Man-in-the-browser

Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse^[1] that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two or three-factor Authentication solutions are in place. A MitB attack may be countered by utilising out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software^[2] with a 23% success rate against Zeus in 2009,^[3] and still low rates in 2011.^[4] The 2011 report concluded that additional measures on top of antivirus were needed.^[4] A related, more simple attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking.

Description

The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds".^[5] The name "Man-in-the-Browser" was coined by Philipp Gühring on 27 January 2007.^[6]

A MitB Trojan works by utilising common facilities provided to enhance browser capabilities such as Browser Helper Objects (a feature limited to Internet Explorer), browser extensions and user scripts (for example in JavaScript) etc.^[6] Antivirus software can detect some of these methods.^[2]

In a nutshell example exchange between user and host, such as an Internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.

Examples

Examples of MitB threats on different operating systems and web browsers:

Man-in-the-Browser examples
Name	Details	Operating system	Browser
Agent.DBJP^[7]		Windows	IE, Firefox
Bugat^[8]		Windows	IE, Firefox
Carberp	targets Facebook users redeeming e-cash vouchers^[9]	Windows	IE, Firefox
ChromeInject*^[10]	Greasemonkey impersonator^[11]	Windows	Firefox
Clampi^[12]		Windows	IE
Gozi^[1]		Windows	IE, Firefox
Nuklus^[2]^[11]		Windows	IE
OddJob^[13]	keeps bank session open	Windows	IE, Firefox
Silentbanker^[14]		Windows	IE, Firefox
Silon^[15]		Windows	IE
SpyEye^[16]	successor of Zeus, widespread, low detection	Windows	IE, Firefox
Sunspot^[17]	widespread, low detection	Windows	IE, Firefox
Tatanga^[18]		Windows	IE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, Konqueror
Tiny Banker Trojan^[19]	Smallest banking Trojan detected in wild at 20KB	Windows	IE, Firefox
Torpig**^[15]		Windows	IE, Firefox
URLZone****^[1]		Windows	IE, Firefox, Opera
Weyland-Yutani BOT^[20]	crimeware kit similar to Zeus, not widespread^[20]^[21]	Mac OS X	Firefox
Yaludle^[15]		Windows	IE
Zeus***^[12]	widespread, low detection	Windows	IE, Firefox

Key	Windows: IE	Windows: IE & Firefox or Firefox	Windows: other	Mac OS X: any
*ChromeInject aka ChromeInject.A, ChromeInject.B, Banker.IVX, Inject.NBT, Bancos-BEX, Drop.Small.abw^[10]
**Torpig aka Sinowal, Anserin^[1]
***Zeus aka ZeuS, Zbot,^[22] Wsnpoem,^[23]^[24] NTOS,^[3] PRG,^[3] Kneber,^[25] Gorhax^[25]
****URLZone aka Bebloh!IK, Runner.82176, Monder, ANBR, Sipay.IU, Runner.fq, PWS.y!cy, Zbot.gen20, Runner.J, BredoPk-B, Runner.EQ

Protection

Antivirus

Known Trojans may be detected, blocked and removed by antivirus software.^[2] In a 2009 study, the effectiveness of antivirus against Zeus was 23%,^[3] and again low success rates were reported in a separate test in 2011.^[4] The 2011 report concluded that additional measures on top of antivirus were needed.^[4]

Hardened software

Browser security software: MitB attacks may be blocked by in-browser security software such as Trusteer Rapport for Microsoft Windows and Mac OS X which blocks the APIs from browser extensions and controls communication.^[11]^[12]^[15]
Alternative software: Reducing or eliminating the risk of malware infection by using portable applications or using alternatives to Microsoft Windows like Mac OS X, Linux, or mobile OSes Android, iOS, Chrome OS, Windows Mobile, Symbian etc., and/or browsers Chrome, Opera.^[26] Further protection can be achieved by running this alternative OS, like Linux, from a non-installed live CD, or Live USB.^[27]
Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution. In this case MitB attacks are avoided as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine.

Out-of-band transaction verification

A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example an automated telephone call, SMS, or a dedicated mobile app with graphical cryptogram.^[28] OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices yet enables three-factor authentication (utilising voice biometrics), transaction signing (to non-repudiation level) and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps.

Man-in-the-Mobile

Mobile phone mobile Trojan spyware man-in-the-mobile (MitMo)^[29] can defeat OOB SMS transaction verification.^[30]

ZitMo (Zeus-In-The-Mobile) is not a MitB Trojan itself (although it performs a similar proxy function on the incoming SMSes), but is mobile malware suggested for installation on a mobile phone by a Zeus infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on Windows Mobile, Android, Symbian, BlackBerry.^[30] ZitMo may be detected by Antivirus running on the mobile device.
SpitMo (SpyEye-In-The-Mobile, SPITMO), is similar to ZitMo.^[31]

Web fraud detection

Web Fraud Detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions.^[32]

Related attacks

Proxy trojans

Keyloggers are the most primitive form of proxy trojans, followed by browser-session recorders which capture more data, and lastly MitBs are the most sophisticated type.^[1]

Man-in-the-middle

Main article: Man-in-the-middle

SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offers no protection in a man-in-the-browser attack.

Boy-in-the-browser

A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.^[33]

Clickjacking

Main article: Clickjacking

Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.

References

1 2 3 4 5 Bar-Yosef, Noa (2010-12-30). "The Evolution of Proxy Trojans". Retrieved 2012-02-03.
1 2 3 4 F-Secure (2007-02-11). "Threat Description: Trojan-Spy:W32/Nuklus.A". Retrieved 2012-02-03.
1 2 3 4 Trusteer (2009-09-14). "Measuring the in-the-wild effectiveness of Antivirus against Zeus" (PDF). Archived from the original (PDF) on November 6, 2011. Retrieved 2012-02-05.
1 2 3 4 Quarri Technologies, Inc (2011). "Web Browsers: Your Weak Link in Achieving PCI Compliance" (PDF). Retrieved 2012-02-05.
↑ Paes de Barros, Augusto (15 September 2005). "O futuro dos backdoors - o pior dos mundos" (PDF) (in Portuguese). Sao Paulo, Brazil: Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança - CNASI. Archived from the original (PDF) on July 6, 2011. Retrieved 2009-06-12.
1 2 Gühring, Philipp (27 January 2007). "Concepts against Man-in-the-Browser Attacks" (PDF). Retrieved 2008-07-30.
↑ Dunn, John E (2010-07-03). "Trojan Writers Target UK Banks With Botnets". Retrieved 2012-02-08.
↑ Dunn, John E (2010-10-12). "Zeus not the only bank Trojan threat, users warned". Retrieved 2012-02-03.
↑ Curtis, Sophie (2012-01-18). "Facebook users targeted in Carberp man-in-the-browser attack". Retrieved 2012-02-03.
1 2 Marusceac Claudiu Florin (2008-11-28). "Trojan.PWS.ChromeInject.B Removal Tool". Retrieved 2012-02-05.
1 2 3 Nattakant Utakrit, School of Computer and Security Science, Edith Cowan University (2011-02-25). "Review of Browser Extensions, a Man-in-theBrowser Phishing Techniques Targeting Bank Customers". Retrieved 2012-02-03.
1 2 3 Symantec Marc Fossi (2010-12-08). "ZeuS-style banking Trojans seen as greatest threat to online banking: Survey". Retrieved 2012-02-03.
↑ Ted Samson (2011-02-22). "Crafty OddJob malware leaves online bank accounts open to plunder". Retrieved 2012-02-06.
↑ Symantec Marc Fossi (2008-01-23). "Banking with Confidence". Retrieved 2008-07-30.
1 2 3 4 Trusteer. "Trusteer Rapport". Retrieved 2012-02-03.
↑ CEO of Trusteer Mickey Boodaei (2011-03-31). "Man-in-the-Browser attacks target the enterprise". Retrieved 2012-02-03.
↑ www.net-security.org (2011-05-11). "Explosive financial malware targets Windows". Retrieved 2012-02-06.
↑ Jozsef Gegeny; Jose Miguel Esparza (2011-02-25). "Tatanga: a new banking trojan with MitB functions". Retrieved 2012-02-03.
↑ "Tiny 'Tinba' Banking Trojan Is Big Trouble". msnbc.com. Retrieved 2016-02-28.
1 2 Borean, Wayne (2011-05-24). "The Mac OS X Virus That Wasn't". Retrieved 2012-02-08.
↑ Fisher, Dennis (2011-05-02). "Crimeware Kit Emerges for Mac OS X". Archived from the original on September 5, 2011. Retrieved 2012-02-03.
↑ F-secure. "Threat DescriptionTrojan-Spy:W32/Zbot". Retrieved 2012-02-05.
↑ Hyun Choi; Sean Kiernan (2008-07-24). "Trojan.Wsnpoem Technical Details". Symantec. Retrieved 2012-02-05.
↑ Microsoft (2010-04-30). "Encyclopedia entry: Win32/Zbot - Learn more about malware - Microsoft Malware Protection Center". Symantec. Retrieved 2012-02-05.
1 2 Richard S. Westmoreland (2010-10-20). "Antisource - ZeuS". Retrieved 2012-02-05.
↑ Horowitz, Michael (2012-02-06). "Online banking: what the BBC missed and a safety suggestion". Retrieved 2012-02-08.
↑ Purdy, Kevin (2009-10-14). "Use a Linux Live CD/USB for Online Banking". Retrieved 2012-02-04.
↑ Finextra Research (2008-11-13). "Commerzbank to deploy Cronto mobile phone-based authentication technology". Retrieved 2012-02-08.
↑ Chickowski, Ericka (2010-10-05). "'Man In The Mobile' Attacks Highlight Weaknesses In Out-Of-Band Authentication". Retrieved 2012-02-09.
1 2 Schwartz, Mathew J. (2011-07-13). "Zeus Banking Trojan Hits Android Phones". Retrieved 2012-02-04.
↑ Balan, Mahesh (2009-10-14). "Internet Banking & Mobile Banking users beware – ZITMO & SPITMO is here !!". Retrieved 2012-02-05.
↑ Sartain, Julie (2012-02-07). "How to protect online transactions with multi-factor authentication". Retrieved 2012-02-08.
↑ Imperva (2010-02-14). "Threat Advisory Boy in the Browser". Retrieved 2015-03-12.

External links

Virus attack on HSBC Transactions with OTP Device
Virus attack on ICICI Bank Transactions
Virus attack on Citibank Transactions
Hackers outwit online banking identity security systems BBC Click
Antisource - ZeuS A summary of ZeuS as a Trojan and Botnet, plus vector of attacks
Man-In-The-Browser Video on YouTube Entrust President and CEO Bill Conner
Zeus: King of crimeware toolkits Video on YouTube The Zeus toolkit, Symantec Security Response
How safe is online banking? Audio BBC Click
Boy-in-the-Browser Cyber Attack Video on YouTube Imperva

Malware topics

Infectious malware	Computer virus Comparison of computer viruses Computer worm List of computer worms Timeline of computer viruses and worms

Concealment	Trojan horse Rootkit Backdoor Zombie computer Man-in-the-middle Man-in-the-browser Man-in-the-mobile Clickjacking

Malware for profit	Privacy-invasive software Adware Spyware Botnet Keystroke logging Form grabbing Web threats Fraudulent dialer Malbot Scareware Rogue security software Ransomware

By operating system	Linux malware Palm OS viruses Mobile malware Macro virus Macintosh (old) viruses Mac OS X malware iOS malware Android malware

Protection	Anti-keylogger Antivirus software Browser security Internet security Mobile security Network security Defensive computing Firewall Intrusion detection system Data loss prevention software

Countermeasures	Computer and network surveillance Operation: Bot Roast Honeypot Anti-Spyware Coalition

Botnets

Notable botnets	Akbot Asprox Bagle Bredolab Cutwail Conficker Donbot Festi Grum Gumblar Kelihos Koobface Kraken Lethic Mariposa Mega-D Mirai Metulji Nitol Rustock Sality Slenfbot Srizbi Storm TDL-4 Torpig Virut Waledac ZeroAccess Zeus

Main articles	Browser security Computer virus Computer worm Malbot Internet security Malware Man-in-the-browser Network security Operation: Bot Roast Trojan horse

Web browsers

Features	Ad filtering Augmented browsing Bookmarks Bookmarklet Live bookmark Smart Bookmarks Browser extension Browser security Browser synchronizer comparison Cookies Download manager Favicon Incremental search Plug-in Privacy mode Tabs Universal Edit Button

Web standards	Acid tests Cascading Style Sheets HTML HTML5 JavaScript MathML OCSP SVG WebGL XHTML

Related topics	BrowserChoice.eu CRL HTTP HTTPS iLoo Internet suite Man-in-the-browser Mobile Web Offline reader PAC Pwn2Own Rich Internet application Site-specific browser SPDY SSL/TLS WebSocket Widget World Wide Web WPAD XML

Desktop

Blink-based	Chromium Brave Chrome Dragon Opera Sleipnir Slimjet SRWare Iron UC Browser Vivaldi Yandex.Browser Sputnik

WebKit-based	Arora Avant Dooble Epic Flock Fluid iCab Konqueror Lunascape Maxthon Midori OmniWeb Origyn Web Browser Otter Browser QtWeb QupZilla rekonq Safari Shiira SlimBoat surf Torch Uzbl Web WebPositive xombrero

Trident-based	AOL Explorer Avant Deepnet Explorer GreenBrowser Internet Explorer Lunascape Maxthon MediaBrowser MenuBox NeoPlanet NetCaptor SlimBrowser SpaceTime UltraBrowser WebbIE ZAC Browser

Gecko-based	AT&T Pogo Avant Camino Firefox Conkeror GNU IceCat IceDragon Swiftfox Swiftweasel TenFourFox Timberwolf Tor Browser Waterfox xB Browser Galeon Ghostzilla K-Meleon Kazehakase Kirix Strata Lotus Symphony Lunascape Mozilla Beonex Communicator Classilla Netscape SeaMonkey

Text-based	ELinks Emacs/W3 Line Mode Browser Links Lynx w3m

Other	abaco Amaya Arachne Arena Charon Dillo eww Gazelle HotJava IBM Home Page Reader IBrowse KidZui Microsoft Edge Mosaic Mothra NetPositive NetSurf Pale Moon

Mobile

Blink-based	Android Browser Chromium Brave Chrome Opera Mobile Silk

WebKit-based	BOLT Dolphin Browser Firefox for iOS Maxthon Mercury Browser Nokia Browser for Symbian Rockmelt Safari Steel

Trident-based	Maxthon

Gecko-based	Firefox for Android MicroB Minimo

Presto-based	Opera Mini

Other	Blazer CM Browser Deepfish ibisBrowser Internet Explorer Mobile Iris Browser Konqueror Embedded Microsoft Edge NetFront Nokia Xpress Skweezer Skyfire Teashark ThunderHawk UC Browser Vision WinWAP Smooz(ja)

Television and video game console

WebKit-based	Google TV Nintendo 3DS Internet Browser Nintendo DS & DSi Browser NetFront Steam Overlay Wii U Internet Browser

Gecko-based	Kylo

Presto-based	Internet Channel

Other	MSN TV

Software no longer in development shown in italics

Category
Commons
Internet portal
Software portal

This article is issued from Wikipedia - version of the 11/8/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.