Browser-in-the-Browser Phishing Campaigns Targeting Facebook Credentials
Threat actors have increasingly used the browser-in-the-browser (BitB) technique to steal Facebook credentials. A BitB page draws a fake pop-up login window inside the phishing page itself, as HTML and an iframe styled to look like browser chrome, complete with a forged address bar showing a facebook.com URL; the real origin never changes, so the fake window cannot be dragged outside the parent tab and a password manager keyed to the true origin will not autofill it. Trellix reported that recent campaigns commonly start with phishing emails impersonating law firms issuing copyright infringement warnings, threatening imminent account suspension, or posing as Meta security alerts about suspicious logins; these lures often route through shortened links and fake Meta CAPTCHA pages to add legitimacy before presenting the counterfeit login prompt.
Timeline
Jan 12, 2026
Trellix discloses details of Facebook-focused BitB phishing campaigns
Trellix publicly reported that attackers were using iframe-rendered fake browser pop-up windows to mimic legitimate Facebook authentication flows and steal credentials. The company also described related tactics including URL shorteners, fake Meta Privacy Center pages, and appeal forms used to collect personal information.
Jul 12, 2025
Threat actors ramp up BitB phishing to steal Facebook credentials
Over roughly the six months preceding Trellix's January 2026 reporting, multiple threat actors increasingly used browser-in-the-browser phishing pages to capture Facebook logins. The campaigns used lures such as copyright infringement notices, account suspension warnings, and Meta security alerts, often hosted on platforms like Netlify and Vercel and paired with fake Meta CAPTCHA or appeal pages.
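The script below is an added example, not code from Trellix or Mallory, showing how an analyst can triage a captured phishing page for the BitB tells described in these entries: a fixed-position overlay that paints a URL as page text (the forged address bar), an iframe supplying the "window" contents from the phishing host rather than the brand shown, and a credential form posting off-site. It uses only the Python standard library; the page HTML and the hosts in it (on the reserved .example TLD) are constructed for illustration and are not indicators from the campaigns.

```python
"""Static BitB triage for a captured phishing page (added example; stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col",
             "embed", "source", "track", "wbr"}


class BitbScanner(HTMLParser):
    """Collects the pieces a fake browser window is built from: overlay containers,
    URLs drawn as visible text inside them, iframe sources and form actions."""

    def __init__(self):
        super().__init__()
        self._stack = []             # (tag, is_overlay) for currently open elements
        self._overlay_depth = 0      # > 0 while inside a position:fixed/absolute element
        self.overlay_text_urls = []  # URL strings rendered as text inside an overlay
        self.iframe_srcs = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        is_overlay = "position:fixed" in style or "position:absolute" in style
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        if tag in VOID_TAGS:
            return                   # void elements never receive an end tag
        self._stack.append((tag, is_overlay))
        if is_overlay:
            self._overlay_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        while self._stack:           # unwind to the matching open tag; tolerates sloppy HTML
            open_tag, is_overlay = self._stack.pop()
            if is_overlay:
                self._overlay_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self._overlay_depth > 0:
            self.overlay_text_urls.extend(URL_RE.findall(data))


def scan_bitb(html_text, page_url):
    """Return (is_bitb, findings) for a page that was fetched from page_url.

    The decisive tell is a URL drawn as text inside an overlay whose host differs from
    the host the page was really served from: a genuine pop-up's address bar is browser
    chrome and is never part of the page's own content."""
    parser = BitbScanner()
    parser.feed(html_text)
    page_host = urlparse(page_url).hostname
    findings = []

    for shown in parser.overlay_text_urls:
        shown_host = urlparse(shown).hostname
        if shown_host and shown_host != page_host:
            findings.append(f"overlay draws an address bar for {shown_host}, page served by {page_host}")

    for src in parser.iframe_srcs:
        src_host = urlparse(src).hostname or page_host   # relative src means same origin
        if src_host == page_host and parser.overlay_text_urls:
            findings.append(f"framed 'login window' content comes from {src_host}, not the brand shown")

    for action in parser.form_actions:
        action_host = urlparse(action).hostname
        if action_host and action_host != page_host:
            findings.append(f"credential form posts off-site to {action_host}")

    is_bitb = any(f.startswith("overlay draws") for f in findings)
    return is_bitb, findings


# Constructed sample page modelled on the lure chain: a fake CAPTCHA step, then a
# fake "Log in to Facebook" window drawn with HTML. Hosts are illustrative only.
PHISH_URL = "https://copyright-appeal.phish.example/verify"
PHISH_HTML = """<html><body>
<div class="captcha">Security check: confirm you are human before continuing</div>
<div style="position: fixed; top: 80px; left: 240px; width: 520px; box-shadow: 0 0 12px #000">
  <div class="titlebar">Log in to Facebook</div>
  <div class="addressbar">https://www.facebook.com/login.php</div>
  <iframe src="/frame/login.html" width="520" height="400"></iframe>
</div>
</body></html>"""

# Constructed benign page for comparison: a facebook.com link in ordinary flow, no overlay.
BENIGN_URL = "https://blog.example/post"
BENIGN_HTML = """<html><body><p>Follow us at https://www.facebook.com/example</p>
<form action="/subscribe"><input name="email"></form></body></html>"""

if __name__ == "__main__":
    for url, page in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        verdict, notes = scan_bitb(page, url)
        print(url, "->", "BitB" if verdict else "clean")
        for note in notes:
            print("  -", note)
```

The overlay check keys on inline `style` attributes, which is enough for a quick look at a saved page; kits that position the fake window through a stylesheet or a class need the same logic run in the browser's DevTools console with `getComputedStyle`. The frame document named in the iframe `src` is a separate page and should be scanned on its own, since that is usually where the form and its exfiltration endpoint live.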
Related Stories

Phishing Campaigns Exploiting Email Trust Mechanisms for Credential Theft
Attackers have launched multiple sophisticated phishing campaigns targeting business users by exploiting trusted email mechanisms and brand impersonation. One campaign abused the legitimate `@facebookmail.com` domain and Meta Business Suite’s invitation feature to send convincing phishing emails to Facebook Business users, primarily targeting companies in sectors like automotive, education, real estate, hospitality, and finance. These emails, which appeared authentic due to their origin from Meta’s infrastructure, redirected victims to credential harvesting sites, with some organizations receiving thousands of such messages. The attackers created fake business pages and mimicked official branding to increase the likelihood of success, as confirmed by security researchers who reproduced the attack method. Other campaigns have leveraged HTML attachments and spoofed internal notifications to bypass traditional email security. In Central and Eastern Europe, phishing emails with malicious HTML attachments embedded JavaScript to steal credentials, impersonating brands like Adobe and Microsoft and transmitting stolen data to attacker-controlled Telegram bots. Another campaign disguised phishing emails as spam filter alerts from within the victim’s own organization, using obfuscated code and personalized fake login screens to harvest credentials via websockets. These evolving tactics highlight the increasing sophistication of phishing operations and the need for organizations to monitor for unusual connections, inspect email content, and educate users about the risks of unsolicited attachments and internal-looking notifications.
1 month ago
Phishing-as-a-Service 'Sneaky 2FA' Kit Enables Browser-in-the-Browser Credential Theft
Threat actors are leveraging a Phishing-as-a-Service (PhaaS) kit called **Sneaky 2FA** to deploy advanced Browser-in-the-Browser (BitB) phishing attacks. This kit allows attackers to create highly convincing fake browser pop-up windows that closely mimic legitimate sign-in prompts, including a forged address bar displaying authentic-looking URLs. The technique is designed to deceive users into entering their credentials, which are then exfiltrated to the attacker. Security researchers have observed these attacks targeting Microsoft account credentials, with the kit's obfuscated code and anti-analysis features making detection and mitigation more challenging. The Sneaky 2FA kit is available on criminal marketplaces, enabling even less-skilled threat actors to launch sophisticated phishing campaigns at scale. Attackers often use additional evasion tactics, such as bot protection checks (e.g., Cloudflare Turnstile) and CAPTCHAs, to filter out automated security tools before presenting the fake login window to real users. Experts recommend password managers as a key defense: a manager matches saved credentials against the real page origin, not the URL painted inside the fake window, so it refuses to autofill on the phishing host, which is itself a warning sign to the user.
1 month ago
Fake CAPTCHA/ClickFix Social Engineering Used to Deliver Malware and Steal Sessions
Threat actors are increasingly using **fake CAPTCHA / verification pages** as a scalable social-engineering lure to deliver malware and steal credentials by abusing users’ trust in routine web security checks. Research highlighted a large, fragmented ecosystem of lookalike fake CAPTCHA pages hosted across **~9,494 compromised sites and malicious properties**, where roughly **70%** of observed pages share near-identical visuals while delivering **dozens of distinct payload variants** via different execution models, including clipboard-driven instructions that lead victims to run **PowerShell** or **VBScript** downloaders. Separately, a **ClickFix** campaign targeting Facebook users—especially content creators and businesses seeking verification—uses fake “verification” portals to trick victims into manually extracting and submitting browser session tokens (notably `c_user` and `xs`) via developer tools, enabling account takeover without exploiting software vulnerabilities. In parallel, the **ClearFake** campaign (a malicious JavaScript framework injected into hacked websites) has adopted ClickFix-style fake CAPTCHA lures and added more evasive “living off the land” behavior, including **proxy execution** to run PowerShell through trusted Windows features and shifting distribution to a **popular CDN**, reducing the effectiveness of defenses that rely primarily on blocking known-bad domains/IPs.
1 month ago