Man-in-the-browser

Last updated

Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse [1] that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software, [2] but a 2011 report concluded that additional measures on top of antivirus software were needed. [3] [ needs update ]

Contents

A related, simpler attack is the boy-in-the-browser (BitB, BITB).

The majority of financial service professionals in a 2014 survey considered MitB to be the greatest threat to online banking. [4]

Description

The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds." [5] The name "man-in-the-browser" was coined by Philipp Gühring on 27 January 2007. [6]

A MitB Trojan works by using common facilities provided to enhance browser capabilities such as Browser Helper Objects (a feature limited to Internet Explorer), browser extensions and user scripts (for example in JavaScript). [6] Antivirus software can detect some of these methods. [2]

In a nutshell example exchange between user and host, such as an Internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.

Examples

Examples of MitB threats on different operating systems and web browsers:

Man-in-the-Browser examples
NameDetails Operating system Browser
Agent.DBJP [7] WindowsIE, Firefox
Bugat [8] WindowsIE, Firefox
Carberptargets Facebook users redeeming e-cash vouchers [9] WindowsIE, Firefox
ChromeInject* [10] Greasemonkey impersonator [11] WindowsFirefox
Clampi [12] WindowsIE
Gozi [1] WindowsIE, Firefox
Nuklus [2] [11] WindowsIE
OddJob [13] keeps bank session openWindowsIE, Firefox
Silentbanker [14] WindowsIE, Firefox
Silon [15] WindowsIE
SpyEye [16] successor of Zeus, widespread, low detectionWindowsIE, Firefox
Sunspot [17] widespread, low detectionWindowsIE, Firefox
Tatanga [18] WindowsIE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, Konqueror
Tiny Banker Trojan [19] Smallest banking Trojan detected in wild at 20KBWindowsIE, Firefox
Torpig** [15] WindowsIE, Firefox
URLZone**** [1] WindowsIE, Firefox, Opera
Weyland-Yutani BOT [20] crimeware kit similar to Zeus, not widespread [20] [21] Mac OS XFirefox
Yaludle [15] WindowsIE
Zeus*** [12] widespread, low detectionWindowsIE, Firefox
Key Windows: IE Windows: IE & Firefox or Firefox Windows: other Mac OS X: any
*ChromeInject a.k.a. ChromeInject.A, ChromeInject.B, Banker.IVX, Inject.NBT, Bancos-BEX, Drop.Small.abw [10]
**Torpig a.k.a. Sinowal, Anserin [1]
***Zeus a.k.a. ZeuS, Zbot, [22] Wsnpoem, [23] [24] NTOS, [25] PRG, [25] Kneber, [26] Gorhax [26]
****URLZone a.k.a. Bebloh!IK, Runner.82176, Monder, ANBR, Sipay.IU, Runner.fq, PWS.y!cy, Zbot.gen20, Runner.J, BredoPk-B, Runner.EQ

Protection

Antivirus

Known Trojans may be detected, blocked, and removed by antivirus software. [2] In a 2009 study, the effectiveness of antivirus against Zeus was 23%, [25] and again low success rates were reported in a separate test in 2011. [3] The 2011 report concluded that additional measures on top of antivirus were needed. [3]

Hardened software

Out-of-band transaction verification

A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example, an automated telephone call, SMS, or a dedicated mobile app with graphical cryptogram. [30] OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices, yet enables three-factor authentication (using voice biometrics), transaction signing (to non-repudiation level), and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps.

Man-in-the-Mobile

Mobile phone mobile Trojan spyware man-in-the-mobile (MitMo) [31] can defeat OOB SMS transaction verification. [32]

  • ZitMo (Zeus-In-The-Mobile) is not a MitB Trojan itself (although it performs a similar proxy function on the incoming SMSes), but is mobile malware suggested for installation on a mobile phone by a Zeus-infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on Windows Mobile, Android, Symbian, and BlackBerry. [32] ZitMo may be detected by Antivirus running on the mobile device.
  • SpitMo (SpyEye-In-The-Mobile, SPITMO) is similar to ZitMo. [33]

Web fraud detection

Web fraud detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions. [34] TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 126011017202752:error:1000012e:SSL routines:OPENSSL_internal:KEY_USAGE_BIT_INCORRECT:third_party/openssl/boringssl/src/ssl/ssl_cert.cc:431:

Proxy trojans

Keyloggers are the most primitive form of proxy trojans, followed by browser-session recorders that capture more data, and lastly MitBs are the most sophisticated type. [1]

Man-in-the-middle

SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offers no protection in a man-in-the-browser attack.

Boy-in-the-browser

A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult. [35]

Clickjacking

Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.

See also

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

A dropper is a Trojan horse that has been designed to install malware onto a computer. The malware within the dropper can be packaged to evade detection by antivirus software. Alternatively, the dropper may download malware to the target computer once activated.

Xcitium, formerly known as Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey. Under the brand Sectigo, the company acts as a web Certificate authority (CA) and issues SSL/TLS certificates.

Crimeware is a class of malware designed specifically to automate cybercrime.

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">VirusTotal</span> Cybersecurity website owned by Chronicle

VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.

Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption. This method is more effective than keylogger software because it will acquire the user’s credentials even if they are input using virtual keyboard, auto-fill, or copy and paste. It can then sort the information based on its variable names, such as email, account name, and password. Additionally, the form grabber will log the URL and title of the website the data was gathered from.

Clampi is a strain of computer malware which infects Windows computers. More specifically, as a man-in-the-browser banking trojan designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain as well as report on computer configuration, communicate with a central server, and act as downloader for other malware. Clampi was first observed in 2007 affecting computers running the Microsoft Windows operating system.

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Trusteer is a Boston-based computer security division of IBM, responsible for a suite of security software. Founded by Mickey Boodaei and Rakesh K. Loonkar, in Israel in 2006, Trusteer was acquired in September 2013 by IBM for $1 billion.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

<span class="mw-page-title-main">Gameover ZeuS</span> Peer-to-peer botnet

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

SpyEye is a malware program that attacks users running Google Chrome, Safari, Opera, Firefox and Internet Explorer on Microsoft Windows operating systems. This malware uses keystroke logging and form grabbing to steal user credentials for malicious use. SpyEye allows hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account

ZeuS Panda, Panda Banker, or Panda is a variant of the original Zeus under the banking Trojan category. Its discovery was in 2016 in Brazil around the time of the Olympic Games. The majority of the code is derived from the original Zeus trojan, and maintains the coding to carry out man-in-the-browser, keystroke logging, and form grabbing attacks. ZeuS Panda launches attack campaigns with a variety of exploit kits and loaders by way of drive-by downloads and phishing emails, and also hooking internet search results to infected pages. Stealth capabilities make not only detecting but analyzing the malware difficult.

References

  1. 1 2 3 4 5 Bar-Yosef, Noa (2010-12-30). "The Evolution of Proxy Trojans" . Retrieved 2012-02-03.
  2. 1 2 3 4 F-Secure (2007-02-11). "Threat Description: Trojan-Spy:W32/Nuklus.A" . Retrieved 2012-02-03.
  3. 1 2 3 Quarri Technologies, Inc (2011). "Web Browsers: Your Weak Link in Achieving PCI Compliance" (PDF). Retrieved 2012-02-05.
  4. Fernandes, Diogo A. B.; Soares, Liliana F. B.; Gomes, João V.; Freire, Mário M.; Inácio, Pedro R. M. (2014-04-01). "Security issues in cloud environments: a survey" . International Journal of Information Security. 13 (2): 113–170. doi:10.1007/s10207-013-0208-7. ISSN   1615-5270. S2CID   3330144.
  5. Paes de Barros, Augusto (15 September 2005). "O futuro dos backdoors - o pior dos mundos" (PDF) (in Portuguese). Sao Paulo, Brazil: Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança - CNASI. Archived from the original (PDF) on July 6, 2011. Retrieved 2009-06-12.
  6. 1 2 Gühring, Philipp (27 January 2007). "Concepts against Man-in-the-Browser Attacks" (PDF). Retrieved 2008-07-30.
  7. Dunn, John E (2010-07-03). "Trojan Writers Target UK Banks With Botnets" . Retrieved 2012-02-08.
  8. Dunn, John E (2010-10-12). "Zeus not the only bank Trojan threat, users warned" . Retrieved 2012-02-03.
  9. Curtis, Sophie (2012-01-18). "Facebook users targeted in Carberp man-in-the-browser attack" . Retrieved 2012-02-03.
  10. 1 2 Marusceac Claudiu Florin (2008-11-28). "Trojan.PWS.ChromeInject.B Removal Tool" . Retrieved 2012-02-05.
  11. 1 2 3 Nattakant Utakrit, School of Computer and Security Science, Edith Cowan University (2011-02-25). "Review of Browser Extensions, a Man-in-theBrowser Phishing Techniques Targeting Bank Customers" . Retrieved 2012-02-03.{{cite web}}: CS1 maint: multiple names: authors list (link)
  12. 1 2 3 Symantec Marc Fossi (2010-12-08). "ZeuS-style banking Trojans seen as greatest threat to online banking: Survey". Archived from the original on 2011-08-08. Retrieved 2012-02-03.
  13. Ted Samson (2011-02-22). "Crafty OddJob malware leaves online bank accounts open to plunder" . Retrieved 2012-02-06.
  14. Symantec Marc Fossi (2008-01-23). "Banking with Confidence" . Retrieved 2008-07-30.
  15. 1 2 3 4 Trusteer. "Trusteer Rapport" . Retrieved 2012-02-03.
  16. CEO of Trusteer Mickey Boodaei (2011-03-31). "Man-in-the-Browser attacks target the enterprise". Archived from the original on 2011-12-08. Retrieved 2012-02-03.
  17. www.net-security.org (2011-05-11). "Explosive financial malware targets Windows" . Retrieved 2012-02-06.
  18. Jozsef Gegeny; Jose Miguel Esparza (2011-02-25). "Tatanga: a new banking trojan with MitB functions" . Retrieved 2012-02-03.
  19. "Tiny 'Tinba' Banking Trojan Is Big Trouble". msnbc.com. 31 May 2012. Retrieved 2016-02-28.
  20. 1 2 Borean, Wayne (2011-05-24). "The Mac OS X Virus That Wasn't" . Retrieved 2012-02-08.
  21. Fisher, Dennis (2011-05-02). "Crimeware Kit Emerges for Mac OS X". Archived from the original on September 5, 2011. Retrieved 2012-02-03.
  22. F-secure. "Threat DescriptionTrojan-Spy:W32/Zbot" . Retrieved 2012-02-05.
  23. Hyun Choi; Sean Kiernan (2008-07-24). "Trojan.Wsnpoem Technical Details". Symantec. Archived from the original on February 23, 2010. Retrieved 2012-02-05.
  24. Microsoft (2010-04-30). "Encyclopedia entry: Win32/Zbot - Learn more about malware - Microsoft Malware Protection Center". Symantec. Retrieved 2012-02-05.
  25. 1 2 3 Trusteer (2009-09-14). "Measuring the in-the-wild effectiveness of Antivirus against Zeus" (PDF). Archived from the original (PDF) on November 6, 2011. Retrieved 2012-02-05.
  26. 1 2 Richard S. Westmoreland (2010-10-20). "Antisource - ZeuS". Archived from the original on 2012-01-20. Retrieved 2012-02-05.
  27. Horowitz, Michael (2012-02-06). "Online banking: what the BBC missed and a safety suggestion" . Retrieved 2012-02-08.
  28. Purdy, Kevin (2009-10-14). "Use a Linux Live CD/USB for Online Banking" . Retrieved 2012-02-04.
  29. Konoth, Radhesh Krishnan; van der Veen, Victor; Bos, Herbert (2017). "How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication". In Grossklags, Jens; Preneel, Bart (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Vol. 9603. Berlin, Heidelberg: Springer. pp. 405–421. doi:10.1007/978-3-662-54970-4_24. ISBN   978-3-662-54970-4.
  30. Finextra Research (2008-11-13). "Commerzbank to deploy Cronto mobile phone-based authentication technology" . Retrieved 2012-02-08.
  31. Chickowski, Ericka (2010-10-05). "'Man In The Mobile' Attacks Highlight Weaknesses In Out-Of-Band Authentication". Archived from the original on 2012-03-01. Retrieved 2012-02-09.
  32. 1 2 Schwartz, Mathew J. (2011-07-13). "Zeus Banking Trojan Hits Android Phones". Archived from the original on 2012-07-06. Retrieved 2012-02-04.
  33. Balan, Mahesh (2009-10-14). "Internet Banking & Mobile Banking users beware – ZITMO & SPITMO is here !!" . Retrieved 2012-02-05.
  34. Sartain, Julie (2012-02-07). "How to protect online transactions with multi-factor authentication" . Retrieved 2012-02-08.
  35. Imperva (2010-02-14). "Threat Advisory Boy in the Browser" . Retrieved 2015-03-12.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.