Paubox blog

Browser-in-the-Browser phishing targets Facebook users

Written by Farah Amod | January 28, 2026

Attackers are using fake in-browser login windows to capture Facebook credentials at scale.

What happened

Security researchers have observed an increase in Facebook phishing campaigns that rely on a technique known as Browser-in-the-Browser, where attackers display a convincing fake login window inside a legitimate browser session. According to reporting by Cyber Press, the campaigns increased during the second half of 2025 and primarily targeted users through phishing emails that redirected victims to fake Meta pages before presenting a fraudulent Facebook sign-in prompt.

Going deeper

The Browser-in-the-Browser technique works by rendering a realistic login pop-up within the webpage itself rather than opening a separate browser window. The fake prompt includes a forged address bar that appears to show Facebook’s official domain, which makes detection difficult, especially on mobile devices. Attackers often begin with emails posing as legal notices or copyright complaints and route victims through shortened URLs and fake captcha pages. Researchers also found that phishing infrastructure was hosted on legitimate cloud platforms such as Netlify and Vercel, allowing attackers to blend in with trusted services while collecting personal details before requesting account passwords.

What was said

Analysts warned that the use of trusted cloud hosting and URL shorteners increases the likelihood that phishing pages bypass basic filtering tools. They noted that these campaigns rely heavily on social engineering themes, including account suspension alerts, unusual login warnings, and security verification requests. Researchers advised users to avoid entering credentials through pop-up windows and to verify account alerts by going directly to Facebook through a new browser tab rather than following embedded links.

The big picture

According to Help Net Security, browser-in-the-browser (BitB) phishing depends almost entirely on stolen usernames and passwords, which makes the technique far less effective when passkeys or WebAuthn authentication are enforced. While not a complete fix, phishing-resistant authentication can “effectively neutralize BitB attacks that depend on fake login windows.” The problem is that password-based logins remain widespread, and building BitB phishing pages has become easier as phishing-as-a-service platforms add the capability by default.
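To show why origin-bound authentication resists a forged login window, here is an added Python example (not from the article or the researchers it cites) of the relying-party checks a WebAuthn server performs on an assertion: the browser fills in the origin field of clientDataJSON from the page that actually made the call, so an assertion obtained through a fake in-page window on a phishing host fails the origin check. The origins, RP ID and challenge bytes are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed placeholders: the genuine relying party (RP) and a hypothetical BitB host.
EXPECTED_ORIGIN = "https://www.facebook.com"          # RP origin (illustrative)
EXPECTED_RP_ID = "facebook.com"                       # RP ID the passkey is scoped to
PHISHING_ORIGIN = "https://account-appeal.example"    # placeholder attacker origin


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Simulate the clientDataJSON the browser builds for navigator.credentials.get().
    The browser sets 'origin' itself from the calling page; page script cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags (UP set) || signCount; simplified, no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes,
                     issued_challenge: bytes) -> tuple[bool, str]:
    """RP-side checks from the WebAuthn assertion-verification procedure.
    Signature verification over authData || SHA-256(clientDataJSON) would follow these
    checks; it is omitted here, but it is what prevents an attacker from simply
    rewriting the origin field after the fact."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: assertion came from {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP ID"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x00" * 32              # constructed; a real RP issues random bytes per login
    auth = make_authenticator_data(EXPECTED_RP_ID)
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth, challenge))  # accepted
    print(verify_assertion(make_client_data(PHISHING_ORIGIN, challenge), auth, challenge))  # rejected: origin mismatch
```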

Researchers warned that the trend is spreading beyond a single tool. “There is evidence that Sneaky2FA’s shift to BiTB might not be an isolated change,” researchers said, noting that RaccoonO365 has also begun using BitB techniques after announcing a new “BITB mini-panel” as part of a service update. The move suggests BitB phishing is becoming a standard feature across commercial phishing kits rather than an experimental tactic.

FAQs

What makes Browser-in-the-Browser attacks hard to spot?

The fake login window appears inside the browser and includes a realistic address bar, which gives the impression that the user is interacting with a trusted site.

Why are Facebook users frequently targeted?

Facebook accounts are widely used for personal communication, advertising, and business access, which makes stolen credentials valuable for fraud and further attacks.

How do cloud platforms factor into these campaigns?

Attackers host phishing pages on well-known cloud services, which helps them avoid suspicion and bypass some security controls.

Does two-factor authentication stop these attacks?

It reduces risk but does not eliminate it. Stolen credentials can still be used for phishing, impersonation, or attempts to bypass additional protections.

How can users protect themselves?

They should avoid logging in through pop-ups, inspect URLs carefully, ignore unexpected account warnings, and access Facebook directly through a bookmarked address.