The Invisible Hijack: New “Browser-in-the-Browser” Scam Targets Millions of Facebook Users
Cybersecurity experts are sounding the alarm over a sophisticated "invisible" phishing tactic that is bypassing traditional security intuition. The technique, known as Browser-in-the-Browser (BitB), is being deployed at scale to hijack Facebook accounts, leaving even cautious users vulnerable to total profile takeovers.
According to a new threat report from cybersecurity firm Trellix, there has been a significant surge in BitB attacks. Unlike old-school phishing, which relies on typosquatted URLs (like faceb0ok.com), BitB creates a pixel-perfect "pop-up" window that exists entirely within a malicious webpage.
How the Trap is Sprung
The attack typically begins with an urgent notification—often sent via email or Messenger—warning the user of a "Copyright Violation" or an "Unauthorised Login Attempt." Users are pressured to click a link to "Secure Your Account."
Once clicked, the victim is taken to a site that looks legitimate, often hosted on trusted cloud platforms like Netlify or Vercel. A Facebook login prompt then appears. To the naked eye, it looks identical to a standard Meta OAuth window, complete with the padlock icon and the correct facebook.com URL in the address bar.
However, the "window" is a digital illusion. It is a fabricated UI element created using iframes, so the padlock and the address bar are painted by the page itself rather than by the browser. The moment a user enters their credentials, the data is transmitted directly to a hacker-controlled server in real time.
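The two ingredients described above (an address bar that is really just page text, sitting next to a credential form or an iframe) are exactly what an analyst can look for when triaging a captured phishing page. The scanner below is an added example, not code from Trellix or from the article; the sample pages it runs on are constructed, and the container ids and signal names are my own naming.

```python
"""Heuristic scanner for Browser-in-the-Browser (BitB) overlays in captured HTML.

Signal 1: a bare text node spelling out a facebook.com URL. A real browser never
          renders its own address bar inside the page, so this is a fake address bar.
Signal 2: a password field or an iframe inside the same container.
A container carrying both signals is reported as a candidate BitB window.
"""
import re
from html.parser import HTMLParser

# Hosts a legitimate third-party page has no reason to paint as window chrome.
PROTECTED_HOSTS = ("facebook.com", "www.facebook.com")
URL_TEXT = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class BitBScanner(HTMLParser):
    """Walk the element tree and aggregate child evidence onto every open ancestor."""

    def __init__(self):
        super().__init__()
        self.stack = []      # open elements: {"tag", "attrs", "signals", "child_reported"}
        self.findings = []   # (container_tag, container_id, sorted signal list)
        self._in_anchor = 0

    def _mark(self, signal):
        for frame in self.stack:
            frame["signals"].add(signal)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.stack.append({"tag": tag, "attrs": attrs, "signals": set(), "child_reported": False})
        if tag == "a":
            self._in_anchor += 1
        if tag == "input" and attrs.get("type", "").lower() == "password":
            self._mark("password-field")
        if tag == "iframe":
            self._mark("iframe")

    def handle_data(self, data):
        if self._in_anchor:
            return  # link text pointing at facebook.com is normal; a bare URL string is not
        m = URL_TEXT.search(data)
        if m and m.group(1).lower() in PROTECTED_HOSTS:
            self._mark("fake-address-bar")

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = max(0, self._in_anchor - 1)
        # Pop until the matching open tag; unclosed void elements (input) are popped on the way.
        while self.stack:
            frame = self.stack.pop()
            signals = frame["signals"]
            suspicious = "fake-address-bar" in signals and signals & {"password-field", "iframe"}
            if suspicious and not frame["child_reported"]:
                # Report only the innermost container; flag ancestors so they stay quiet.
                self.findings.append((frame["tag"], frame["attrs"].get("id", ""), sorted(signals)))
                for ancestor in self.stack:
                    ancestor["child_reported"] = True
            if frame["tag"] == tag:
                break


def scan(html):
    """Return a list of (tag, id, signals) for every candidate BitB container in html."""
    parser = BitBScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a lure page with a fake address bar above a login form.
SAMPLE_PAGE = """<!doctype html>
<html><body>
  <h1>Copyright violation notice</h1>
  <p>Sign in to review. Visit <a href="https://www.facebook.com/help">help</a>.</p>
  <div id="popup">
    <div class="titlebar"><span>https://www.facebook.com/login.php</span></div>
    <form method="post">
      <input type="text" name="email">
      <input type="password" name="pass">
    </form>
  </div>
</body></html>"""

# Constructed control: a password form plus an ordinary link to Facebook, no painted address bar.
CLEAN_PAGE = """<html><body>
  <p>Log in, or <a href="https://www.facebook.com/">continue with Facebook</a>.</p>
  <form method="post"><input type="password" name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    print("sample:", scan(SAMPLE_PAGE))   # expected: [('div', 'popup', ['fake-address-bar', 'password-field'])]
    print("clean: ", scan(CLEAN_PAGE))    # expected: []
```

The heuristic is deliberately narrow: it keys on a URL rendered as plain text, which is the one thing a genuine OAuth pop-up cannot contain because that text lives in the browser's own UI. Real kits also style the container to look like a window, but the styling varies while the painted address bar is what makes the trick work.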
Why Facebook is the Ultimate Prize
With over 3 billion active users, Facebook remains the most lucrative target for cybercriminals. Once an account is compromised, hackers use the victim’s established trust to:
- Spread malicious links to friends and family.
- Access linked business pages and ad accounts to drain credit cards.
- Harvest personal data for identity theft on the dark web.
The “Drag Test”: How to Spot a Fake
Because these fake windows are part of the website’s code and not a separate browser instance, they have a physical limitation that real windows do not.
Trellix and security researchers suggest the "Drag Test": Try to click and drag the login pop-up window to the edge of your browser.
- A Real Window: Will move independently and can be dragged completely outside the main browser window or onto a second monitor.
- A BitB Fake: Will be "trapped" inside the browser. It will disappear or get cut off when you try to move it past the browser's border.
Defense Strategies for 2026
As phishing becomes indistinguishable from reality, security experts at Apensia Media recommend a "Zero-Trust" approach to login prompts:
- Manual Entry: If you receive an account alert, never click the provided link. Manually type www.facebook.com into your browser.
- Password Managers: High-quality password managers will not auto-fill credentials into a BitB window because they recognize it is not the actual Facebook domain.
- Mandatory 2FA: Enable Two-Factor Authentication (2FA). Even if a hacker successfully "BitB's" your password, they cannot bypass the physical security code sent to your device.
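The password-manager point above rests on one decision rule: fill only when the origin the browser is actually at matches the origin the credential was saved for, and ignore whatever URL the page happens to display. The model below is an added example of that rule, not code from any real password manager; the vault contents and the page URLs are constructed, and `registrable_host` is a simplification (real managers consult the Public Suffix List rather than taking the last two labels).

```python
"""Why a password manager will not fill a BitB window: it keys on the real origin.

autofill_decision() receives the browser's own top-level URL, the URL of the frame
hosting the login form, and the URL-looking text the page paints. The painted text is
accepted as a parameter only to show that it plays no part in the decision.
"""
from urllib.parse import urlsplit

# Constructed vault: each saved credential is bound to a registrable host.
VAULT = {
    "facebook.com": {"username": "user@example.com", "password": "sample-not-a-real-secret"},
}


def registrable_host(url):
    """Collapse a hostname onto its last two labels (e.g. www.facebook.com -> facebook.com).
    Simplification for the example; production code uses the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def autofill_decision(top_level_url, frame_url, displayed_address_text):
    """Return (fill, reason). fill is True only when it is safe to offer the saved credential."""
    if urlsplit(top_level_url).scheme != "https":
        return False, "refuse: page is not served over https"
    top = registrable_host(top_level_url)
    frame = registrable_host(frame_url)
    if top != frame:
        # A login form inside a frame from another origin is never filled, even if the
        # frame itself is the genuine site embedded by an attacker-controlled page.
        return False, f"refuse: login frame origin {frame} differs from page origin {top}"
    creds = VAULT.get(top)
    if creds is None:
        return False, (f"refuse: no credential saved for {top}; the page shows "
                       f"'{displayed_address_text}' but that is only painted text")
    return True, f"fill credential for {top} ({creds['username']})"


if __name__ == "__main__":
    real = "https://www.facebook.com/login.php"
    lure = "https://copyright-appeal.example/secure"     # constructed lure host
    painted = "https://www.facebook.com/login.php"        # what the fake window displays
    print(autofill_decision(real, real, painted))          # fills
    print(autofill_decision(lure, lure, painted))          # refuses: no credential for lure host
    print(autofill_decision(lure, real, painted))          # refuses: frame origin differs from page
```

The third call covers the variant where the overlay frames the genuine login page: the credential still matches the frame, but the top-level document is the lure, so the rule refuses. That is the same property the manual "Drag Test" relies on, expressed as a check the software can make for the user.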
"Traditional visual checks are no longer enough," the Trellix report concludes. "In the era of the 'Perfect Fake,' slowing down before you type is the only way to stay safe."