You may have heard of Man in the Middle attacks (MitM). A Man in the Middle attack is just that: a third party sits between two parties and relays the messages sent between them. Being the Man in the Middle, the attacker can not only view the messages being sent and received but also alter them.
A sub-type of MitM attacks is the Man in the Browser attack (MitB). A MitB attack is similar to a MitM attack, but the MitB attack is restricted to your web browser rather than being system wide. However, that doesn’t make it any safer.
In a MitB attack, the attacker sits between a user’s web browser and the destination servers. Like in a MitM attack, the attacker can view the messages exchanged between the browser and the destination servers and modify those messages. It’s a very serious attack that’s typically used for banking and credit card fraud.
In this article, we’re going to explain how MitB attacks work and how you can defend against them. We’re also going to be providing MitB attack examples along the way.
What is a Man in the Browser (MitB) attack?
One of the biggest differences between a MitM attack and a MitB attack is that the latter takes place at the application layer (intercepting and altering browser content) instead of the network layer (intercepting and modifying data packets in transit). That means that the attack can succeed regardless of whether or not the site you’re viewing is secured with SSL (HTTPS).
The first step to performing a MitB attack is to infect the target computer with malware. The target computer must be pre-infected with malware before the MitB attack can be carried out. This will typically be a Trojan Horse. Once the target system has been successfully infected, the trojan will modify the user’s browser, usually in one of two ways:
- By running a malicious script that configures the victim’s web browser to use a proxy server controlled by the attacker.
- By installing a compromised web browser extension controlled by the attacker.
In either case, this provides the attacker with the ability to view the messages being sent and received by the infected browser and to alter them.
The user will not receive any hints that something’s amiss. The URL at the top of the browser will be correct, so inspecting it won’t prevent the attack and, if enabled, the browser’s “malicious site” warnings won’t be triggered. The web page will appear completely legitimate even though it’s just been tampered with by the attacker.
Social engineering is the attack vector
As with many, if not most, online attacks, social engineering is where it all begins. When your computer is infected with a MitB trojan, the entry point will typically have been some form of social engineering. A fake Facebook post, a spam email with a malicious link or attachment, a dodgy pop-up window, etc.
The internet is a hostile place. Don’t be too trusting – there’s no shortage of those waiting to abuse your trust online. Treat the internet like one big misleading infomercial and always look at the fine print.
We’ll provide some advice on avoiding trojans towards the end of this article.
Man in the Browser attack example
A successful MitB attack can control the victim’s browser as follows:
- Add new columns/fields on the website or modify the existing fields.
- Change the appearance of the website.
- Alter the victim’s form input (checkout pages, login forms, etc).
- Intercept the data transmitted by the user to the website and vice versa.
- Modify the servers’ responses, things like confirmation messages and receipts.
- Remove traces of the fraudulent transaction when the user subsequently visits the site.
A successful MitB attack could also hijack your session (steal your cookies to bypass logins) or perform a replay attack.
Man in the Browser attack flow
Here’s what a common MitB attack can look like:
- The victim’s computer is infected with a MitB trojan through some form of social engineering/phishing (fake Facebook post, spam email with a bogus link or attachment, etc.).
- The Trojan Horse proceeds to modify the victim’s browser using one of the methods above (browser extension/proxy server).
- The victim logs into their banking website to transfer some funds to their mother’s account.
- The attacker can see everything being sent and received by the victim’s browser.
- The victim enters all the information required to transfer the funds and confirms the transfer.
- As the victim’s request is being transmitted to the bank, it is intercepted and modified by the attacker to transfer the funds to an account controlled by the attacker rather than the victim’s mother’s account.
- The attacker sends the victim a legitimate-looking confirmation page stating that the requested transfer was successful.
It could take days for the victim to realize that the funds were not transferred to the intended account. And when they do, they may not immediately suspect that the issue is with their browser. And the bank will state that they received a request for the funds to be transferred to the attacker’s account. And they’ll be telling the truth. By this point, the account will likely be closed, and the entity behind it will be impossible to track down and will probably not have been a real person to begin with.
The above is just an example. MitB attacks don’t follow a fixed playbook, other than being nasty attacks that tend to target your financial information. In the above example, the attacker could have inserted a new text field for additional personal information to be entered on the banking website to harvest that information to perpetrate another attack at a later date.
Almost anything goes…
Real-world examples of MitB trojans
Clampi is a known Man in the Browser banking trojan. It was designed to harvest and transmit personal information – more precisely, banking information – from the victim’s computer to a server controlled by the attacker. This strain of trojan specifically targeted Windows computers and was first observed in 2007.
The SpyEye trojan affects Google Chrome, Opera, Internet Explorer, and Firefox on Windows systems. Aside from providing the attacker with access to the compromised computer, the trojan also works as a keylogger. A keylogger records a computer user’s keystrokes to obtain credentials and sensitive information like credit card numbers.
The SpyEye trojan can insert new text fields into the web page the victim is viewing and can also modify legitimate text fields on the web page. This enables the trojan to prompt a user for sensitive information and make away with passwords, usernames, bank account, and credit card numbers. SpyEye can even display a user’s fake balance while hiding the fraudulent transactions from them.
The SpyEye trojan originated from Russia in 2009, when it was sold on the Dark Web at prices exceeding $500.
First discovered in the wild in 2009, the Carberp trojan was designed to target Facebook. Carberp can check the status of your internet connection, connect to remote sites over the internet, download other malware, and run files. Pretty nasty.
If a user with an infected web browser accessed Facebook, it would replace any page visited by the victim with a page stating the victim’s Facebook account had been temporarily locked. It further asked for the user’s name, date of birth, email address and password, and 20 euros to confirm their identity and unlock the account.
On the plus side, we know where this trojan gets installed, so you can always check to see if you’ve been infected:
- /ProgramFiles\NVIDIA Corporation\Updates
- /ProgramFiles\NVIDIA Corporation\Update Center
The Zeus trojan, also known as ZeuS and Zbot, infects computers running Microsoft Windows. Like SpyEye, Zeus’ endgame is to harvest financial information through keylogging and form grabbing.
The Zeus trojan typically spreads through drive-by downloads and social engineering/phishing. A drive-by download is a download that unknowingly occurs when downloading something else. A good example of this is Google Chrome being automatically installed when you install another program, such as CCleaner, on Windows computers. In Chrome’s case, the drive-by download is innocuous, but it can just as easily be malware.
Zeus was first discovered in July 2007 when it was found to have infected the United States Department of Transportation. By 2009, Zeus had been found to have infected organizations such as Bank of America, Amazon, NASA, and Oracle.
How to detect a MitB attack?
One of the nastier aspects of a Man in the Browser attack is that it’s almost impossible to detect. When you fall victim to a MitB attack, there are no new processes to detect or funky URLs you can inspect. Everything appears to be as it should.
However, there are still a few subtle giveaways that can sound the alarm. These hints aren’t exclusive to MitB attacks and could be the symptom of something different. Either way, it’s still worth keeping an eye out for the following:
- You notice extra or missing web page elements
- You receive a login notification from a device you don’t recognize
- You’re suddenly logged out of your account
- Your antivirus detects malware on your computer
How to prevent Man in the Browser attacks?
I’m afraid there isn’t much we can do to protect against MitB attacks. But that doesn’t mean you can’t do anything about it. It’s just that what you can do is relatively benign.
Here’s a shortlist of what organizations and individuals can do to mitigate MitB attacks.
User account management
To minimize opportunities for MitB attacks, organizations should implement strict user account permissions to prevent privilege escalation. This will limit the damage if a MitB attack is successful.
Organizations should provide basic online security training to their staff, covering topics like social engineering and how to detect a compromised computer, among other things.
Check common Trojan storage locations
Many MitB Trojans reside in the same location on your computer. Check the following directories for any unknown applications. If you find anything unfamiliar, look it up on the internet and scan it with antivirus software.
The locations you should check are:
- C:/Program File
- C:/Program Files (x86)
Don’t leave your web browser open
You should close your browser when you’re done using it. Because the MitB attack is contained in your web browser, closing the browser interrupts the attack. It may be crude, but it works – even if its usefulness is limited.
Better to avoid trojans altogether…
As you can see, the above measures are very much limited in scope. Your best bet is to avoid Trojans in the first place. I’d recommend reading our dedicated article on Trojan Horse malware for more information. But here are the main takeaways from that article on how to avoid Trojans.
While nothing is 100%, these common-sense tips should help.
- Install an antivirus and configure it to run scans at regular intervals. Many antivirus products can detect MitB trojans.
- Use a firewall: All major operating systems have a built-in incoming firewall, and all commercial routers on the market have a built-in NAT firewall. Make sure you enable them.
- Never click on pop-ups.
- If your browser displays a warning about a website you are trying to access, you should pay attention and get the information you need elsewhere.
- Never download pirated software – free products may sound enticing but remember that those who upload them are often looking to make money, either by compromising your system themselves or selling your information to other web crooks.
- Only buy well-reviewed and genuine security software from legitimate vendors.
- Only open email attachments if you trust the sender and you’re sure that you can verify their identity – viruses do come in the mail, and that’s why it’s always a good idea to scan all your incoming mail with an antivirus program.
- Keep your programs up to date. Malware and viruses typically try and exploit security flaws found in outdated software.
- Make regular backups of your computer.
- If you receive an email asking for information while claiming to be from an official organization with which you have a relationship, read it very carefully before doing anything. Does it have spelling and grammar mistakes? Does it have an air of urgency? These are classic signs of a phishing attempt. And remember that your bank or the government will never ask you to send them sensitive information by email.
- Don’t click links (URLs) in emails unless you know exactly who sent the URL and where it links to. And even then, scrutinize the link. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain spelling errors (gooogle instead of google)? If you can get to the destination without using the link, do that instead.
So that’s the lowdown on Man in the Browser attacks. They’re difficult to detect and to defend against. Your best bet is vigilance and a healthy degree of suspicion when online. That can be hard to do when you’re a trustworthy person. But on the internet, suspicion is warranted. You can at least trust that.
Stay safe (online).