Imagine you’re trying to log into your online banking account. Rather than being directed to the page you’ve requested after entering your User ID and password, an additional field appears and asks you to enter your debit card information, social security number, driver’s license, and other personal information. You check the URL of the website, and it’s verified to be from your bank.
If you entered your personal information, you’ve likely become a victim of a man-in-the-browser attack. And it only gets more problematic from here. In this case your PC, not the bank’s website, has been compromised by malware.
What is a man-in-the-browser attack?
Man-in-the-browser attacks can be highly effective and quite difficult to detect, especially if you aren’t aware of the kind of damage they can cause. It’s important to understand these types of stealth attacks and to take steps to protect your computer—and personal information—from criminals.
The attack’s success lies in how simple it is. Of all the various security threats you can encounter by being online, the man-in-the-browser attack is arguably the most dangerous. Why? Because it co-opts your Web browser to steal confidential information such as passwords, security codes, and credit card numbers.
Like most attacks, man-in-the-browser begins with a malware infection. The malware injects itself into the Web browser and waits in stealth mode until the user visits a specific Website. At that point, the malware kicks into action, tricking the user into entering sensitive information and slurping up all the information being entered on the page. The idea is that it doesn’t matter how careful you are about scrutinizing URLs and making sure you are going to the correct Website—your Web browser cannot be trusted because it has been compromised.
How man-in-the-browser infects a Web browser
The initial malware infection can happen in a number of ways, such as tricking the user into clicking on a link, visiting a malicious site to trigger a drive-by-download attack, or opening a malicious attachment.
Once infected, the malware lies dormant, waiting for a specific Website to load in the Web browser, such as an email account, online banking, or in recent weeks, a Bitcoin-related site. Different types of malware typically have different attack targets hard-coded into their code. For example, Zeus and SpyEye generally target banking sites, but there are others that target social networking sites.
When the malware is activated, it may manipulate the page being loaded by injecting extra fields into the page to collect sensitive pieces of information, or simply act as a keylogger to intercept the data. The man-in-the-browser attack can go a step further, modifying the data shown on the site, such as the account balance, or hiding fraudulent money transfers so that you don’t know your money has been stolen. Whenever you go to the banking site, it looks like everything is fine.
Man-in-the-browser attacks have become popular in recent years because attackers can target a large group of victims without having to know much about the victims, or even be in the same geographic area. They have also been successful at bypassing the two-factor-authentication mechanisms that many financial institutions—especially in Europe—have implemented for better account security.
Protecting against man-in-the-browser attacks
It’s important to keep software, especially your Web browser and operating system, patched regularly and running the most up-to-date version. Many malware infections rely on users running vulnerable versions of software. Along with keeping the software updated, make sure some kind of security software is installed, up-to-date, and running. The security tool can help detect infections and get rid of them before the malware can cause any damage.
Be alert when online. If you’re asked to fill in more fields on a form than usual, or to enter information your bank or other sites normally don’t ask for (especially for a “new security feature”), or if you’re asked to enter your password more frequently, these should raise some red flags.
Using browser plugins such as HTTPS Everywhere or ForceTLS can ensure that you are on a secure connection whenever the option is available, but it isn’t foolproof, because the malware operates inside the browser rather than on the network.
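The injected-field behaviour described above (extra inputs added to a legitimate login form) is something a site can watch for on its own pages. The following is an added example, not code from the original article or any bank: a client-side audit that compares the fields actually present in a login form against the set the site intended to render. The field names and the sample forms are constructed for illustration, and, as the article notes, a fully compromised browser can also tamper with this check, so it is an early-warning signal rather than a guarantee.

```javascript
// Added example: detect unexpected inputs in a login form, a common
// symptom of man-in-the-browser field injection. All names are constructed.

// The inputs the site knows it rendered: name -> input type.
const EXPECTED_LOGIN_FIELDS = {
  user_id: "text",
  password: "password",
  csrf_token: "hidden",
};

// Describe a real form's inputs as plain objects so the audit logic can be
// tested outside a browser. In a page: describeForm(document.querySelector("#login")).
function describeForm(formEl) {
  return Array.from(formEl.querySelectorAll("input, select, textarea")).map((el) => ({
    name: el.name || "",
    type: (el.type || el.tagName).toLowerCase(),
  }));
}

// Compare observed fields with the allow-list. A field is reported as
// "injected" if its name is unknown or its type changed (e.g. a hidden
// token turned into a visible text box); expected fields that vanished are
// reported as "missing", which can indicate the form was replaced outright.
function auditFields(observed, expected = EXPECTED_LOGIN_FIELDS) {
  const known = (name) => Object.prototype.hasOwnProperty.call(expected, name);
  const injected = observed.filter((f) => !known(f.name) || expected[f.name] !== f.type);
  const seen = new Set(observed.map((f) => f.name));
  const missing = Object.keys(expected).filter((n) => !seen.has(n));
  return { injected, missing, suspicious: injected.length > 0 || missing.length > 0 };
}

// Constructed sample: the same login form after injection added fields
// asking for card and social security numbers, as in the opening scenario.
const sampleTampered = [
  { name: "user_id", type: "text" },
  { name: "password", type: "password" },
  { name: "csrf_token", type: "hidden" },
  { name: "card_number", type: "text" },
  { name: "ssn", type: "text" },
];
const sampleClean = sampleTampered.slice(0, 3);
```

In a real deployment the findings would be reported to the server (for example with navigator.sendBeacon) so that the bank's fraud team sees which sessions rendered unexpected fields.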
Many experts recommend using a separate system for only online banking, or other secure site usage, and never using it for shopping, browsing, or accessing social media. Others recommend using a hardened browser on a USB drive, or a Linux Live CD to prevent infected browsers from hijacking the user session.
If you suspect something is wrong with your account, contact the company by phone, or get on a different computer or device. Verify who has logged in to the account recently and your account status. There is not much end users can do once they are hit with a man-in-the-browser attack, but staying alert can help them detect that something is wrong sooner and take steps to contain the damage.