Man in the Browser

Man-in-the-Browser (MitB), a form of Internet threat related to Man-in-the-Middle (MitM), is a trojan that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter a MitB attack is by utilising transaction verification. A related attack that is simpler and quicker for malware authors to set up is termed Boy-in-the-Browser (BitB).^[1]

The Man-in-the-Browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "O futuro dos backdoors - o pior dos mundos" ("The future of backdoors - worst of all worlds").^[2] It was named as MitB by Philipp Gühring in a white paper "Concepts against Man-in-the-Browser Attacks", 27 January 2007.

The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities such as Browser helper Objects, Extensions and User scripts etc., and is therefore virtually undetectable to virus scanning software.^[3]

In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. An example of a MitB threat is Silentbanker.^[4]

One of the most effective methods in combating a MitB attack is through an out-of-band (OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call. OOB Transaction Verification is ideal for mass market use since it leverages devices already in the public domain (e.g. Landline, Cell Phone, etc) and requires no additional hardware devices yet enables Three Factor Authentication (utilising Voice Biometrics), Transaction Signing (to non-repudiation level) and Transaction Verification. The downside, of course, is that the OOB Transaction Verification adds to the level of the end user's frustration with more and slower steps.

External links

• MitM, MitB y Phishing, las principales amenazas en internet

References

1. ^ Koziol, Jack (15 March, 2011). "Imperva’s Amichai Shulman Discusses the Boy in the Browser Attack". http://resources.infosecinstitute.org/imperva’s-amichai-shulman-discusses-the-boy-in-the-browser-attack/. Retrieved 2011-03-15. 
2. ^ Paes de Barros, Augusto (15 September, 2005). "O futuro dos backdoors - o pior dos mundos" (in Portuguese)). Sao Paulo, Brazil: Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança - CNASI. http://www.paesdebarros.com.br/backdoors.pdf. Retrieved 2009-06-12. 
3. ^ Gühring, Philipp (27 January, 2007). "Concepts against Man-in-the-Browser Attacks". http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf. Retrieved 2008-07-30. 
4. ^ Symantec Marc Fossi (2008-01-23). "Banking with Confidence". http://www.symantec.com/connect/blogs/banking-confidence. Retrieved 2008-07-30. 

See also

Computer security portal

• Attack (computer)
• IT risk
• Threat (computer)
• Torpig