Phishing remains the top cybersecurity threat to businesses. Phishing scams can be realistic and difficult for people to identify for the scams that they are. The sender field is often spoofed to make it appear that the emails have been sent by known individuals or trusted companies, the body of the messages often contains well-known branding, and templates are used for messages that are carbon copies of the genuine emails they impersonate.

The emails may contain malicious attachments if the aim is to install malware, and malicious hyperlinks if credential harvesting is the goal. The hyperlinks direct users to a website where they are asked to enter their credentials – a web page that is difficult to distinguish from the genuine web page being spoofed. As if those messages were not convincing enough, there is now a new Chrome phishing toolkit that makes credential theft even easier.

Most Internet users will be familiar with websites that use Single Sign-on popups to authenticate users. Rather than requiring website users to register an account, they can authenticate using an existing Google, Apple, or Facebook account. This way of logging in is popular, as users do not need to create and remember another set of login credentials. There is, however, a problem with this approach, and that is that single sign-on popups are easy to spoof in Chrome.

As previously mentioned, phishing scams can be convincing, but there are often red flags and the biggest flag is the URL of the website used for phishing. If you are expecting to sign in to Facebook for example, and you are directed to what is clearly not a Facebook-owned domain, the phishing scam can be easily identified.

The latest toolkit does not produce this red flag. The single sign-on popup generated on the webpage looks exactly the same as the genuine popup being spoofed, including the URL. If an individual is directed to one of these fake phishing forms, it is highly unlikely that they would be able to identify it as malicious and their credentials will be stolen.

A phishing email could be sent advising the recipient that a file has been shared with them, inviting them to log in to Dropbox for instance. The link is clicked, and the user will be directed to the website and will be presented with the login box which includes the address bar with the URL of the login form. For example, if you attempt to log in with your Google account, the URL will start with The phishing toolkit uses pre-made templates that are fake, but incredibly realistic. These Chrome popup windows allow a custom address URL and title to be displayed.

This toolkit was created by the security researcher dr. d0x, who made them available on GitHub. They allow any would-be hacker to quickly and easily create a highly convincing SSO pop-up window, which could be added to any website and be used for a browser-in-the-browser phishing attack. This attack method is nothing new, as fake SSO pop-up windows have been created in the past, but previous attempts have not been particularly convincing, as they do not exactly replicate the genuine pop-ups. The popups have previously been used on fake gaming websites to harvest credentials from the unwary. This kit is different as it is so convincing, and could easily be used to steal credentials and even 2FA codes.