Realizing that something fishy is going on, he immediately checks his bank statements and finds a charge of $2,000<\/strong> instead of $20 for the transaction made on the same day and from the same ecommerce site (Amazon)! Bob knows that it\u2019s unlikely that a well-known ecommerce site like Amazon would commit fraud. So, what just happened? It\u2019s then that Bob realizes that he has become the victim of a man-in-the-browser attack! <\/p>\n\n\n\n In this article, we\u2019ll explore what a man-in-the-browser is, execution, and some tips to prevent them. <\/p>\n\n\n\n A man-in-the-browser (MitB) attack occurs when an attacker inserts a special type of trojan horse<\/a> into the users\u2019 web browser via a<\/p>\n\n\n\n This allows an attacker to exploit the browser\u2019s security vulnerability. It enables hackers to read, intercept, steal, and modify the actions performed on the browser. <\/p>\n\n\n\n This MitB trojan can control the browser in one or more of the following ways: <\/p>\n\n\n\n The user and the website’s server don’t have any knowledge of such modifications until it\u2019s too late. Man-in-the-browser attacks can defraud even the most vigilant users and are immune to some well-known security mechanisms like secure SSL\/TLS certificates<\/a> and two-factor authentication<\/a>. <\/p>\n\n\n\n Unlike the phishing attacks<\/a> where users are tricked into entering their credentials on a fake site, in the MitB attacks, users perform all the actions on the legitimate site. Hence, no authentication<\/a> step has been bypassed. MitB trojan modifies the data before it gets encrypted.<\/p>\n\n\n\n Although man-in-the-browser attacks are conducted in various ways, the following hacking technique is the most common among all. Let\u2019s understand the entire man-in-the-browser process in 10 steps. <\/p>\n\n\n\n As you can see, both the user and the website are acting in good faith. The website has followed only the instructions that it received from the user. The user experiences a seamless transaction where the confirmation receipt reflects the same transaction details that they\u2019d expect, so they\u2019re not likely to assume that something is amiss. <\/p>\n\n\n\n In general, the man-in-the-browser attacks target websites where users perform any sort of transaction. For example, <\/p>\n\n\n\n However, the scope is not limited to the transactions only. The man-in-the-browser attacks are also used to steal the data. Here, the perpetrator steals data from the legit website\u2019s form or login pages. Forms can be inquiry forms or contact forms. They can also add new fields such as social security numbers, phone numbers, bank account numbers, etc. in the existing forms, too. Needless to say, all the data filled by the user in such forms are instantly received by the hackers. <\/p>\n\n\n\n Hackers also execute man-in-the-browser attacks against the company’s internal website or project management websites, which employees use to store and share confidential data. <\/p>\n\n\n\n These are some famous widespread trojans used for MitB attacks: <\/p>\n\n\n\n Zeus is a widely spread trojan that man-in-the-browsers use for keystroke logging (recording user\u2019s keyboard activity to monitor actions) and form grabbing (stealing login credentials from online forms). It gets installed on the user’s device via phishing emails<\/a> or malicious software downloads. <\/p>\n\n\n\n Zeus is considered to be the most dangerous trojan as it has successfully hacked FTP accounts of well-known websites<\/a> such as play.com, Amazon.com, Bank of America, United States Department of Transportation (US DOT), Cisco, NASA, BusinessWeek, ABC and Monster.com. <\/p>\n\n\n\n The Zeus trojan is used by scam artists to steal banking credentials and make unauthorized fund transfers. It also executes technical support scams by inserting a fake pop-up message on the website the user is visiting. The pop-up warns a user that their system is infected with the virus and defraud them by charging for virus removal. <\/p>\n\n\n\n This trojan gets installed in the following locations: <\/p>\n\n\n\n It can connect to some remote sites, check internet connection, download other malware from the internet, and run files. <\/p>\n\n\n\n One of the Carberp<\/a> trojan’s most notable targets is Facebook<\/a>. It infected some users\u2019 Firefox and Internet Explorer browsers. When users used one of these corrupt browser to open Facebook, it replaced the pages the users visited with fake ones. It asked for users\u2019 cash equivalent e-cash voucher number to defraud them. <\/p>\n\n\n\n This trojan is designed to execute man-in-the-browser attacks against the banking website<\/a>. It gets installed in Firefox or Internet Explorer and gets activated when the user opens a banking site. It keeps the banking session open even after the user has logged out of their account. This allows an attacker to steal the legitimate user’s real-time session ID tokens to do banking transactions on their behalf. <\/p>\n\n\n\n The most dangerous thing about this trojan is that it doesn\u2019t get stored on the device\u2019s disk. Hence, the anti-malware software can\u2019t detect it. It operates directly from the command-and-control server. Every time the user opens the banking site, a new trojan gets installed and deletes itself after the transaction is complete. <\/p>\n\n\n\n Tatanga is a banking trojan that is so powerful that it bypasses the mobile’s SMS authentication to complete the fraudulent financial transaction. Unlike the aforementioned trojans that affect only Internet Explorer or Firefox, Tatanga affects all of the major browsers, including IE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, and Konqueror. <\/p>\n\n\n\n Although the trojans used for man-in-the-browser attacks are evolving every single day, you can prevent them by being vigilant and with the use of some technological tools. These are five technologies or processes you can implement to prevent MitB attacks: <\/p>\n\n\n\n In this method, the browser is not used for two-factor or sometimes multi-factor authorization (MFA). Instead, a mobile phone\u2019s SMS facility or an automated phone call is used to deliver the one-time password (OTP) or the secret pin. <\/p>\n\n\n\n The SMS or phone call contains all the information about the transaction along with the OPT. But the user must be vigilant and check all the information received on the SMS\/phone call before submitting the OTP to the browser. However, you can\u2019t rely on this method 100% because trojans like Tatanga, Zeus and SpyEye can corrupt the mobiles and intercept all the incoming SMS messages, too. <\/p>\n\n\n\n Some of the common man in the browser trojans have a similar storage pattern. Be sure to regularly check the following folders: <\/p>\n\n\n\n Paths: <\/p>\n\n\n\n C:\/Program File <\/p>\n\n\n\n C:\/Program Files (x86) <\/p>\n\n\n\n C:\/Windows\/Temp <\/p>\n\n\n\n If you detect any unauthorized new software, scan it with anti-malware software and conduct an internet search to get more information about it. If you find anything suspicious, remove such unknown software. <\/p>\n\n\n\n Antivirus software can detect and remove some of the man-in-the-browser trojans. Regularly scan your devices with the antivirus software. Some of the antiviruses also show you the security dialogue box if it finds anything suspicious getting downloaded from the internet. However, antivirus software can’t prevent all the latest trojans. There is some browser security software available, too. <\/p>\n\n\n\n These five solutions claim to prevent MitB attacks: <\/p>\n\n\n\n Be careful while downloading any software or media files such as songs, images, and videos from unknown sites. Always scan the downloaded files with a robust antivirus program. <\/p>\n\n\n\n If you suspect any links or buttons, right-click on them and hit Inspect<\/strong>. You\u2019ll see a window with a bunch of codes in which you can see where exactly the link\/button is redirecting you to. <\/p>\n\n\n\n Never click on the links or advertisements that look too good to be true. For example, advertisements like winning the big lottery, casino prices, making thousands of dollars while working from home, etc. <\/p>\n\n\n\n If you\u2019re surfing an unknown website that asks you to update browser, software, or media player, never download from the link provided by those websites. If you\u2019re using an outdated version, go to that browser\/software’s official site and download the updated version directly from there. <\/p>\n\n\n\n One of the most popular ways of distributing the man-in-the-browser trojan is via phishing emails. That’s why always check the email headers and the sender’s email address to ensure emails are sent from the official company’s domain name. For example, if you get an email claiming to be from Amazon, it must be from an email address that ends in “@amazon.com” instead of Gmail, Yahoo, or any other generic email address. <\/p>\n\n\n\n Don\u2019t download any attachments from emails before having them scanned through reliable antivirus software. Before clicking on a link from an email, hover over cursor on the link and check where it actually points to. <\/p>\n\n\n\n Phishing email example: <\/p>\n\n\n\n A man in the browser attack is considered one of the most difficult cyber attacks<\/a> to detect and prevent. So, let\u2019s understand why, exactly, it\u2019s earned such a bad reputation. <\/p>\n\n\n\n In the regular phishing attacks, the attackers redirect users to a website that looks similar to the original site and trick users to submit their information. Here, the users still get a chance to detect the fraud as the domain name is going to be different. But in the man-in-the-browser attacks, the users are visiting the original website only. They don\u2019t have any reason to be suspicious and to detect the attack. <\/p>\n\n\n\n All good websites use robust technology such as enabling two-factor authentication, enforcing users to set strong passwords, limiting login attempts, enabling re-captcha, etc. They even send mobile\/email alerts to the user if there is a suspicious login attempt from a new device or geographical location. These steps help the servers to detect and prevent brute force attacks and unauthorized access to the users\u2019 account. <\/p>\n\n\n\n However, in man in the browser attacks, users themselves are logging in with their original credentials and completing the authentication process. Hence, the server has nothing to be suspicious about, and they can’t detect the attack. <\/p>\n\n\n\n In layman\u2019s terms, an SSL\/TLS certificate\u2019s job is to securely communicate data between the browser and the website\u2019s server. It uses public key infrastructure (PKI) technology, up to 256-bits<\/a> AES, RSA or ECC algorithm to encrypt the session key and up to 2048 bit strong public and private key to protect the data in transit. But the SSL certificate\u2019s protection is offered on the network side, while the man-in-the-browser attacks are executed on the application side. The trojan modifies the data on the browser level, even before the data transmits through the encrypted SSL\/TLS communication tunnel. <\/p>\n\n\n\n Consider this scenario: A food delivery person\u2019s job is to take food from the restaurant and safely delivers it to the stipulated address. But what if the restaurant manager hands over him a wrong food parcel or a wrong delivery address? In the same way, the SSL\/TLS can\u2019t prevent the man-in-the-browser attacks because the data is already modified before it is handed over to the SSL\/TLS technology\u2019s encrypted tunnel. <\/p>\n\n\n\nWhat is a Man in the Browser Attack? <\/h2>\n\n\n\n
How Man-in-the-Browser Attacks Are Executed <\/h2>\n\n\n\n
Phase 1: Malware Insertion <\/h3>\n\n\n\n
Phase 2: Transaction Interruption <\/h3>\n\n\n\n
Phase 3: Response Modification <\/h3>\n\n\n\n
Where MitB Attacks Are Most Commonly Used <\/h2>\n\n\n\n
Popular Trojans Used for Man-in-the-Browser Attacks <\/h2>\n\n\n\n
1. Zeus <\/h3>\n\n\n\n
2. Carberp <\/h3>\n\n\n\n
3. OddJob <\/h3>\n\n\n\n
4. Tatanga <\/h3>\n\n\n\n
Tips to Prevent Man-in-the-Browser Attacks <\/h2>\n\n\n\n
1. Out-of-Band Authentication <\/h3>\n\n\n\n
2. Manual Checking of Your Program Files <\/h3>\n\n\n\n
3. Use Security Software <\/h3>\n\n\n\n
4. Be Vigilant While Surfing on an Unknown Website <\/h3>\n\n\n\n
5. Beware Phishing Emails <\/h3>\n\n\n\n
![\"An](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/man-in-the-browser-devliery-phishing-example.png\")
<\/figure><\/div>\n\n\n\nDetection Challenges Relating to Man in the Browser Attacks <\/h2>\n\n\n\n
Detection Challenges for Users <\/h3>\n\n\n\n
Detection Challenges for Website Servers <\/h3>\n\n\n\n
Detection Challenges for SSL\/TLS Certificate <\/h3>\n\n\n\n
Final Words on MitB Attacks <\/h2>\n\n\n\n