If you’re still using Facebook, then I assume you’re old enough to remember watching John Wayne movies in the theater. Nevertheless, it remains a pretty juicy target for hackers and digital thieves. They’re using a technique that you should be aware of, even if your only interaction with the slop-ridden hellscape of Facebook is through your relatives: browser-in-the-browser attacks.

A browser-in-the-browser attack (often shortened to BITB) is an old idea, but given a new twist. You get a fake page that impersonates a real page — nothing new, right? As long as you can see that you’re at the correct URL in the browser (checking carefully for look-alikes, such as “faceloook.com”), you’re safe. A BITB attack creates both the fake page and fake browser elements around the page, including a legit-looking address in the URL bar. The fake “window” is just part of the web page, drawn to look like a separate browser popup. It’s simple, it’s sneaky, it’s effective.

Security vendor Trellix released a new report that indicates these browser-in-the-browser attacks are on the rise, specifically targeting Facebook users. The hook comes from the usual places, spam email or texts that claim something is wrong with the account or there’s another security issue, but following the fake (but legit-seeming) URL leads you to a custom page with the BITB rendering trick. Adding in a Captcha step can throw users off their guard, and then a fake login page is all that’s needed to nab a username and password.

Facebook is such a tempting target because of its massive amount of users, over two billion active daily according to some metrics. And many of them are, ahem, somewhat less than tech-savvy. So not only are they more likely to follow a link in a phishing email and be bamboozled by a browser-in-the-browser trick, they’re probably more likely to reuse login passwords as well. That makes a successful phishing attack even more dangerous, since the stolen credentials can open the door to identity theft well beyond Facebook.
As Bleeping Computer notes, you can spot a browser-in-the-browser attack by trying to interact with the internal fake browser. A real popup is its own window, so you can drag it around by its title bar, even outside the page that opened it; if you can’t click and drag the title bar, that’s an easy giveaway. And as always, logging in via a separate window, browser, or device instead of following a link is a great way to quickly test the veracity of an alarming email.
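The drag test above is for users; for analysts triaging a captured phishing page, here is an added Python heuristic (not from the article, Bleeping Computer or Trellix) that flags the two tell-tales the piece describes: a URL painted as plain page text that does not match the origin the page was really served from, and an iframe sitting inside a positioned container, which is how a fake “window” gets drawn. The sample HTML and the origin `secure-alert.example` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL-looking strings that appear as visible text (a real address bar is not page text)
URL_RE = re.compile(r"https?://[\w.-]+(?:/\S*)?")


class BitbScanner(HTMLParser):
    """Collect visible URL-like text, iframe sources and positioned containers."""

    def __init__(self):
        super().__init__()
        self.text_urls = []    # URLs rendered as text, e.g. a painted address bar
        self.iframe_srcs = []  # iframes that could carry the fake login form
        self.positioned = 0    # fixed/absolute boxes that can mimic a floating window
        self._skip = False     # ignore script/style contents

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip = True
        if tag == "iframe":
            self.iframe_srcs.append(a.get("src") or "")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "position:fixed" in style or "position:absolute" in style:
            self.positioned += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_urls += URL_RE.findall(data)


def scan_for_bitb(html, page_origin):
    """Return findings for a captured page fetched from page_origin (hypothetical helper)."""
    p = BitbScanner()
    p.feed(html)
    real_host = urlparse(page_origin).hostname or ""
    findings = []
    for u in p.text_urls:
        host = urlparse(u).hostname or ""
        if host and host != real_host:
            findings.append(f"address bar drawn as text shows {host}, page served from {real_host}")
    if p.iframe_srcs and p.positioned:
        findings.append("iframe inside a positioned container: a painted window, not a real popup")
    return findings


# Constructed sample: a page-drawn "popup" with a fake URL bar and an iframe login form
SAMPLE_PAGE = """<html><body>
<div style="position: fixed; top: 80px; left: 200px; width: 480px">
  <div class="titlebar">Log in to Facebook</div>
  <div class="urlbar"><span class="lock"></span> https://www.facebook.com/login.php</div>
  <iframe src="/login.html"></iframe>
</div></body></html>"""

if __name__ == "__main__":
    for line in scan_for_bitb(SAMPLE_PAGE, "https://secure-alert.example"):
        print("FLAG:", line)
```

A legitimate page that mentions its own URL in text is not flagged, because the host matches the real origin; the heuristic is a triage aid, not proof, so review flagged pages by hand.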