Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two or three-factor Authentication solutions are in place. A MitB attack may be countered by utilising out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software with a 23% success rate against Zeus in 2009, and still low rates in 2011. The 2011 report concluded that additional measures on top of antivirus were needed. A related, more simple attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking. For online banking, using portable applications or using alternatives to Microsoft Windows and Mac OS X like Linux, Chrome OS or mobile OSes may be the safest, especially when run from non-installed media.
The man-in-the-browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds". The name man-in-the-browser was coined by Philipp Gühring on 27 January 2007.
A MitB Trojan works by utilising common facilities provided to enhance browser capabilities such as Browser Helper Objects (a feature limited to Internet Explorer), browser extensions and user scripts (for example in JavaScript) etc. Antivirus software can detect some of these methods.
In a nutshell example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.
Examples of MitB threats on different operating systems and web browsers:
| Name | Details | Operating system | Browser |
|---|---|---|---|
| Agent.DBJP | Windows | IE, Firefox | |
| Bugat | Windows | IE, Firefox | |
| Carberp | targets Facebook users redeeming e-cash vouchers | Windows | IE, Firefox |
| ChromeInject* | Greasemonkey impersonator | Windows | Firefox |
| Clampi | Windows | IE | |
| Gozi | Windows | IE, Firefox | |
| Nuklus | Windows | IE | |
| OddJob | keeps bank session open | Windows | IE, Firefox |
| Silentbanker | Windows | IE, Firefox | |
| Silon | Windows | IE | |
| SpyEye | successor of Zeus, widespread, low detection | Windows | IE, Firefox |
| Sunspot | widespread, low detection | Windows | IE, Firefox |
| Tatanga | Windows | IE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, Konqueror | |
| Torpig** | Windows | IE, Firefox | |
| URLZone**** | Windows | IE, Firefox, Opera | |
| Weyland-Yutani BOT | crimeware kit similar to Zeus, not widespread | Mac OS X | Firefox |
| Yaludle | Windows | IE | |
| Zeus*** | widespread, low detection | Windows | IE, Firefox |
| Key | Windows: IE | Windows: IE & Firefox or Firefox | Windows: other | Mac OS X: any |
| *ChromeInject aka ChromeInject.A, ChromeInject.B, Banker.IVX, Inject.NBT, Bancos-BEX, Drop.Small.abw | ||||
| **Torpig aka Sinowal, Anserin | ||||
| ***Zeus aka ZeuS, Zbot, Wsnpoem, NTOS, PRG, Kneber, Gorhax | ||||
| ****URLZone aka Bebloh!IK, Runner.82176, Monder, ANBR, Sipay.IU, Runner.fq, PWS.y!cy, Zbot.gen20, Runner.J, BredoPk-B, Runner.EQ | ||||
A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example an automated telephone call, SMS, or a dedicated mobile app with graphical cryptogram. OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices yet enables three-factor authentication (utilising voice biometrics), transaction signing (to non-repudiation level) and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps.
Mobile phone mobile Trojan spyware man-in-the-mobile (MitMo) can defeat OOB SMS transaction verification.
Web Fraud Detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions.
Known Trojans may be detected, blocked and removed by antivirus software. In a 2009 study, the effectiveness of antivirus against Zeus was 23%, and again low success rates were reported in a separate test in 2011. The 2011 report concluded that additional measures on top of antivirus were needed.
Keyloggers are the most primitive form of proxy Trojans, followed by browser-session recorders which capture more data, and lastly MitBs are the most sophisticated type.
SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offers no protection in a man-in-the-browser attack.
A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the clients computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.
Clickjacking tricks a web browser user into clicking on something different to what the user perceives, by means of malicious code in the webpage.
|
||||||||||||||||||||
|
||||||||
HOT DESIGNS ▪ Premium designs ▪ Designs by country ▪ Designs by U.S. state ▪ Most popular designs ▪ Newest, last added designs ▪ Unique designs ▪ Cheap, budget designs ▪ Design super sale DESIGNS BY THEME ▪ Accounting, audit designs ▪ Adult, sex designs ▪ African designs ▪ American, U.S. designs ▪ Animals, birds, pets designs ▪ Agricultural, farming designs ▪ Architecture, building designs ▪ Army, navy, military designs ▪ Audio & video designs ▪ Automobiles, car designs ▪ Books, e-book designs ▪ Beauty salon, SPA designs ▪ Black, dark designs ▪ Business, corporate designs ▪ Charity, donation designs ▪ Cinema, movie, film designs ▪ Computer, hardware designs ▪ Celebrity, star fan designs ▪ Children, family designs ▪ Christmas, New Year's designs ▪ Green, St. Patrick designs ▪ Dating, matchmaking designs ▪ Design studio, creative designs ▪ Educational, student designs ▪ Electronics designs ▪ Entertainment, fun designs ▪ Fashion, wear designs ▪ Finance, financial designs ▪ Fishing & hunting designs ▪ Flowers, floral shop designs ▪ Food, nutrition designs ▪ Football, soccer designs ▪ Gambling, casino designs ▪ Games, gaming designs ▪ Gifts, gift designs ▪ Halloween, carnival designs ▪ Hotel, resort designs ▪ Industry, industrial designs ▪ Insurance, insurer designs ▪ Interior, furniture designs ▪ International designs ▪ Internet technology designs ▪ Jewelry, jewellery designs ▪ Job & employment designs ▪ Landscaping, garden designs ▪ Law, juridical, legal designs ▪ Love, romantic designs ▪ Marketing designs ▪ Media, radio, TV designs ▪ Medicine, health care designs ▪ Mortgage, loan designs ▪ Music, musical designs ▪ Night club, dancing designs ▪ Photography, photo designs ▪ Personal, individual designs ▪ Politics, political designs ▪ Real estate, realty designs ▪ Religious, church designs ▪ Restaurant, cafe designs ▪ Retirement, pension designs ▪ Science, scientific designs ▪ Sea, ocean, river designs ▪ Security, protection designs ▪ Social, cultural designs ▪ Spirit, meditational designs ▪ Software designs ▪ Sports, sporting designs ▪ Telecommunication designs ▪ Travel, vacation designs ▪ Transport, logistic designs ▪ Web hosting designs ▪ Wedding, marriage designs ▪ White, light designs E-COMMERCE DESIGNS ▪ Magento store designs ▪ OpenCart store designs ▪ PrestaShop store designs ▪ CRE Loaded store designs ▪ Jigoshop store designs ▪ VirtueMart store designs ▪ osCommerce store designs ▪ Zen Cart store designs CMS DESIGNS ▪ Flash CMS designs ▪ Joomla CMS designs ▪ Mambo CMS designs ▪ Drupal CMS designs ▪ WordPress blog designs ▪ Forum designs ▪ phpBB forum designs ▪ PHP-Nuke portal designs ANIMATED WEBSITE DESIGNS ▪ Flash CMS designs ▪ Silverlight animated designs ▪ Silverlight intro designs ▪ Flash animated designs ▪ Flash intro designs ▪ XML Flash designs ▪ Flash 8 animated designs ▪ Dynamic Flash designs ▪ Flash animated photo albums ▪ Dynamic Swish designs ▪ Swish animated designs ▪ jQuery animated designs WEBSITE DESIGNS ▪ WebMatrix Razor designs ▪ HTML 5 designs ▪ Web 2.0 designs ▪ 3-color variation designs ▪ 3D, three-dimensional designs ▪ Artwork, illustrated designs ▪ Clean, simple designs ▪ CSS based website designs ▪ Full design packages ▪ Full ready websites ▪ Portal designs ▪ Stretched, full screen designs ▪ Universal, neutral designs CORPORATE ID DESIGNS ▪ Corporate identity sets ▪ Logo layouts, logo designs ▪ Logotype sets, logo packs ▪ PowerPoint, PTT designs ▪ Facebook themes VIDEO, SOUND & MUSIC ▪ Video e-cards ▪ After Effects video intros ▪ Special video effects ▪ Music tracks, music loops ▪ Stock music bank GRAPHICS & CLIPART ▪ Pro clipart & illustrations, $19/year ▪ 5,000+ icons by subscription ▪ Icons, pictograms |
| Super Offers |
| Super Offers |
| Custom Logo Design $149 ▪ Web Programming ▪ ID Card Printing ▪ Best Web Hosting ▪ eCommerce Software ▪ Add Your Link |
| © 1996-2013 MAGIA Internet Studio ▪ About ▪ Portfolio ▪ Photo on Demand ▪ Hosting ▪ Advertise ▪ Sitemap ▪ Privacy ▪ Maria Online
|
