[noodlesUK]

I remember some big service many years ago (maybe yahoo?) had a “memorable image” or something that was associated with your username as some kind of anti phish metric. Of course nowadays that would be trivial to bypass with something like Modliskha or a different reverse proxy passing through the website content.

https://github.com/drk1wi/Modlishka

[raghava]

Yes. That's why a cluster of elements for a "secret identity theme", instead of just one image. (After all, infosec/security is finally just a game of making reward-to-effort ratio too impractical for most threat-actors & thus achieve reasonable 'sense of security', in a world where exploits exist for almost every ring in the stack - including ring 0)

I feel BITB mostly gets used by those who may not really be having access to lob a proxy attack at the intended target as well, which filters a good set, among potential victims.

[hapidjus]

Maybe I’m misunderstanding but what’s preventing you from passing on the cluster?

[raghava]

Didn't get your concern. I was saying that BITB actors typically won't be running a proxy within the network.

[noodlesUK]

I think the concern (if you ever see this comment) is that an attacker will for instance put the fake browser ui around an iframe to a proxy to the legitimate website content using a tool like Modlishka. In that case, whatever is presented to the user in the legitimate application (including whichever superheros or whatever are selected that time around) and all of the bogus images will be presented in the proxied version. Transparent proxies like that are very effective ways of doing phishing because you can phish 2fa or even SSO or similar info by just passing on a legitimate login page to the user but through your MITMed page.

[raghava]

Yes, I understand that BITB+MITM is a huge risk. But my point was that most who want to run BITB won't typically have the means to run an MITM along with it. (unless 'MITM within a browser' becomes a reality!)

I was trying to say that the dynamic security element helps in filtering at least the most common kind of attack, which otherwise leaves consumers to bear a very large risk.

[noodlesUK]

Perhaps this is the thing that I don’t understand. Why wouldn’t an attacker have such means? This attack isn’t something that requires control of the network, it’s just a fantastic way of producing a lookalike page.