Man-in-the-browser
Man-in-the-browser, a form of Internet threat related to man-in-the-middle, is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two or three-factor Authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile malware infection on the mobile phone. Trojans may be detected and removed by antivirus software with a 23% success rate against Zeus in 2009, and still low rates in 2011. The 2011 report concluded that additional measures on top of antivirus were needed. A related, simpler attack is the boy-in-the-browser. The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking.
Description
The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds". The name "Man-in-the-Browser" was coined by Philipp Gühring on 27 January 2007.A MitB Trojan works by using common facilities provided to enhance browser capabilities such as Browser Helper Objects, browser extensions and user scripts etc. Antivirus software can detect some of these methods.
In a nutshell example exchange between user and host, such as an Internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.
Examples
Examples of MitB threats on different operating systems and web browsers:| Name | Details | Operating system | Browser |
| Agent.DBJP | Windows | IE, Firefox | |
| Bugat | Windows | IE, Firefox | |
| Carberp | targets Facebook users redeeming e-cash vouchers | Windows | IE, Firefox |
| ChromeInject* | Greasemonkey impersonator | Windows | Firefox |
| Clampi | Windows | IE | |
| Gozi | Windows | IE, Firefox | |
| Nuklus | Windows | IE | |
| OddJob | keeps bank session open | Windows | IE, Firefox |
| Silentbanker | Windows | IE, Firefox | |
| Silon | Windows | IE | |
| SpyEye | successor of Zeus, widespread, low detection | Windows | IE, Firefox |
| Sunspot | widespread, low detection | Windows | IE, Firefox |
| Tatanga | Windows | IE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, Konqueror | |
| Tiny Banker Trojan | Smallest banking Trojan detected in wild at 20KB | Windows | IE, Firefox |
| Torpig** | Windows | IE, Firefox | |
| URLZone**** | Windows | IE, Firefox, Opera | |
| Weyland-Yutani BOT | crimeware kit similar to Zeus, not widespread | Mac OS X | Firefox |
| Yaludle | Windows | IE | |
| Zeus*** | widespread, low detection | Windows | IE, Firefox |
Protection
[Antivirus]
Known Trojans may be detected, blocked, and removed by antivirus software. In a 2009 study, the effectiveness of antivirus against Zeus was 23%, and again low success rates were reported in a separate test in 2011. The 2011 report concluded that additional measures on top of antivirus were needed.Hardened software
- Browser security software: MitB attacks may be blocked by in-browser security software such as Cymatic.io, Trusteer Rapport for Microsoft Windows and Mac OS X, which blocks the APIs from browser extensions and controls communication.
- Alternative software: Reducing or eliminating the risk of malware infection by using portable applications or using alternatives to Microsoft Windows like Mac OS X, Linux, or mobile OSes Android, iOS, Chrome OS, Windows Mobile, Symbian, etc., and/or browsers Chrome or Opera. Further protection can be achieved by running this alternative OS, like Linux, from a non-installed live CD, or Live USB.
- Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution. In this case, MitB attacks are avoided, as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine.
Out-of-band transaction verification
Man-in-the-Mobile
spyware man-in-the-mobile can defeat OOB SMS transaction verification.- ZitMo is not a MitB Trojan itself, but is mobile malware suggested for installation on a mobile phone by a Zeus-infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on Windows Mobile, Android, Symbian, and BlackBerry. ZitMo may be detected by Antivirus running on the mobile device.
- SpitMo is similar to ZitMo.
Web fraud detection
Related attacks
Proxy trojans
are the most primitive form of proxy trojans, followed by browser-session recorders that capture more data, and lastly MitBs are the most sophisticated type.Man-in-the-middle
SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offers no protection in a man-in-the-browser attack.Boy-in-the-browser
A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser. Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.Clickjacking
Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.DDoS over WiFi and related exploits
Some phones and tablets in current use have a known vulnerability to DDoS over WiFi, and this has been documented on certain Android phones. The vulnerability is that if an attacker detects that someone is using sharing, it is possible to target the phone or tablet directly using a packet collision similar to the one found on LAN networks requiring guessing the device sharing password using a rainbow table and cloning the SSID, thus forcing a reboot after enough data has built up in RAM causing a buffer overflow. During this narrow window, malicious software can be used to install a rootkit or other malware over the diagnostics OTA channel before the antivirus has a chance to load in a similar way to how sideloading over USB works. It appears that there is no defense at present other than not using sharing or changing the password after a short random interval, e.g. WPA2-TKIP, which not all devices support.WPA3-OTP may be a solution if a sufficiently large memory at both ends is used, e.g. 400GB.