-alike domain registered two months ago and hosted on a bulletproof ASN in Russia. Pressing the “I’m not a robot” checkbox triggers JavaScript that records browser fingerprint data (user agent, language, timezone, and WebGL hashes) and forwards it to the C2 server.
  3. Browser-in-the-Browser Overlay
    If the fingerprint passes basic anti-bot checks, victims see a pop-up that perfectly mimics Chrome’s window chrome, including rounded corners, drop shadows, and even a fabricated address bar set to https://www.facebook.com/login.php. This BitB window is implemented with HTML <div> elements styled via CSS transform: scale(0.94) to appear slightly smaller than the parent viewport—creating the illusion of a separate browser dialog.
  4. Credential Theft
    Submitted email-password pairs are POSTed to /gate.php on the attacker domain and immediately validated via the Facebook Graph API. Successful logins trigger the server to request a 2FA code or backup recovery tokens, which the page then re-prompts the user to enter. Stolen session cookies are shipped to a Telegram bot for real-time hijacking.

Technical Indicators

Artifact             Details
Registrar            Namecheap, created: 2025-07-03
Malicious domains    cdn-recaptcha-validation[.]com, fb-login-secure[.]net
C2 IP                185.180.199.54 (AS9009, M247)
JS libraries         fingerprintjs-pro, sweetalert2 (modified), CryptoJS
SHA-256 of main JS   9f3b8e6d9e8f4b7c3d0a12f4e6f9871b0e1c8d5b3a1f9576b1e4ab3c7d9e8f6

Why BitB Works

BitB attacks exploit users’ trust in familiar UI chrome. Because the “window” is drawn entirely inside the current tab, the browser’s own defenses, such as address-bar anti-spoofing and certificate indicators, never apply to it; they protect only the real window chrome, which the victim is no longer looking at.

Security-conscious users who typically hover over URLs may still be fooled—the forged bar displays a valid padlock icon rendered from Feather icons.

Mitigation Tips

  • Enable Facebook’s “login alerts” and review recognized devices weekly.
  • Deploy enterprise SSO with WebAuthn hardware keys; BitB cannot steal private keys stored on YubiKeys.
  • Train employees to drag dubious pop-ups outside the browser viewport; genuine modal dialogs cannot leave the tab area.
  • Block newly registered domains (less than 30 days old) at the gateway to thwart fast-flux phishing infrastructure.
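As an added example (not code from the article, Facebook, or any vendor), the following Python shows the relying-party checks behind the WebAuthn tip above: the browser, not the page, fills in clientDataJSON.origin, and the authenticator signs over a hash of the rpId, so an assertion obtained on a look-alike origin fails verification no matter how convincing the overlay is. The relying-party ID, origins and challenge value are constructed for illustration.

```python
import base64
import hashlib
import json
# Constructed example values (not taken from the campaign): the genuine relying
# party and a phishing origin modelled on the look-alike domains named above.
RP_ID = "facebook.com"
GENUINE_ORIGIN = "https://www.facebook.com"
PHISHING_ORIGIN = "https://fb-login-secure.net"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: str) -> str:
    # Simulates the clientDataJSON the browser builds; page scripts cannot set "origin".
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(data).encode())

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> str:
    # Simulates authenticatorData: sha256(rpId) || flags || 4-byte signature counter.
    digest = hashlib.sha256(rp_id.encode()).digest()
    return b64url_encode(digest + bytes([flags]) + counter.to_bytes(4, "big"))

def verify_assertion_binding(client_data_b64, auth_data_b64, expected_challenge,
                             expected_origin, rp_id):
    """Relying-party origin and rpId checks from the WebAuthn assertion procedure.
    The final signature check over authData || sha256(clientDataJSON) is omitted."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: " + repr(client_data.get("origin"))
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    challenge = b64url_encode(b"server-issued-random-challenge")
    for origin in (GENUINE_ORIGIN, PHISHING_ORIGIN):
        print(origin, verify_assertion_binding(make_client_data(origin, challenge), make_auth_data(RP_ID), challenge, GENUINE_ORIGIN, RP_ID))
```

In practice the browser would not even produce an assertion on the phishing origin, because the rpId must match the calling page's domain; the origin check is the relying party's backstop if an assertion is somehow relayed.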

Outlook

Researchers at Huntress Labs note that the kit’s codebase overlaps with last year’s Steam BitB campaign, suggesting a commoditized phishing-as-a-service model.

With CAPTCHA gates lowering suspicion and BitB windows bypassing visual checks, hybrid lures like this are expected to proliferate.

Until browsers can cryptographically bind window chrome to origin, user vigilance and strong, phishing-resistant authentication remain the best defense.
