Man-in-the-browser explained

Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse[1] that infects a web browser, exploiting weaknesses in browser security to modify web pages, modify transaction content or insert additional transactions, all covertly, so that neither the user nor the host web application sees the tampering. Because the Trojan operates inside the browser, on data that has already been decrypted (or has not yet been encrypted) and within a session the user has already authenticated, a MitB attack succeeds irrespective of whether SSL/TLS with PKI or two- or three-factor authentication is in place. A MitB attack may be countered by out-of-band transaction verification, although SMS-based verification can in turn be defeated by man-in-the-mobile (MitMo) malware on the user's mobile phone. Trojans may be detected and removed by antivirus software,[2] but a 2011 report concluded that measures in addition to antivirus software were needed.[3]

A related, simpler attack is the boy-in-the-browser (BitB, BITB).

The majority of financial service professionals in a 2014 survey considered MitB to be the greatest threat to online banking.[4]

Description

The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation on backdoor trends, "The future of backdoors - worst of all worlds".[5] The name "man-in-the-browser" was coined by Philipp Gühring on 27 January 2007.

A MitB Trojan uses the ordinary facilities a browser offers for extending its capabilities, such as Browser Helper Objects (a feature limited to Internet Explorer), browser extensions and user scripts (for example in JavaScript).[6] Because these facilities run inside the browser process, the Trojan handles page content and request data as plaintext, exactly as the user sees it. Antivirus software can detect some of these methods.

In the canonical example, an Internet banking funds transfer, the customer is always shown, on the confirmation screens, exactly the payment details keyed into the browser. The bank, however, receives a transaction with materially altered instructions: a different destination account number and possibly a different amount. Strong authentication tools merely increase the misplaced confidence of both customer and bank that the transaction is secure. Authentication, by definition, validates identity credentials; it should not be confused with transaction verification, which confirms the content of the instruction the bank actually received.

Examples

Examples of MitB threats on different operating systems and web browsers:

Name                   | Details                                              | Operating system | Browser
-----------------------|------------------------------------------------------|------------------|--------------------------------------------------------------------
Agent.DBJP[7]          |                                                      | Windows          | IE, Firefox
Bugat[8]               |                                                      | Windows          | IE, Firefox
Carberp                | targets Facebook users redeeming e-cash vouchers[9]  | Windows          | IE, Firefox
ChromeInject*[10]      | Greasemonkey impersonator                            | Windows          | Firefox
                       |                                                      | Windows          | IE
Gozi                   |                                                      | Windows          | IE, Firefox
Nuklus[11]             |                                                      | Windows          | IE
OddJob[12]             | keeps bank session open                              | Windows          | IE, Firefox
Silentbanker[13]       |                                                      | Windows          | IE, Firefox
Silon[14]              |                                                      | Windows          | IE
SpyEye[15]             | successor of Zeus, widespread, low detection         | Windows          | IE, Firefox
Sunspot[16]            | widespread, low detection                            | Windows          | IE, Firefox
Tatanga[17]            |                                                      | Windows          | IE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, Konqueror
Tiny Banker Trojan[18] | smallest banking Trojan detected in the wild, 20 KB  | Windows          | IE, Firefox
Torpig                 |                                                      | Windows          | IE, Firefox
URLZone****            |                                                      | Windows          | IE, Firefox, Opera
Weyland-Yutani BOT[19] | crimeware kit similar to Zeus, not widespread[20]    | Mac OS X         | Firefox
Yaludle                |                                                      | Windows          | IE
Zeus                   | widespread, low detection                            | Windows          | IE, Firefox

Aliases:

  • ChromeInject a.k.a. ChromeInject.A, ChromeInject.B, Banker.IVX, Inject.NBT, Bancos-BEX, Drop.Small.abw
  • Torpig a.k.a. Sinowal, Anserin
  • URLZone a.k.a. Bebloh
  • … a.k.a. IK, Runner.82176, Monder, ANBR, Sipay.IU, Runner.fq, PWS.y!cy, Zbot.gen20, Runner.J, BredoPk-B, Runner.EQ

Protection

Antivirus

Known Trojans may be detected, blocked and removed by antivirus software. In a 2009 study the detection rate of antivirus products against Zeus was 23%,[25] and similarly low success rates were reported in a separate test in 2011; that 2011 report concluded that additional measures on top of antivirus were needed.[3]

Hardened software

Out-of-band transaction verification

In principle, any MitB attack can be defeated by an out-of-band (OOB) transaction verification process. This works because the bank reports the transaction details as it received them back to the customer over a channel other than the infected browser, for example an automated telephone call, an SMS, or a dedicated mobile app that displays a graphical cryptogram;[30] a customer who compares those details with what they keyed in will notice the substitution. OOB transaction verification is well suited to mass-market use because it relies on devices customers already own (a landline or mobile phone), requires no additional hardware, and yet can provide three-factor authentication (using voice biometrics), transaction signing to a non-repudiation level, and transaction verification. Its effectiveness depends on two conditions: the customer must actually compare the reported details with their intent rather than approve reflexively, and the second channel must be independent of the compromised endpoint. The downside is that OOB verification adds more and slower steps, increasing end-user frustration.

Man-in-the-Mobile

Trojan spyware on the mobile phone, termed man-in-the-mobile (MitMo),[31] can defeat SMS-based OOB transaction verification by intercepting or forwarding the verification message on the handset, so that the second channel is no longer independent of the attacker. Mobile companions of the Zeus and SpyEye Trojans (ZitMo and SpitMo) are examples.[32][33]

Web fraud detection

Web fraud detection can be implemented at the bank to check transactions automatically for anomalous behaviour patterns, such as payments to a never-before-used beneficiary, amounts out of line with the customer's history, or transfers submitted implausibly quickly after login.[34]

Related attacks

Proxy trojans

Keyloggers are the most primitive form of proxy Trojan; browser-session recorders, which capture more of the session, are the next step; MitB Trojans are the most sophisticated type, since they alter the session in real time rather than merely recording it.

Man-in-the-middle

See main article: Man-in-the-middle. SSL/TLS with PKI and similar transport protections may defend against a man-in-the-middle attack on the network path, but offer no protection against a man-in-the-browser attack, which modifies data inside the browser after TLS has decrypted it or before TLS encrypts it.

Boy-in-the-browser

A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware changes the client computer's network routing so that traffic for the target site is steered to an attacker-controlled host, enabling a classic man-in-the-middle attack. Once the routing has been changed, the malware may remove itself entirely, making detection more difficult.[35]

Clickjacking

See main article: Clickjacking. Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.

Notes and References

  1. Web site: The Evolution of Proxy Trojans. Noa. Bar-Yosef. 2010-12-30. 2012-02-03.
  2. Web site: Threat Description: Trojan-Spy:W32/Nuklus.A. F-Secure. 2007-02-11. 2012-02-03.
  3. Web site: Web Browsers: Your Weak Link in Achieving PCI Compliance. Quarri Technologies, Inc. 2011. 2012-02-05.
  4. Fernandes. Diogo A. B.. Soares. Liliana F. B.. Gomes. João V.. Freire. Mário M.. Inácio. Pedro R. M.. 2014-04-01. Security issues in cloud environments: a survey. International Journal of Information Security. en. 13. 2. 113–170. 10.1007/s10207-013-0208-7. 3330144 . 1615-5270. subscription.
  5. Web site: O futuro dos backdoors - o pior dos mundos . Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança - CNASI . Sao Paulo, Brazil . pt . Paes de Barros . Augusto . 15 September 2005 . 2009-06-12 . dead . https://web.archive.org/web/20110706153819/http://www.paesdebarros.com.br/backdoors.pdf . July 6, 2011 .
  6. Web site: Concepts against Man-in-the-Browser Attacks. Gühring. Philipp. 27 January 2007. 2008-07-30.
  7. Web site: Trojan Writers Target UK Banks With Botnets. Dunn. John E. 2010-07-03. 2012-02-08.
  8. Web site: Zeus not the only bank Trojan threat, users warned. Dunn. John E. 2010-10-12. 2012-02-03.
  9. Web site: Facebook users targeted in Carberp man-in-the-browser attack. Curtis. Sophie. 2012-01-18. 2012-02-03.
  10. Web site: Trojan.PWS.ChromeInject.B Removal Tool. Marusceac Claudiu Florin. 2008-11-28. 2012-02-05.
  11. Web site: Review of Browser Extensions, a Man-in-the-Browser Phishing Techniques Targeting Bank Customers. Nattakant Utakrit, School of Computer and Security Science, Edith Cowan University. 2011-02-25. 2012-02-03.
  12. Web site: Crafty OddJob malware leaves online bank accounts open to plunder. Ted Samson. 2011-02-22. 2012-02-06.
  13. Web site: Banking with Confidence. Symantec Marc Fossi. 2008-01-23. 2008-07-30.
  14. Web site: Trusteer Rapport. Trusteer. 2012-02-03.
  15. Web site: Man-in-the-Browser attacks target the enterprise. CEO of Trusteer Mickey Boodaei. 2011-03-31. 2012-02-03. https://web.archive.org/web/20111208035515/http://www.networkworld.com/news/tech/2011/033111-mitb-attacks-enterprise.html. 2011-12-08. dead.
  16. Web site: Explosive financial malware targets Windows. www.net-security.org. 2011-05-11. 2012-02-06.
  17. Web site: Tatanga: a new banking trojan with MitB functions. Jozsef Gegeny . Jose Miguel Esparza . 2011-02-25. 2012-02-03.
  18. Web site: Tiny 'Tinba' Banking Trojan Is Big Trouble. msnbc.com. 31 May 2012. 2016-02-28.
  19. Web site: The Mac OS X Virus That Wasn't. Wayne. Borean. 2011-05-24. 2012-02-08.
  20. Web site: Crimeware Kit Emerges for Mac OS X . Dennis . Fisher . 2011-05-02 . 2012-02-03 . dead . https://web.archive.org/web/20110905204103/http://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211 . September 5, 2011 .
  21. Web site: ZeuS-style banking Trojans seen as greatest threat to online banking: Survey. Symantec Marc Fossi. 2010-12-08. 2012-02-03. https://web.archive.org/web/20110808104349/http://www.networkworld.com/news/2010/120810-trojan-bank.html. 2011-08-08. dead.
  22. Web site: Threat Description: Trojan-Spy:W32/Zbot. F-Secure. 2012-02-05.
  23. Web site: Trojan.Wsnpoem Technical Details. https://web.archive.org/web/20100223094813/http://www.symantec.com/security_response/writeup.jsp?docid=2008-072400-0415-99&tabid=2. dead. February 23, 2010. Symantec. Hyun Choi . Sean Kiernan . 2008-07-24. 2012-02-05.
  24. Web site: Encyclopedia entry: Win32/Zbot - Learn more about malware - Microsoft Malware Protection Center. Symantec. Microsoft. 2010-04-30. 2012-02-05.
  25. Web site: Measuring the in-the-wild effectiveness of Antivirus against Zeus . Trusteer . 2009-09-14 . 2012-02-05 . dead . https://web.archive.org/web/20111106105546/http://www.trusteer.com/files/Zeus_and_Antivirus.pdf . November 6, 2011 .
  26. Web site: Antisource - ZeuS . Richard S. Westmoreland . 2010-10-20 . 2012-02-05 . dead . https://web.archive.org/web/20120120004836/http://www.antisource.com/article.php/zeus-botnet-summary . 2012-01-20 .
  27. Web site: Online banking: what the BBC missed and a safety suggestion. Michael. Horowitz. 2012-02-06. 2012-02-08.
  28. Web site: Use a Linux Live CD/USB for Online Banking. Kevin. Purdy. 2009-10-14. 2012-02-04.
  29. Book: Konoth. Radhesh Krishnan. van der Veen. Victor. Bos. Herbert. Financial Cryptography and Data Security . How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication . 2017. Grossklags. Jens. Preneel. Bart. https://link.springer.com/chapter/10.1007/978-3-662-54970-4_24. Lecture Notes in Computer Science. 9603 . en. Berlin, Heidelberg. Springer. 405–421. 10.1007/978-3-662-54970-4_24. 978-3-662-54970-4.
  30. Web site: Commerzbank to deploy Cronto mobile phone-based authentication technology. Finextra Research. 2008-11-13. 2012-02-08.
  31. Web site: 'Man In The Mobile' Attacks Highlight Weaknesses In Out-Of-Band Authentication. Ericka. Chickowski. 2010-10-05. 2012-02-09. 2012-03-01. https://web.archive.org/web/20120301203206/http://www.darkreading.com/authentication/167901072/security/application-security/227700141/man-in-the-mobile-attacks-highlight-weaknesses-in-out-of-band-authentication.html. dead.
  32. Web site: Zeus Banking Trojan Hits Android Phones. Mathew J.. Schwartz. 2011-07-13. 2012-02-04. 2012-07-06. https://web.archive.org/web/20120706044256/http://www.informationweek.com/news/security/mobile/231001685. dead.
  33. Web site: Internet Banking & Mobile Banking users beware – ZITMO & SPITMO is here !!. Mahesh. Balan. 2009-10-14. 2012-02-05.
  34. Web site: How to protect online transactions with multi-factor authentication. Julie. Sartain. 2012-02-07. 2012-02-08.
  35. Web site: Threat Advisory Boy in the Browser. Imperva. 2010-02-14. 2015-03-12.