man-in-the-browser
{{Short description|Web browser security threat}}
Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse{{cite web|url=http://www.securityweek.com/evolution-proxy-trojans|title=The Evolution of Proxy Trojans|first=Noa|last=Bar-Yosef|date=2010-12-30|access-date=2012-02-03}} that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software,{{cite web|url=http://www.f-secure.com/v-descs/trojan-spy_w32_nuklus_a.shtml|title=Threat Description: Trojan-Spy:W32/Nuklus.A|author=F-Secure|date=2007-02-11|access-date=2012-02-03}} but a 2011 report concluded that additional measures on top of antivirus software were needed.{{cite web|url=http://www.quarri.com/files/Quarri_PCI_Brief.pdf|title=Web Browsers: Your Weak Link in Achieving PCI Compliance|author=Quarri Technologies, Inc|year=2011|access-date=2012-02-05}}{{Update inline|date=February 2023}}
A related, simpler attack is the boy-in-the-browser (BitB, BITB).
The majority of financial service professionals in a 2014 survey considered MitB to be the greatest threat to online banking.{{Cite journal|last1=Fernandes|first1=Diogo A. B.|last2=Soares|first2=Liliana F. B.|last3=Gomes|first3=João V.|last4=Freire|first4=Mário M.|last5=Inácio|first5=Pedro R. M.|date=2014-04-01|title=Security issues in cloud environments: a survey|url=https://doi.org/10.1007/s10207-013-0208-7|journal=International Journal of Information Security|language=en|volume=13|issue=2|pages=113–170|doi=10.1007/s10207-013-0208-7|s2cid=3330144 |issn=1615-5270|url-access=subscription}}
Description
The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds."{{cite web|url=http://www.paesdebarros.com.br/backdoors.pdf |title=O futuro dos backdoors - o pior dos mundos |publisher=Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança - CNASI |location=Sao Paulo, Brazil |language=pt |last=Paes de Barros |first=Augusto |date=15 September 2005 |access-date=2009-06-12 |url-status=dead |archive-url=https://web.archive.org/web/20110706153819/http://www.paesdebarros.com.br/backdoors.pdf |archive-date=July 6, 2011 }} The name "man-in-the-browser" was coined by Philipp Gühring on 27 January 2007.
A MitB Trojan works by using common facilities provided to enhance browser capabilities such as Browser Helper Objects (a feature limited to Internet Explorer), browser extensions and user scripts (for example in JavaScript).{{cite web|url=http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf|title=Concepts against Man-in-the-Browser Attacks|last=Gühring|first=Philipp|date=27 January 2007|access-date=2008-07-30}} Antivirus software can detect some of these methods.
As a simple example of an exchange between user and host, such as an Internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly a different amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.
Examples
Examples of MitB threats on different operating systems and web browsers:
Protection
=[[Antivirus]]=
=Hardened software=
- Browser security software: MitB attacks may be blocked by in-browser security software such as Cymatic.io, Trusteer Rapport for Microsoft Windows and Mac OS X, which blocks the APIs from browser extensions and controls communication.
- Alternative software: Reducing or eliminating the risk of malware infection by using portable applications or using alternatives to Microsoft Windows like Mac OS X, Linux, or mobile OSes Android, iOS, ChromeOS, Windows Mobile, Symbian, etc., and/or browsers Chrome or Opera.{{cite web|url=http://blogs.computerworld.com/19692/online_banking_what_the_bbc_missed_and_a_safety_suggestion|title=Online banking: what the BBC missed and a safety suggestion|first=Michael|last=Horowitz|date=2012-02-06|access-date=2012-02-08}} Further protection can be achieved by running this alternative OS, like Linux, from a non-installed live CD, or Live USB.{{cite web|url=http://lifehacker.com/5381466/use-a-linux-live-cdusb-for-online-banking|title=Use a Linux Live CD/USB for Online Banking|first=Kevin|last=Purdy|date=2009-10-14|access-date=2012-02-04}}
- Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution.{{Cite book|last1=Konoth|first1=Radhesh Krishnan|last2=van der Veen|first2=Victor|last3=Bos|first3=Herbert|title=Financial Cryptography and Data Security |chapter=How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication |date=2017|editor-last=Grossklags|editor-first=Jens|editor2-last=Preneel|editor2-first=Bart|chapter-url=https://link.springer.com/chapter/10.1007/978-3-662-54970-4_24|series=Lecture Notes in Computer Science|volume=9603 |language=en|location=Berlin, Heidelberg|publisher=Springer|pages=405–421|doi=10.1007/978-3-662-54970-4_24|isbn=978-3-662-54970-4}} In this case, MitB attacks are avoided, as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine.
=Out-of-band transaction verification=
A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example, an automated telephone call, SMS, or a dedicated mobile app with a graphical cryptogram.{{cite web|url=http://www.finextra.com/news/fullstory.aspx?newsitemid=19280|title=Commerzbank to deploy Cronto mobile phone-based authentication technology|author=Finextra Research|date=2008-11-13|access-date=2012-02-08}} OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices, yet enables three-factor authentication (using voice biometrics), transaction signing (to non-repudiation level), and transaction verification. The downside is that OOB transaction verification adds to the end-user's frustration with more and slower steps.
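As an added illustration (not part of the original article) of the altered-transfer exchange described under Description and the out-of-band verification described above: a Python simulation in which the bank builds the OOB challenge from the details it actually received and binds the confirmation code to them with an HMAC, so a browser-side rewrite of the destination account becomes visible on the second channel. The account identifiers and the shared key are constructed values.

```python
import hmac
import hashlib

# Constructed per-customer secret shared by the bank and the customer's OOB
# device (hypothetical value; a real deployment provisions this per device).
CUSTOMER_OOB_KEY = b"constructed-demo-key-not-for-real-use"

def canonical(tx):
    # Fixed field order so the code is bound to exactly these details.
    return f"{tx['src']}|{tx['dst']}|{tx['amount_cents']}".encode()

def bank_issue_oob(tx, key=CUSTOMER_OOB_KEY):
    """Bank side: build the OOB challenge from the transaction AS RECEIVED.
    The code is an HMAC over those details, so it is useless for any other."""
    code = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8].upper()
    return {"dst": tx["dst"], "amount_cents": tx["amount_cents"], "code": code}

def user_verify(intended, oob):
    """User side, on the OOB device: approve only if the details the bank
    received match what the user typed. Returns the code to enter, or None."""
    if oob["dst"] != intended["dst"] or oob["amount_cents"] != intended["amount_cents"]:
        return None  # the tampering is visible here, not in the browser
    return oob["code"]

def bank_execute(tx, entered_code, key=CUSTOMER_OOB_KEY):
    """Bank side: run the transfer only if the entered code matches the HMAC
    over the received details (constant-time comparison)."""
    expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8].upper()
    return entered_code is not None and hmac.compare_digest(expected, entered_code)

def simulate(browser_tampered):
    """Returns True if the bank executes the transfer, False if it is refused."""
    # Constructed sample: what the customer keyed into the browser.
    intended = {"src": "ACCT-CUSTOMER", "dst": "ACCT-PAYEE", "amount_cents": 10000}
    received = dict(intended)
    if browser_tampered:
        # The MitB rewrites the destination before the request leaves the
        # browser while the confirmation screen still shows the original.
        received["dst"] = "ACCT-ALTERED"
    oob = bank_issue_oob(received)      # built from what the bank received
    code = user_verify(intended, oob)   # user compares on the second channel
    return bank_execute(received, code)
```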
==Man-in-the-Mobile==
Man-in-the-mobile (MitMo), mobile phone Trojan spyware,{{cite web|url=http://www.darkreading.com/authentication/167901072/security/application-security/227700141/man-in-the-mobile-attacks-highlight-weaknesses-in-out-of-band-authentication.html|title='Man In The Mobile' Attacks Highlight Weaknesses In Out-Of-Band Authentication|first=Ericka|last=Chickowski|date=2010-10-05|access-date=2012-02-09|archive-date=2012-03-01|archive-url=https://web.archive.org/web/20120301203206/http://www.darkreading.com/authentication/167901072/security/application-security/227700141/man-in-the-mobile-attacks-highlight-weaknesses-in-out-of-band-authentication.html|url-status=dead}} can defeat OOB SMS transaction verification.
- ZitMo (Zeus-In-The-Mobile) is not a MitB Trojan itself (although it performs a similar proxy function on the incoming SMSes), but is mobile malware suggested for installation on a mobile phone by a Zeus-infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on Windows Mobile, Android, Symbian, and BlackBerry.{{cite web|url=http://www.informationweek.com/news/security/mobile/231001685|title=Zeus Banking Trojan Hits Android Phones|first=Mathew J.|last=Schwartz|date=2011-07-13|access-date=2012-02-04|archive-date=2012-07-06|archive-url=https://web.archive.org/web/20120706044256/http://www.informationweek.com/news/security/mobile/231001685|url-status=dead}} ZitMo may be detected by Antivirus running on the mobile device.
- SpitMo (SpyEye-In-The-Mobile, SPITMO) is similar to ZitMo.{{cite web|url=http://www.qadit.com/blog/?p=2130|title=Internet Banking & Mobile Banking users beware – ZITMO & SPITMO is here !!|first=Mahesh|last=Balan|date=2009-10-14|access-date=2012-02-05}}
=Web fraud detection=
Web fraud detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions.{{cite web|url=http://howto.techworld.com/security/3335614/how-protect-online-transactions-with-multi-factor-authentication/|title=How to protect online transactions with multi-factor authentication|first=Julie|last=Sartain|date=2012-02-07|access-date=2012-02-08}}
Related attacks
=Proxy trojans=
=Man-in-the-middle=
{{main|Man-in-the-middle}}
SSL/PKI and similar mechanisms may offer protection against a man-in-the-middle attack, but offer no protection against a man-in-the-browser attack.
=Boy-in-the-browser=
A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.{{cite web|url=http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser|title=Threat Advisory Boy in the Browser|last=Imperva|date=2010-02-14|access-date=2015-03-12}}
=Clickjacking=
{{main|Clickjacking}}
Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.
See also
References
{{Reflist|30em}}
External links
- [http://www.ksyash.com/2012/01/virus-attack-on-hsbc-transactions-with-otp-device/ Virus attack on HSBC Transactions with OTP Device]
- [http://www.ksyash.com/2011/12/virus-attack-on-icici-bank-transactions/ Virus attack on ICICI Bank Transactions]
- [http://www.ksyash.com/2011/12/virus-attack-on-citibank-transactions/ Virus attack on Citibank Transactions]
- [https://www.bbc.co.uk/news/technology-16812064 Hackers outwit online banking identity security systems] BBC Click
- [https://web.archive.org/web/20120120004836/http://www.antisource.com/article.php/zeus-botnet-summary Antisource - ZeuS] A summary of ZeuS as a Trojan and Botnet, plus vector of attacks
- {{YouTube|8QYsO1kgse4|Man-In-The-Browser Video}} Entrust President and CEO Bill Conner
- {{YouTube|CzdBCDPETxk|Zeus: King of crimeware toolkits Video}} The Zeus toolkit, Symantec Security Response
- [http://news.bbc.co.uk/1/hi/programmes/click_online/9692312.stm How safe is online banking? Audio] BBC Click
- {{YouTube|CzdBCDPETxk|Boy-in-the-Browser Cyber Attack Video}} Imperva
{{Malware}}
{{Botnets}}
{{Web browsers}}
Category:Computing terminology
Category:Hacking (computer security)