Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet

threat A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation f ...

related to man-in-the-middle (MITM), is a proxy

Trojan horse In Greek mythology, the Trojan Horse () was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer, Homer's ''Iliad'', with the poem ending ...

that infects a

web browser A web browser, often shortened to browser, is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's scr ...

by taking advantage of vulnerabilities in browser security to modify

web pages A web page (or webpage) is a World Wide Web, Web document that is accessed in a web browser. A website typically consists of many web pages hyperlink, linked together under a common domain name. The term "web page" is therefore a metaphor of pap ...

, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host

web application A web application (or web app) is application software that is created with web technologies and runs via a web browser. Web applications emerged during the late 1990s and allowed for the server to dynamically build a response to the request, ...

. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/ PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using

out-of-band In telecommunications, out-of-band activity is activity outside a defined frequency band, or, metaphorically, outside of any primary communication channel. Protection from falsing is among its purposes. Examples General usage * Out-of-band agr ...

transaction verification, although

SMS Short Message Service, commonly abbreviated as SMS, is a text messaging service component of most telephone, Internet and mobile device systems. It uses standardized communication protocols that let mobile phones exchange short text messages, t ...

verification can be defeated by man-in-the-mobile (MitMo)

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

infection on the

mobile phone A mobile phone or cell phone is a portable telephone that allows users to make and receive calls over a radio frequency link while moving within a designated telephone service area, unlike fixed-location phones ( landline phones). This rad ...

. Trojans may be detected and removed by antivirus software, but a 2011 report concluded that additional measures on top of antivirus software were needed. A related, simpler attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a 2014 survey considered MitB to be the greatest threat to

online banking Online banking, also known as internet banking, virtual banking, web banking or home banking, is a system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institut ...

Description

The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds." The name "man-in-the-browser" was coined by Philipp Gühring on 27 January 2007. A MitB Trojan works by using common facilities provided to enhance browser capabilities such as

Browser Helper Object A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BH ...

s (a feature limited to

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated as IE or MSIE) is a deprecation, retired series of graphical user interface, graphical web browsers developed by Microsoft that were u ...

browser extension A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and st ...

s and user scripts (for example in

JavaScript JavaScript (), often abbreviated as JS, is a programming language and core technology of the World Wide Web, alongside HTML and CSS. Ninety-nine percent of websites use JavaScript on the client side for webpage behavior. Web browsers have ...

Antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...

can detect some of these methods. In a nutshell example exchange between user and host, such as an

Internet banking Online banking, also known as internet banking, virtual banking, web banking or home banking, is a system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institut ...

funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.

Examples

Examples of MitB threats on different

operating system An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...

s and

Protection

Antivirus Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...

Known Trojans may be detected, blocked, and removed by antivirus software. In a 2009 study, the effectiveness of antivirus against Zeus was 23%, and again low success rates were reported in a separate test in 2011. The 2011 report concluded that additional measures on top of antivirus were needed.

Hardened software

* Browser security software: MitB attacks may be blocked by in-browser security software such as Cymatic.io, Trusteer Rapport for

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

and

Mac OS X macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...

, which blocks the APIs from browser extensions and controls communication. * Alternative software: Reducing or eliminating the risk of malware infection by using

portable application A portable application (portable app), sometimes also called standalone software, is a computer program designed to operate without changing other files or requiring other software to be installed. In this way, it can be easily added to, run, ...

s or using alternatives to

Linux Linux ( ) is a family of open source Unix-like operating systems based on the Linux kernel, an kernel (operating system), operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically package manager, pac ...

, or mobile OSes Android,

iOS Ios, Io or Nio (, ; ; locally Nios, Νιός) is a Greek island in the Cyclades group in the Aegean Sea. Ios is a hilly island with cliffs down to the sea on most sides. It is situated halfway between Naxos and Santorini. It is about long an ...

ChromeOS ChromeOS, sometimes styled as chromeOS and formerly styled as Chrome OS, is an operating system designed and developed by Google. It is derived from the open-source operating system and uses the Google Chrome web browser as its principal user ...

Windows Mobile Windows Mobile is a discontinued mobile operating system developed by Microsoft for smartphones and personal digital assistants (PDA). Designed to be the portable equivalent of the Windows desktop OS in the emerging Mobile device, mobile/port ...

Symbian Symbian is a discontinued mobile operating system (OS) and computing platform designed for smartphones. It was originally developed as a proprietary software OS for personal digital assistants in 1998 by the Symbian Ltd. consortium. Symbian OS ...

, etc., and/or browsers Chrome or

Opera Opera is a form of History of theatre#European theatre, Western theatre in which music is a fundamental component and dramatic roles are taken by Singing, singers. Such a "work" (the literal translation of the Italian word "opera") is typically ...

. Further protection can be achieved by running this alternative OS, like Linux, from a non-installed

live CD A live CD (also live DVD, live disc, or live operating system) is a complete booting, bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than lo ...

, or

Live USB A live USB is a portable USB-attached external data storage device containing a full operating system that can be booted from. The term is reminiscent of USB flash drives but may encompass an external hard disk drive or solid-state drive, thou ...

. * Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution. In this case, MitB attacks are avoided, as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine.

Out-of-band transaction verification

A theoretically effective method of combating any MitB attack is through an

(OOB) transaction verification process. This overcomes the MitB trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example, an automated telephone call,

, or a dedicated

mobile app A mobile application or app is a computer program or software application designed to run on a mobile device such as a smartphone, phone, tablet computer, tablet, or smartwatch, watch. Mobile applications often stand in contrast to desktop appli ...

with graphical cryptogram. OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g.

landline A landline is a physical telephone connection that uses metal wires or optical fiber from the subscriber's premises to the network, allowing multiple phones to operate simultaneously on the same phone number. It is also referred to as plain old ...

, etc.) and requires no additional hardware devices, yet enables three-factor authentication (using voice

biometrics Biometrics are body measurements and calculations related to human characteristics and features. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used t ...

), transaction signing (to non-repudiation level), and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps.

Man-in-the-Mobile

Mobile phone A mobile phone or cell phone is a portable telephone that allows users to make and receive calls over a radio frequency link while moving within a designated telephone service area, unlike fixed-location phones ( landline phones). This rad ...

mobile Trojan spyware man-in-the-mobile (MitMo) can defeat OOB SMS transaction verification. * ZitMo (Zeus-In-The-Mobile) is not a MitB Trojan itself (although it performs a similar proxy function on the incoming SMSes), but is mobile

suggested for installation on a mobile phone by a Zeus-infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on

, Android,

, and

BlackBerry BlackBerry is a discontinued brand of handheld devices and related mobile services, originally developed and maintained by the Canadian company Research In Motion (RIM, later known as BlackBerry Limited) until 2016. The first BlackBerry device ...

. ZitMo may be detected by Antivirus running on the mobile device. * SpitMo (SpyEye-In-The-Mobile, SPITMO) is similar to ZitMo.

Web fraud detection

Web fraud detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions. TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 126011017202752:error:1000012e:SSL routines:OPENSSL_internal:KEY_USAGE_BIT_INCORRECT:third_party/openssl/boringssl/src/ssl/ssl_cert.cc:431:

Related attacks

Proxy trojans

Keyloggers are the most primitive form of proxy trojans, followed by browser-session recorders that capture more data, and lastly MitBs are the most sophisticated type.

Man-in-the-middle

SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offers no protection in a man-in-the-browser attack.

Boy-in-the-browser

A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.

Clickjacking

Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.

References

External links

Virus attack on HSBC Transactions with OTP Device

Virus attack on ICICI Bank Transactions

Virus attack on Citibank Transactions

Hackers outwit online banking identity security systems
BBC Click
Antisource - ZeuS
A summary of ZeuS as a Trojan and Botnet, plus vector of attacks * Entrust President and CEO Bill Conner * The Zeus toolkit, Symantec Security Response
How safe is online banking? Audio
BBC Click * Imperva {{Web browsers Computing culture Computing terminology Hacking (computer security) Social engineering (security) Trojan horses Web security exploits