The Man-In-The-Browser: It Hungers For Your Online Credentials


Imagine you’re trying to log into your online banking account. Rather than being taken to the page you requested after entering your user ID and password, an additional form appears asking for your debit card number, social security number, driver’s license number, and other personal information. You check the URL, and it is your bank’s; the padlock and certificate check out too.

If you entered that information, you have very likely become a victim of a man-in-the-browser attack, and the stolen data is only the start of the problem. In this case your PC, not the bank’s website, has been compromised by malware, and everything the browser shows you is suspect from then on.

What is a man-in-the-browser attack?
Man-in-the-browser attacks can be highly effective and difficult to detect, especially if you aren’t aware of what they can do. It’s important to understand these stealth attacks and to take steps to protect your computer, and the personal information on it, from criminals.

Part of what makes the attack so effective is how simple it is. Of the security threats you can encounter online, the man-in-the-browser attack is among the most dangerous, because it co-opts your own Web browser to steal confidential information such as passwords, security codes, and credit card numbers.

Like most attacks, man-in-the-browser begins with a malware infection. The malware injects itself into the Web browser process, hooks the functions that fetch and render pages, and waits in stealth mode until the user visits a specific Website. At that point it kicks into action, tricking the user into entering sensitive information and capturing everything typed into the page. Because it sits inside the browser, it sees the page after TLS decryption and before rendering, so the URL, padlock and certificate all look right. The lesson is that no amount of scrutinising URLs helps here: the Web browser itself can no longer be trusted.

How man-in-the-browser infects a Web browser
The initial infection can happen in a number of ways, such as tricking the user into clicking on a link, luring them to a malicious site that triggers a drive-by download, or getting them to open a malicious attachment.

Once installed, the malware lies dormant, waiting for a specific Website to load in the browser, such as an email account, online banking or, in recent weeks, a Bitcoin-related site. Each malware family carries its own list of targets; for Zeus and SpyEye the target list and the page modifications (the “web injects”) come from a configuration file the bot downloads rather than being hard-coded, so criminals can retarget an infected machine without replacing the malware. Those two generally target banking sites, but other families target social networking sites.

When the malware is activated, it may manipulate the page as it loads, injecting extra fields to collect sensitive information, or simply act as a keylogger to intercept whatever is typed. It can go a step further and modify the data the site shows you, for instance altering the displayed account balance or removing a fraudulent transfer from the transaction list, so that you don’t notice your money has been stolen. Whenever you visit the banking site, everything looks fine.
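To make the injection step concrete, here is an added example that is not part of the original post or any vendor’s code: a simplified web-inject engine modelled on the configuration format banking trojans such as Zeus use (a target URL mask plus data_before / data_inject / data_after anchors), applied to a constructed login page, together with the check a bank’s page-integrity script or a curious user could run to spot the added fields. The bank domain, the page markup and the rule are invented for the example.

```javascript
// Added example (not from the ZoneAlarm post): a simplified web-inject
// engine in the style of banking-trojan configs such as Zeus, which match a
// target URL and splice attacker HTML right after a "data_before" anchor.
// The rule, the bank domain and the page HTML below are all constructed.
'use strict';

// Constructed sample login page as the bank's server actually sends it.
const ORIGINAL_PAGE = `
<form id="login" action="/login" method="post">
  <input type="text" name="userid">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>`;

// Constructed inject rule: URL mask plus the markup to add.
const INJECT_RULE = {
  set_url: 'https://www.example-bank.test/login*',   // hypothetical target
  data_before: '<input type="password" name="password">',
  data_inject: '\n  <input type="text" name="ssn" placeholder="Social Security Number">' +
               '\n  <input type="text" name="card" placeholder="Debit card number">',
  data_after: '',
};

// Glob-style URL mask match; only '*' is supported, as in typical configs.
function urlMatches(mask, url) {
  const parts = mask.split('*').map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(url);
}

// Apply the rule the way the malware does: after TLS decryption and before
// the browser renders, splice the extra fields in behind the anchor text.
function applyInject(url, html, rule) {
  if (!urlMatches(rule.set_url, url)) return html;
  const idx = html.indexOf(rule.data_before);
  if (idx < 0) return html;                 // anchor not present: leave page alone
  const cut = idx + rule.data_before.length;
  return html.slice(0, cut) + rule.data_inject + html.slice(cut);
}

// Extract input field names from the markup (a regex is enough for this page).
function inputNames(html) {
  return [...html.matchAll(/<input[^>]*\bname="([^"]+)"/g)].map(m => m[1]);
}

// Detection: compare what is about to be rendered against the field set the
// bank's page is known to carry. Anything extra is a red flag.
function unexpectedFields(html, expectedNames) {
  const allowed = new Set(expectedNames);
  return inputNames(html).filter(n => !allowed.has(n));
}

const LOGIN_URL = 'https://www.example-bank.test/login?lang=en';
const TAMPERED_PAGE = applyInject(LOGIN_URL, ORIGINAL_PAGE, INJECT_RULE);
// unexpectedFields(TAMPERED_PAGE, ['userid', 'password']) -> ['ssn', 'card']
```

Run it with node. The detection half is the weaker part: the same malware that injects fields can also hook or strip a client-side integrity script, which is why the advice later in the post is to treat unexpected fields as a warning sign rather than to rely on the browser to police itself.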

Man-in-the-browser attacks have become popular in recent years because attackers can target a large group of victims without knowing much about them, or even being in the same geographic area. They have also succeeded in bypassing many of the two-factor-authentication mechanisms that financial institutions, especially in Europe, have implemented for better account security. A one-time code proves that the account holder is present; it does not prove what the account holder is approving. So the malware lets the user log in and pass the second factor, then alters the recipient and amount of the transfer before the request leaves the browser, and rewrites the confirmation page so the user sees the transfer they intended.

Protecting against man-in-the-browser attacks
Keep your software, especially the Web browser and operating system, patched and on the current version; many infections rely on users running vulnerable versions. Also make sure security software is installed, up to date and running. It can detect an infection and remove it before the malware causes any damage.

Be alert when online. If you’re asked to fill in more fields on a form than usual, to enter information your bank or other sites normally don’t ask for (especially under the guise of a “new security feature”), or to enter your password more often than before, treat it as a red flag.

Browser plugins such as HTTPS Everywhere or ForceTLS ensure you are on an encrypted connection whenever the site offers one, which protects against eavesdropping on the network. They are not a defence against man-in-the-browser, however: the malware operates inside the browser, after the TLS layer has decrypted the page, so an encrypted connection carries its modifications just as faithfully.

Many experts recommend a separate system used only for online banking and other sensitive sites, never for shopping, general browsing or social media. Others recommend a hardened browser on a USB drive, or a Linux live CD, so that the session runs in an environment the malware on the everyday system cannot reach.

If you suspect something is wrong with your account, contact the company by phone, or check from a different computer or device, since the infected browser cannot be trusted to show you the truth. Verify who has logged in recently and the account status. There is not much end users can do once they are hit with a man-in-the-browser attack, but staying alert helps them notice sooner and take steps to contain the damage.


6 comments on “The Man-In-The-Browser: It Hungers For Your Online Credentials”

  • Hi
    What is a hardened browser on a USB drive, or a Linux Live CD, and how do I make or buy one for my computer?

    • José Maria Oliveira Simões says:

      You can use Firefox with the add-ons NoScript and WOT. I also recommend Webutation. And you can also use Linux. This will make it very hard for criminals to make your life a hell. The best defence is the human who is behind the computer screen. You! You have to be cautious. Be wary and always be alert.

  • Re Sam on May 14, 2014 at 10:45 am

    “What is hardened browser”?

    Good question. It’s a pity that ZoneAlarm neglected to provide embedded links at “HTTPS Everywhere” and “ForceTLS” in the preceding paragraph; however, Comodo Dragon and Comodo IceDragon should be prime candidates?

    Alternatively, take Google Chrome and Firefox. These can be improved by adding controls for JavaScript and calls for “content” from sites not listed in the browser address bar.

    With Firefox, this would indicate NoScript and RequestPolicy. Both can be a pain until they are trained to handle your usual selection of websites satisfactorily. There are other JavaScript “blockers”, but NoScript provides additional protections besides JavaScript controls.

    RequestPolicy will reveal just how much websites use third party resources for tracking and monitoring, as well as loading legitimate page content. Then there are extensions which address this tracking and monitoring. ZoneAlarm supply one such for those who are not hostile to toolbars generally, regardless of source.

    Chrome also offers JavaScript blockers, but is less supportive of the security concerns addressed by NoScript.

    Chrome has Cross-Domain Request Filter, which was inspired by RequestPolicy, and seeks to provide protection against “content” which is loaded from third party websites.

    However, both Google and Google Chrome provide privacy issues to consider. SRWare Iron is a Chrome clone which addresses these issues, but provides nothing which a tour of Google Chrome settings could minimise.

    There is software available to protect against Man-in-the-browser attacks. I would presume that ZoneAlarm are using something to address this issue, but statements to this effect are less easy to find than at a Dutch anti-malware vendor’s website. The Wilders Security Group website has a thread which is dedicated to this software and its users.

    See also “5 Ways to Secure Your Web Browser” at this blog?

    “What is hardened browser on a USB drive, or a Linux Live CD”

    There are “ISO” files available from distributors of various species of Linux, some with the graphical user interfaces which make Windows so much more amenable than MSDOS. These are downloaded and “burnt” to CD or DVD by specialised software.

    Alternatively, these ISO files can be “mounted” by other software and their contents copied to folders in the same way that the contents of Zip files are extracted to folders on a drive. Then the contents of these folders may be modified if desired. Any browsers included with the Linux distribution probably won’t be “hardened”.

    Anti-virus and firewalls might need attention also.

    Having created an ideal set-up, these folders are then copied to the ISO file format, burnt to disk, and are then available for booting up when not using Windows, or if a second machine is available. Alternatively, a computer can have a “dual boot” set-up where, on booting up, the user has the option to choose which operating system to use.

    USB drives merely provide a more convenient and portable alternative to CDs, DVDs, and machines fitted with hard disks. Loading an operating system onto a USB drive is a whole article in itself. Try the ZoneAlarm’s forums or the Wilders Security Group website for further info, or other safe sources.

    • ZoneAlarm says:

      Hi John, we actually did embed links for HTTPS Everywhere and ForceTLS. The words themselves, when clicked, will take you to the respective website.

  • Henry Hertz Hobbit says:

    I cannot over-emphasize the importance of using Firefox + NoScript to prevent this and other things from happening. If JavaScript is what is nailing you make sure you tighten down your security screws in Firefox to make it more difficult to happen.

    That is why I make a backup script for Linux users to backup your Firefox and Opera user folders:

    It is a template where you need to fill in your own configuration. Why is this so important? JavaScript installed into the browser is OS independent. If you ever get the browser infected, you close the browser. Then you move ~/.mozilla to ~/old.mozilla, link your */backups/mozilla.7z (or tbz or other zip format) to ~/.mozilla.7z. Then you unzip, update your subscriptions, reimport your bookmarks (you do have backups, don’t you?) and make a new fail-safe backup.

    There is a University Mathematics department that mandates Firefox + NoScript for all of the machines connected to their network. I don’t know what they do about iPhone, iPad and Android but since those are not going through their network … The people using Solaris, Linux or Macintosh may have grumbled a little bit in the past but they probably don’t say much any more.

  • Hmm, it appears like your website ate my first comment (it was extremely long), so I guess I’ll just sum up what I submitted and say I’m thoroughly enjoying your blog. I too am an aspiring blog writer, but I’m still new to the whole thing. Do you have any tips and hints for rookie blog writers? I’d really appreciate it.

