
# This Chrome Phishing Kit Is Scary as Hell – Review Geek



Tricking people into handing over their login credentials has never been easier. As shown in a new phishing toolkit, Single Sign-On (SSO) pop-ups are incredibly easy to spoof in Chrome, and a login box’s URL may not indicate whether a site is truly legitimate.

You know how some websites let you log in using your Google, Apple, Facebook, or Amazon account? That’s an SSO login—it’s a valuable time-saver, as it reduces the number of usernames and passwords that you need to remember.

Here’s the problem: hackers can perfectly replicate these SSO windows in Chrome, even down to the URL. A new phishing kit from mr.d0x, a security researcher, includes a ready-made template that novice hackers or white hats can use to quickly build a convincing SSO pop-up. (Other templates may already be floating around within hacking circles.)

A real Facebook browser-in-browser login window next to a fake one. They look identical, even down to the URL.
mr. d0x

Hackers who utilize these fake SSO windows will stick them in all manner of websites. A hacker may send you an email about your Dropbox account, for example, and tell you to visit a certain link. This link could direct to a fake Dropbox webpage with SSO login options for Google, Apple, and Facebook. Any information you input in these fake SSO boxes, like your Google login, will be collected by the hacker.

Of course, pirate video websites (and other sites offering “free” stuff) may be the most common destination for these spoofed SSO windows. A hacker can build a pirate video website that requires an SSO login, for example, effectively forcing people to hand over their Google or Facebook credentials.

To clarify, mr.d0x did not invent the SSO or browser-in-browser phishing exploit. Hackers began spoofing SSO login windows several years ago. This phishing kit simply shows how such exploits work. Additionally, corporations may use this kit to test their employees’ ability to spot phishing schemes.

Avoiding a phishing attack can be difficult. I suggest that you start by installing a password manager, which can often detect phishing attempts and will help you use unique login information for every website (which reduces any damage from a successful phishing attack). You should also avoid opening links in emails or text messages, even if they look serious or legitimate.
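Why a password manager helps here, as an added example that is not from Review Geek or mr.d0x: the manager compares the address the browser actually loaded with the one saved alongside the login, so a URL that is only drawn inside a fake pop-up never enters the decision. The exact-origin policy, the function names and every sample URL below are assumptions constructed for illustration; real password managers differ in how strictly they match.

```javascript
// Added example: exact-origin matching, one policy a credential filler can use.
// All names and sample URLs are constructed for illustration.

// Normalize a URL string to its origin (scheme + host + port), or null if unusable.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return null;
  }
  // Only offer credentials over HTTPS; file:, data:, about: etc. have no usable origin.
  if (u.protocol !== "https:") return null;
  return u.origin; // userinfo, path, query and fragment are all dropped here
}

// Decide whether to offer a saved login on the page that is actually loaded.
// `documentUrl` is the top-level URL reported by the browser, NOT any text
// rendered inside the page (such as a drawn address bar in a fake pop-up).
function shouldOfferAutofill(savedUrl, documentUrl) {
  const saved = originOf(savedUrl);
  const actual = originOf(documentUrl);
  return saved !== null && saved === actual;
}

// Constructed cases: [description, URL the browser really loaded, expected result]
const SAVED = "https://www.facebook.com/login";
const CASES = [
  ["genuine SSO window", "https://www.facebook.com/login.php?next=x", true],
  ["fake pop-up drawn inside a phishing page", "https://dropbox-files.example/login", false],
  ["brand as a subdomain of another host", "https://www.facebook.com.login.example/", false],
  ["brand in the userinfo part", "https://www.facebook.com@login.example/", false],
  ["plain HTTP copy", "http://www.facebook.com/login", false],
];

function runCases() {
  return CASES.map(([label, url, expected]) => {
    const got = shouldOfferAutofill(SAVED, url);
    return { label, got, expected };
  });
}

for (const r of runCases()) {
  console.log(`${r.got ? "offer" : "withhold"}  ${r.label}`);
}
```

A saved login that is not offered on a page that looks like the real sign-in window is the signal to stop and check where the page was actually loaded from.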

Source: mr.d0x via BleepingComputer
