In recent months I have heard more conversations around Man in the Browser (MitB) type attacks than ever before. As fraudsters gain more sophistication, the number of victims and the actual loss (in many cases money) increase. It has been reported that many online banks in Europe and the US are now threatened by a tremendous increase in this specific type of attack.
Much like a MitM (Man in the Middle) attack, the MitB attack uses a trojan to manipulate the flow of actions between the user and the target application.
The perceived risk and threat associated with the MitB attack may be the highest of all, since most prevention techniques based on reliable authentication, a trusted device or other fingerprint/tattoo methods can be helpless in this scenario. The user successfully authenticates and establishes a valid session, and the trojan then essentially takes control of that session without the user's knowledge.
MitB attacks make transaction-level fraud detection, re-authentication via out-of-band techniques, etc. necessary to prevent the fraud from being committed. While most companies focus on two- (or multi-) factor authentication to combat fraud, MitB attacks render these defense mechanisms practically useless. A recent report by RSA Security suggests that MitB attacks are most prevalent in areas where two-factor authentication is densely deployed.
The RSA Security white paper Making Sense of Man in the Browser: Mitigation Strategies for Emerging Online Threats is a good read discussing in detail with many factual points. You might have to sign up for it, but it’s worth it.

The alarming rate at which malware infections are increasing makes many users vulnerable to this type of threat. Refer to the good example provided in the above white paper (the breach of Paul McCartney's fan page). A user visiting such an infected site unknowingly gets infected by the malware, which may act at a later time.
While researching on this topic, I found this interesting excerpt on the good old Wikipedia, which reads,
The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., and is therefore virtually undetectable to virus scanning software.[2]
In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. An example of a MitB threat is Silentbanker.[3]
One of the most effective methods in combating a MitB attack is through an out-of-band (OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call. OOB Transaction Verification is ideal for mass market use since it leverages devices already in the public domain (e.g. Landline, Cell Phone, etc) and requires no additional hardware devices yet enables Three Factor Authentication (utilising Voice Biometrics), Transaction Signing (to non-repudiation level) and Transaction Verification.
As it suggests, a potential mitigation strategy could look something like this:
- Assess the risk of a particular transaction, regardless of whether the user has successfully authenticated via multiple factors.
- If the assessed risk is high (e.g. the transaction will move money from point A to point B, or the action is irreversible, such as downloading sensitive material), invoke an Out of Band authentication action.
- Verify the transaction using the Out of Band action, and let the user continue.
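As an added illustration of those three steps (example code written for this post, not from the RSA paper, Entrust, or any product; the names Transaction, assess_risk, oob_challenge and process_transfer are assumed), the sketch below shows why the OOB message must echo the details the bank received rather than what the browser displayed: a payee altered by the trojan then shows up in the phone message, and the confirmation code is bound to those details so it cannot be reused for a different transfer.

```python
# Added illustrative example, not code from the original post or any vendor:
# transaction-level risk scoring plus out-of-band (OOB) verification of the
# details as the bank received them, which a MitB trojan cannot rewrite.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    src: str       # customer's account
    dst: str       # destination account as the bank received it
    amount: float  # amount as the bank received it


def assess_risk(tx: Transaction, trusted_payees: set) -> str:
    """Score the transaction itself; that the session is authenticated is irrelevant."""
    if tx.dst in trusted_payees and tx.amount < 1000:
        return "low"
    return "high"  # money moves to a new payee, or a large amount


def oob_challenge(tx: Transaction, key: bytes) -> tuple:
    """Build the message for a channel the browser cannot touch (phone call, SMS).

    It repeats what the bank received, so an altered payee is visible to the
    customer, and the code is an HMAC over those details plus a nonce, so a
    code confirmed for one transaction cannot be replayed for another.
    """
    nonce = secrets.token_hex(4)
    canon = f"{tx.src}|{tx.dst}|{tx.amount:.2f}|{nonce}".encode()
    code = hmac.new(key, canon, hashlib.sha256).hexdigest()[:6]
    msg = f"Send {tx.amount:.2f} from {tx.src} to {tx.dst}? Reply {code} to confirm."
    return msg, code


def process_transfer(intended: Transaction, received: Transaction,
                     trusted_payees: set, key: bytes) -> str:
    """Simulate one transfer: `intended` is what the customer keyed in and saw on
    the confirmation screen, `received` is what the bank actually got (possibly
    altered in transit by a MitB trojan)."""
    if assess_risk(received, trusted_payees) == "low":
        return "executed"
    _msg, code = oob_challenge(received, key)
    # Constructed customer behaviour: compare the OOB message with what was
    # entered and reply with the code only if the details match.
    matches = (received.dst, received.amount) == (intended.dst, intended.amount)
    reply = code if matches else ""
    if hmac.compare_digest(code, reply):
        return "executed after OOB verification"
    return "rejected: OOB verification failed"
```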
Here is another good read, published by Entrust: Defeating Man-in-the-Browser: How to Prevent the Latest Malware Attacks against Consumer & Corporate Banking