Threat actors are leveraging the browser-in-the-browser (BitB) phishing technique to steal Facebook login credentials, according to security researchers at Trellix.
First described in 2022 by the security researcher known as “mr.d0x,” the BitB method has since been widely adopted by cybercriminals targeting popular online platforms, including Facebook and Steam.
Trellix researchers report that stolen Facebook accounts are used to spread scams, harvest personal data, and commit identity fraud.
“In the second half of 2025, Trellix observed a surge in Facebook phishing scams employing a variety of tactics and techniques, most notably the "Browser in the Browser" (BitB) technique. This advanced method tricks users by simulating a legitimate third-party login pop-up window (like a Facebook authentication screen) within the browser tab, effectively masking a credential-harvesting page,” Trellix said.
In a BitB attack, victims are lured to an attacker-controlled website that presents a convincing fake browser pop-up containing a login form. The pop-up is not a real browser window at all: it is HTML and CSS rendered inside the attacker's page and styled to look like one, complete with a fake title bar and a fake address bar showing a legitimate-looking URL such as facebook.com, with the login form (or an iframe that loads it) placed inside. Because that address bar is drawn by the page rather than by the browser, it can display whatever URL the attacker chooses, which is what makes the technique hard to spot visually. Two practical checks still work: a genuine pop-up is a separate window and can be dragged outside the edge of the browser tab, whereas a BitB fake is clipped at the tab boundary; and a password manager will not offer the victim's Facebook credentials, because the real origin is the attacker's domain, not facebook.com.
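As an added illustration, not Trellix's tooling or the mr.d0x template, the JavaScript below scans a page's raw HTML for the BitB signature described above: a URL rendered as visible text whose host differs from the host that actually served the page, sitting next to a password field or an embedded iframe. The two sample pages, the serving host `copyright-notice.example` and all function names are constructed for this example.

```javascript
// Heuristic scanner for browser-in-the-browser (BitB) phishing pages.
// Added example for this article; not Trellix's tooling and not the mr.d0x template.
// Assumption: the HTML was fetched from `servingHost` (the origin the browser
// really connected to) and is available as a string.
//
// Idea: a real address bar is browser chrome and never appears in page markup.
// A BitB kit has to *draw* its address bar, so the "URL" it shows is ordinary
// text in the DOM. Visible URL text whose host differs from the serving host,
// next to a credential sink (password input or iframe), is what we look for.

// URL-looking strings that would be visible to the user (text nodes only;
// scripts, styles and all tags with their href/src/value attributes are dropped).
function displayedUrls(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');
  return text.match(/https?:\/\/[A-Za-z0-9.-]+(?:\/[^\s"'<]*)?/g) || [];
}

// Hosts shown in visible text that do not match the host serving the page.
function mismatchedHosts(html, servingHost) {
  const hosts = [];
  for (const u of displayedUrls(html)) {
    try {
      const host = new URL(u).hostname;
      if (host !== servingHost && !hosts.includes(host)) hosts.push(host);
    } catch (_) { /* not a parseable URL; ignore */ }
  }
  return hosts;
}

function hasPasswordField(html) {
  return /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html);
}

// src of every iframe, so an analyst can see what the fake window loads.
function iframeSources(html) {
  const out = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function scanForBitB(html, servingHost) {
  const mismatched = mismatchedHosts(html, servingHost);
  const password = hasPasswordField(html);
  const iframes = iframeSources(html);
  // A foreign host in visible text alone is common (links, citations), so
  // require a credential sink on the same page before flagging.
  const suspicious = mismatched.length > 0 && (password || iframes.length > 0);
  return { suspicious, mismatched, password, iframes };
}

// Constructed sample resembling a BitB kit: window chrome drawn in HTML, an
// "address bar" showing facebook.com, and a form posting to the attacker's host.
const SAMPLE_BITB_PAGE = `
<html><body>
<div class="bitb-window">
  <div class="bitb-titlebar">Log in to Facebook</div>
  <div class="bitb-addressbar">https://www.facebook.com/login.php</div>
  <form method="post" action="/collect.php">
    <input type="email" name="email">
    <input type="password" name="pass">
    <button>Log In</button>
  </form>
</div>
</body></html>`;

// Constructed benign page: the site's own login form plus a text link to its docs.
const SAMPLE_BENIGN_PAGE = `
<html><body>
<p>Need help? See https://copyright-notice.example/help</p>
<form method="post" action="/login">
  <input type="password" name="pass">
</form>
</body></html>`;

// Usage:
//   scanForBitB(SAMPLE_BITB_PAGE, 'copyright-notice.example').suspicious   // true
//   scanForBitB(SAMPLE_BENIGN_PAGE, 'copyright-notice.example').suspicious // false
```

This is a triage aid, not a detector: kits can render the fake address bar as an image, split the URL across spans, or omit the scheme, and none of those would match the text regex. The robust signals remain the ones the browser itself enforces, the real origin in the real address bar and origin-bound password-manager autofill.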
Recent campaigns targeting Facebook users have impersonated law firms alleging copyright infringement, Meta security alerts warning of unauthorized logins, or notices threatening account suspension.
“The threat of Facebook phishing is escalating and becoming highly sophisticated, moving far beyond easily recognizable malicious links,” the report notes. “Attackers are successfully exploiting the platform's massive user base by employing advanced social engineering and technical evasion tactics. The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages. Most critically, the emergence of the Browser-in-the-Browser (BitB) technique represents a major escalation. By creating a custom-built, fake login pop-up window within the victim's browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually.”