Man in the Browser
Encyclopedia
Man-in-the-Browser a form of Internet threat
related to Man-in-the-Middle (MitM), is a trojan
that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack
will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter a MitB attack is by utilising transaction verification
. A related attack that is simpler and quicker for malware authors to set up is termed Boy-in-the-Browser (BitB).
The Man-in-the-Browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "O futuro dos backdoors - o pior dos mundos" ("The future of backdoors - worst of all worlds"). It was named as MitB by Philipp Gühring in a white paper "Concepts against Man-in-the-Browser Attacks", 27 January 2007.
The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., and is therefore virtually undetectable to virus scanning software.
In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. An example of a MitB threat is Silentbanker.
One of the most effective methods in combating a MitB attack is through an out-of-band
(OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call. OOB Transaction Verification is ideal for mass market use since it leverages devices already in the public domain (e.g. Landline, Cell Phone, etc) and requires no additional hardware devices yet enables Three Factor Authentication (utilising Voice Biometrics), Transaction Signing (to non-repudiation level) and Transaction Verification. The downside, of course, is that the OOB Transaction Verification adds to the level of the end user's frustration with more and slower steps.
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
related to Man-in-the-Middle (MitM), is a trojan
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack
Attack (computer)
In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter a MitB attack is by utilising transaction verification
Transaction verification
Transaction verification is the generic term to describe the Internet-based security method of verifying that the actual content of a transaction has not been altered by the fraudulent techniques known as Man-in-the-Middle and Man-in-the-Browser . This form of transaction protection is...
. A related attack that is simpler and quicker for malware authors to set up is termed Boy-in-the-Browser (BitB).
The Man-in-the-Browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "O futuro dos backdoors - o pior dos mundos" ("The future of backdoors - worst of all worlds"). It was named as MitB by Philipp Gühring in a white paper "Concepts against Man-in-the-Browser Attacks", 27 January 2007.
The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., and is therefore virtually undetectable to virus scanning software.
In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. An example of a MitB threat is Silentbanker.
One of the most effective methods in combating a MitB attack is through an out-of-band
Out-of-band
The term out-of-band has different uses in communications and telecommunication. In case of out-of-band control signaling, signaling bits are sent in special order in a dedicated signaling frame...
(OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call. OOB Transaction Verification is ideal for mass market use since it leverages devices already in the public domain (e.g. Landline, Cell Phone, etc) and requires no additional hardware devices yet enables Three Factor Authentication (utilising Voice Biometrics), Transaction Signing (to non-repudiation level) and Transaction Verification. The downside, of course, is that the OOB Transaction Verification adds to the level of the end user's frustration with more and slower steps.
External links
See also
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- TorpigTorpigTorpig, also known as Sinowal or Anserin , is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows...