Man-in-the-Browser Attacks


MSc in Information Systems – Part Time, 2014-2016 Course: “Critical Information and Communication Infrastructure Protection”

Man-in-the-browser attacks

Christofilos Konstantinos (MM4140023) Gerardos Pavlos (MM4140001) Pantazaras Sokratis (MM4140013)

March 13th, 2015


Contents

1. Introduction (p. 2)
2. From M to B (p. 3)
3. Malware distribution overview (p. 4)
4. The Man-in-the-browser (MITB) attack (p. 6)
4.1 Points of attack (p. 6)
4.2 MITB attack step-by-step (p. 9)
4.3 Famous MITB malware (p. 10)
4.4 What makes the MITB attack difficult to defend against (p. 10)
4.5 Defending against MITB attacks (p. 11)
5. Variants of MITB (p. 14)
5.1 Clickjacking (p. 14)
5.2 Boy-in-the-browser (BITB) (p. 16)
5.3 Man-in-the-Mobile (MITMO) (p. 16)
6. Conclusions (p. 18)
7. References (p. 19)

1 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras


1. Introduction

The Internet has transformed the global economy and revolutionized the way that people interact, communicate and exchange information and goods. Users are able to easily and quickly use any kind of personal device (smartphones, tablets, laptops) to access online services, which also provide two-way communication: not only do they update their users, but they also get updated by them (Web 2.0). One of the most commonly used services globally is Internet banking (e-banking). As of April 2012, around 423 million people worldwide accessed online banking sites, reaching 28.7 percent of total Internet users [1]. For North America and Europe alone, this percentage was 45% and 37.8% respectively.

Graph source: statista.com

The statistics presented above allow us to understand the importance and usability of e-banking to Internet users. They also allow us to understand why cybercriminals are interested in exploiting these services. As more and more people are accessing online banking services, they become potential targets to those who have the technical expertise and audacity to swindle them and gain personal financial benefit.

[1] http://www.statista.com/statistics/233284/development-of-global-online-banking-penetration/



2. From M to B

One of the most well-known types of attack against financial institutions is the Man-in-the-Middle (MITM) attack. This method is based on the attacker's ability to intercept a legitimate user's session with a bank's web server and use their own machine (i.e. the attacker's) as a proxy. All data then passes through the attacker's computer, giving them complete control over it and allowing tampering without either end's knowledge.

This method has been used for quite some time by cybercriminals. However, I.T. security engineers have managed to increase their defensive measures through the use of device identification and Risk Engines (REs). Risk engines analyse information related to every user session, like unique device IDs (UDIDs), login times and session duration. All data are then combined and analysed in order to evaluate whether such activity is reasonable/typical for that specific user (behavioural profile). If the analysis produces an alert, the issue is escalated for further inspection. The above factors, technology (risk engines), experience (previous incidents) and the maturity of Internet users (it is easier for today's average user to identify a fraudulent website than it was some years ago), have contributed to making MITM attacks very difficult to execute successfully. For this reason, cybercriminals started to move towards a more advanced and promising method. Instead of hijacking user sessions at the network layer (during transmission of data), attackers have begun to target the user's application layer directly: the web browser.



Trojan horses, distributed through various well-known methods (email attachments, hyperlinks on social networks or hijacked websites), install extensions on web browsers. These extensions are able to:

- Modify what the user sees on their computer (DOM manipulation),
- Modify and/or redirect original user data before encryption and transmission take place. This ensures the data sent to the web banking server seem legitimate and therefore the fraud cannot be detected.
- Modify the returning transaction data upon server response, so as to present information to the user exactly as it is expected to look.

3. Malware distribution overview

The Internet provides a wealth of information and services to every user around the world. Of course, some of the available services relate to non-legitimate purposes. Underground communities have created well-organized online markets where users can obtain malicious software for their needs (Malware-as-a-Service, MaaS). Before proceeding with the details of how a MITB attack takes place, we will describe how malware in general is distributed to the computers of unsuspecting users all around the world. Malware distribution involves three parties:

Malware distribution - parties involved

a) Infection point

The infection point is the method by which the malware is distributed to the target machines. There are several distribution methods, such as:

- A hijacked website which automatically downloads and installs a trojan on the user's computer (drive-by download).
- An email attachment which contains executable code and runs when the user opens it.
- A USB key which contains the malware and runs when the user connects it to their computer (autorun.inf).
- A PDF document or a PowerPoint presentation with embedded script code.

b) Command and Control (C&C) server

Once the malware has been installed on the computer, the attacker must provide instructions about the exact actions to be performed. These instructions are provided through configuration files, which are distributed to the target machines from a Command & Control (C&C) server. They contain information such as:

- Website URLs that need to be monitored and intercepted,
- Custom form fields that need to be added/changed per URL,
- Drop server locations, where all the intercepted data will be sent.

The configuration files are usually encrypted/obfuscated, so that their content is difficult to examine, and can be easily updated from the C&C server with new information, e.g. new e-banking URLs, updated form fields and drop servers.

c) Drop server

The drop server is the location to which all data collected from the target computers are sent. This could be a hijacked machine whose administrator/owner has no knowledge that it is being used by cybercriminals, or the same C&C server that is used by the attackers.



4. The Man-in-the-browser (MITB) attack

A web browser is the client-side application which communicates with remote web servers, downloads content and renders it on the user's screen. The main concept behind the MITB attack is that the rendering of information received from the web server (i.e. how the webpage will be displayed: the DOM tree) can be edited/manipulated on-the-fly in order to customize/improve the user's experience, e.g. remove ads/banners or change colours (augmented browsing). Although there is nothing wrong with this concept, the exact same method can be used for malicious purposes; the mechanisms that can change the layout or the colours of a web page can also change the values of submitted forms in the background, while displaying whatever information their creator wants on the user's screen.

4.1 Points of attack

Extra functionality can be inserted into web browsers in a variety of ways, depending on the browser type. Extra functionality usually aims at enhancing the user experience, but fraudsters can use this capability to take control of the browser. Ways to incorporate new functions into the browser include the following.

Browser Helper Objects (BHOs)

Browser helper objects are dynamically-loaded libraries (DLLs) specifically designed for Microsoft's Internet Explorer, with access to the Document Object Model (DOM). They are activated on browser start-up and provide additional functionality, e.g. the Adobe Acrobat plugin is a BHO which allows opening PDF files directly from the web browser.



List of Add-ons (BHOs) in Internet Explorer

BHOs have been extensively used by cybercriminals because they are easily developed and run with high privileges (System account).

Extensions

Similar functionality to BHOs is provided for other browsers like Chrome, Firefox or Opera by extensions. Some of them, like Greasemonkey for Firefox (www.greasespot.net), act as a placeholder for custom-made user scripts. That means that Greasemonkey does not perform a specific action, as the Adobe Acrobat plugin does for PDF files, but instead allows any user script to run with its own custom functionality, like a "dynamic"/reprogrammable extension.

List of extensions in Google Chrome



API hooking

API hooking is a complex technique which allows modification of the API calls between an application (.exe) and the DLLs it dynamically loads, whether application or system libraries. For example, on Windows machines the Windows Internet API (wininet.dll) enables applications to interact with and access Internet resources through the HTTP and FTP protocols. Malware installed on a browser can, once activated, hook various functions of wininet.dll, e.g. InternetConnect(), HttpSendRequest(), HttpOpenRequest() and InternetReadFile(), and modify the original calls.

API hooking on wininet.dll

AJAX sniffing

Another technique used for MITB attacks is AJAX sniffing. This time the approach is to hit the web server in order to collect or alter data on the client side. Web technologies have evolved rapidly in recent years and are now able to provide high-quality services with very smooth and fast functionality. In order for users to enjoy Web 2.0 services, a "hack" was invented to bypass the drawbacks of HTTP, such as its synchronous request model. The technology, called "Asynchronous JavaScript and XML" (AJAX), is commonly used to make the navigation and use of a web application look and feel more like a desktop application. AJAX is based on a JavaScript object called XMLHttpRequest, which calls URLs asynchronously in the background of a web site visit and is able to update specific parts of the page, or the complete page, when a response is returned. AJAX sniffing builds on that implementation and injects JavaScript code snippets into web pages that are vulnerable to XSS attacks. XSS (Cross-Site Scripting) attacks exploit web server vulnerabilities and allow the attacker to inject code into a webpage via the HTTP payload (POST and GET parameters). When the malicious JavaScript code is injected into the web server's pages, it overrides the XMLHttpRequest object and starts sniffing all the requests the client makes to the server. That way it can intercept all the information exchanged between the client and the server and forward the data to a remote server (drop server), where it can be used for whatever purpose the cybercriminals want. Consider that modern sites log users in via AJAX calls, which means that the usernames and passwords of all users can be collected without installing any malware on the clients; that is the worst aspect of AJAX sniffing. Fortunately, this kind of attack is based on server-side exploits; therefore the main responsibility shifts to the web server's administrator(s), who are theoretically more aware of information system security than a normal user.

4.2 MITB attack step-by-step

A detailed, step-by-step description of the MITB attack:

1. The Trojan infects the computer's software, either at the operating system or application level (infection point).
2. The Trojan installs an extension into the browser configuration, so that it will be loaded the next time the browser starts.
3. At some later time, the user restarts the browser.
4. The browser loads the extension.
5. The extension registers a handler for every page-load.
6. Whenever a page is loaded, the extension searches the URL of the page against a list of known sites targeted for attack.
7. The user logs in securely on to, for example, https://secure.ebanking.site/.
8. When the handler detects a page-load for a specific pattern in its target list (for example https://secure.original.site/account/do_transaction), it registers a button event handler.
9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values.
10. The extension modifies the values through the DOM interface.
11. The extension tells the browser to continue to submit the form to the server.
12. The browser sends the form, including the modified values, to the server.
13. The server receives the modified values in the form as a normal request. The server cannot differentiate between the original values and the modified values, or detect the changes.
14. The server performs the transaction and generates a receipt.
15. The browser receives the receipt for the modified transaction.
16. The extension detects the https://secure.ebanking.site/account/receipt URL, scans the HTML for the receipt fields, and replaces the modified data in the receipt HTML with the original data that it remembered.
17. The browser displays the modified receipt with the original details.
18. The user thinks that the original transaction was received by the server intact and authorized correctly.



4.3 Famous MITB malware

A few of the most well-known malware families which use the MITB attack method:

- Zeus/Zbot: Zeus/Zbot and its variants (Zeus Gameover P2P) is probably the most well-known financial malware. It infects Windows machines and is based on the client/server model (it requires a C&C server in order to organize the attack). It is able to steal private data from the infected computers, such as usernames/passwords and banking credentials, by injecting malicious content into the user's web browser.
- Carberp: In 2012, the Carberp malware was reported replacing Facebook pages with fake ones which stated that the user's account was temporarily locked. In order to unlock the account, the user had to complete a web form which included personal information like name, email and password, and also pay a 20€ uKash e-voucher to confirm verification. The cash voucher would supposedly be added to the user's Facebook main account balance, but in reality the 19-digit uKash code was transferred to the Carberp botmaster, who could use it as a normal cash equivalent.

Carberp’s Facebook attack

4.4 What makes the MITB attack difficult to defend against

Man-in-the-Browser attacks pose a high risk due to the following factors.

Infection is easy

Users are accustomed to downloading several files from the Internet, as well as regularly updating their installed applications, including their web browser and its various extensions. Software updates are usually either approved automatically, without any user intervention, or are not given enough attention (users tend to just click "Accept" on installation prompts without noticing what the dialogs state).

Detection is hard

All technical vectors involved in the MITB attack (extensions, scripts) are carefully crafted, involve advanced technical knowledge and, most importantly, are installed and run only on the client side, where normal users usually have neither the expertise nor the technical knowledge and/or mechanisms to defend themselves. Additionally, such malware is usually distributed with variations of the malicious code in order to circumvent the antivirus/antispyware software installed on the client machines.

Authentication and server-side fraud detection mechanisms are inadequate

MITB is not a phishing attack; it does not use fake data, e.g. malicious websites that resemble the real ones, in order to steal the user's information. All data that the e-banking servers receive are indeed sent from legitimate users and their machines. This means that traditional security measures like authentication (username/password) or transaction verification (by use of one-time passwords, OTP) are rendered useless, since all of this data is sent through the browser and is therefore available for the installed malware to tamper with.

4.5 Defending against MITB attacks

As already stated, MITB attacks are quite advanced both in concept and technology, which means that there is no easy way to defend against them. However, there are some techniques and/or proposals which can be used against them; they are presented below.

Hardened browser

The concept of a hardened browser is based on the creation of a browser that will be able to access e-banking services without allowing any kind of external/custom-made code (extensions/BHOs), which by default might be malicious, to load. Additionally, the application should be distributed as a single, static binary so as to also avoid API hooking through dynamically-called external libraries. In more detail, a hardened browser should fulfil the following requirements:

- Statically compiled: prohibit loading of dynamic libraries.
- Stripped: no compiler symbols should be available to guide the attack.
- Additional binary-protection methods: the executable should be encrypted or packed.
- Allow only HTTPS connections: prohibit plain HTTP.
- Process monitoring for the launching of executables from the browser.
- Memory-space protection (against key loggers and/or screen capturing applications).
- White-list of valid e-banking websites: the browser can only connect to a predefined list of e-banking servers.
- White-list of SSL certificates: no addition of SSL certificates is allowed.

Pros
+ No extensive work is required in order to customize and strip down industry-standard browsers (Firefox, Chrome, IE).
+ Can be easily distributed as an alternative/parallel installation for use only on secure e-banking sites.
+ Better usability than a live distribution: if an update is published, users just download the new version without needing to burn a new CD or re-format a USB stick.

Cons
- Allowing only valid websites or SSL certificates based on white-lists might lead to having to continuously update the executable with new/updated information. This is obviously not a very practical and certainly quite a tiring process for the end user, who would certainly prefer not to be involved.
- Downloading the hardened browser is always susceptible to phishing: the user may be deceived and redirected to a website where a malicious/vulnerable version of the supposedly hardened browser is distributed.
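An added example, not from the report, of how the HTTPS-only, host white-list and certificate white-list requirements above could be enforced as one connection check before any request leaves a hardened browser. The hostnames and certificate fingerprints are constructed assumptions.

```javascript
// Added example (not from the report): the connection policy a hardened
// e-banking browser could enforce before any request leaves it. It covers the
// HTTPS-only, host white-list and certificate white-list requirements above.
// The hostnames and fingerprints below are constructed sample values.
const POLICY = Object.freeze({
  // Exact hostnames the browser may talk to; nothing else, ever.
  allowedHosts: Object.freeze(['secure.ebanking.site', 'www.ebanking.site']),
  // SHA-256 fingerprints of the bank's certificates, baked into the binary.
  // Object.freeze models "no addition of SSL certificates is allowed".
  pinnedFingerprints: Object.freeze(['ab'.repeat(32)]),
});

// Decide whether the browser may open `urlString` over a TLS session whose
// server certificate has the given SHA-256 fingerprint (lowercase hex).
function checkConnection(urlString, presentedFingerprint, policy = POLICY) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  // Requirement: allow only HTTPS connections, prohibit plain HTTP.
  if (url.protocol !== 'https:') {
    return { allow: false, reason: 'plain HTTP forbidden' };
  }
  // Compare the parsed hostname, never the raw string: the URL parser strips
  // userinfo, so "https://secure.ebanking.site@evil.example/" yields the
  // hostname "evil.example", and a look-alike such as
  // "secure.ebanking.site.evil.example" is simply not in the list.
  const host = url.hostname.toLowerCase();
  if (!policy.allowedHosts.includes(host)) {
    return { allow: false, reason: `host not white-listed: ${host}` };
  }
  // Only the standard HTTPS port; url.port is '' when it is the default.
  if (url.port !== '') {
    return { allow: false, reason: `non-standard port: ${url.port}` };
  }
  // Requirement: white-list of SSL certificates; an unknown certificate fails
  // even if it chains to a trusted CA.
  const fp = String(presentedFingerprint).toLowerCase();
  if (!policy.pinnedFingerprints.includes(fp)) {
    return { allow: false, reason: 'certificate not in pinned white-list' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed checks a practitioner can read straight through.
const PINNED = POLICY.pinnedFingerprints[0];
console.log(checkConnection('https://secure.ebanking.site/account', PINNED));
console.log(checkConnection('http://secure.ebanking.site/', PINNED));
console.log(checkConnection('https://secure.ebanking.site@evil.example/', PINNED));
console.log(checkConnection('https://secure.ebanking.site/', 'ff'.repeat(32)));
```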

Bootable, write-protected live distributions (live-CD/DVD)

Free/open source distributions of client operating systems like Knoppix are distributed freely and can be burned to bootable, read-only media (CD/DVD). As the media is write-protected, no installation can take place permanently, which means that if the user wishes to perform an online bank transaction, a reboot will securely reset all browser settings to the defaults and will allow the user to connect to the e-banking server securely.

Pros
+ Upon reboot, a live-CD is considered highly secure.

Cons
- Browsers on live-CDs also need to be updated and patched every time the user restarts the live-CD distribution; otherwise they run the risk of connecting to the web banking server insecurely.
- Users don't like to reboot their computers very often. Especially as they will lose all the customizations that they have made during their current session, it is quite probable that they will eventually either not reboot, which poses a security issue, or not use the live-CD distribution at all.



Out-of-band transaction verification

A popular method to counteract a MITB attack is the so-called Out-of-Band (OOB) transaction verification. This method is based on the use of a communication channel other than the web browser (telephone call, SMS) in which the transaction details are verified.

Pros
+ Works with standard devices (mobile phones) and does not need additional hardware.

Cons
- Can be easily subverted as well if the verification information (phone number) is stored in the user's account online.
- OOB SMS can also be broken by Man-in-the-Mobile (MITMo) attacks like ZitMo (Zeus-in-the-Mobile) and SpitMo (SpyEye-in-the-Mobile).

Campaigning and training for raising awareness

Apart from the technical vectors, campaigns and training sessions from financial institutions and government agencies help in raising user awareness about how these attacks take place and how they could be identified. One of the more effective methods for stopping MITB is educating Internet users on the extent of the threat. Malware has to enter the user's computer somehow, so if users are made aware of how this can happen, it is less likely that MITB will be effective. Properly maintained firewalls and scanning of all downloads will significantly reduce a user's risk of becoming a victim.



5. Variants of MITB

The MITB attack method is actually a family of malware components designed to exploit vulnerabilities in user browsers. Some members of the family can be classified as sub-categories in their own right. The most important of these are presented briefly below.

5.1 Clickjacking

Clickjacking was originally described by Jeremiah Grossman of WhiteHat Security fame back in 2008. The idea here is to create a layer of authenticity, under which lies a different purpose. An easy-to-understand example is given in http://www.troyhunt.com/2013/05/clickjack-attack-hiddenthreat-right-in.html; the gist of that example is described below.

Assume that a user is engaged in online banking activity. They are already logged into the bank service and most probably assume that they are perfectly safe as long as this is the case. Moreover, they expect that any content displayed while they are browsing through their account and transaction information originates from the bank service. At some point the user comes across a page which includes some sort of offering, for example the chance to win a free iPad. The user may then be tempted to give this a shot: if it comes from the bank, it must be safe. They proceed to click on some link, which then results in something quite different happening: perhaps an amount of money from one of their accounts is transferred to another account, which the user knows nothing about. It will probably be some time before the user realises that something has gone wrong.

How did this happen? The usual mechanism is quite simple. Assuming the existence of a website that an attacker is interested in (we'll refer to that as website A; the bank's website in the previous example), and a user that has access to that website (the user engaged in web banking), the success of this method depends on whether the attacker can trick the user into visiting a different website (website B), which is under the attacker's control. If the user's browser is running malicious BHOs or plug-ins as a result of having been hijacked, this is quite easy: the user is directed to website B after pointing their browser at a location of interest (as described in the MITB section).

Website B is under the control of the attacker, who can therefore render, for instance, JavaScript and multiple pages. Website A is loaded inside a separate iframe and is initially displayed as-is to the user. The user starts their interaction with website A as normal. They log in and take care of their business as usual, never aware that something is wrong. At any time, the attacker can place content of their choosing on website B and overlay that content over the content of A in a variety of ways (such as rendering the content of website A invisible). The attacker can then take advantage of the fact that the user is still actually interacting with A, but seeing something completely different on screen. In other words, the attacker is tricking the user into performing legitimate bank transactions, while the user is under the impression they are doing something completely different (such as opting for a free iPad).

L. Huang et al., in their paper "Clickjacking: Attacks and Defences", classify current clickjacking attacks into 3 categories, which correspond to the ways that users are forced to issue input commands (i.e. clicking on a link) which result in actions different from what they believe when they issue them (the phrase "out of context" is used throughout the paper to describe this situation). These categories are:

- Attacks that compromise target display integrity, meaning that the user sees something different from what the legitimate website is actually showing at the time they consider clicking on a link.
- Attacks that compromise pointer integrity, meaning that the feedback given by the cursor or other input device is not reliable and has been tampered with, so that the user may click on something different from what they intended.
- Attacks that compromise temporal integrity, meaning that users are not given a sufficient amount of time to understand what they are clicking on and whether they would really like to proceed.

An interesting distinction is made between clickjacking attacks and social engineering attacks, which do not attempt to manipulate security mechanisms to breach a website's security, but rather to manipulate people into attempting something that they normally wouldn't do. A social engineering attack is more or less the "psychological bullying" of the user into giving out information that is of value to attackers (i.e. account numbers, e-mails, passwords), because the user is manipulated into doing so by social conventions. A simple example is a social network post which prompts the user to "like" it or interact with it by posing as an organisation for the aid of blind children. The user may just go ahead and do this to appear concerned and socially responsible to others. The problem here arises from people being naive enough to follow a social convention without verifying that the information they are handing out is actually going where they expect it to; this has nothing to do with clickjacking.

The most widely used clickjacking defences today use frame-busting. Frame-busting refers to code provided by a webpage which prevents the page from being loaded in an iframe, as described above. The basic principle of the code is simple:

    if (top.location != this.location) { top.location = self.location; }

Unfortunately, frame-busting has the major drawback of being incompatible with third-party widgets, such as "like" and "follow" buttons. Other approaches include:


- User confirmation: The user is prompted to verify their initial action.
- User interface randomisation: This approach dictates that the positioning of sensitive elements (such as buttons, links, etc.) should vary every time a page is loaded.
- Opaque overlay: All cross-origin frames are rendered opaquely (a technique employed by the Gazelle browser).



Evidently, these approaches suffer from their own problems. User confirmation is notorious for straining the patience of users, who feel it is burdensome to have to make multiple clicks to complete one action. Interface randomisation violates the basic principle of keeping an interface consistent so that users can grow accustomed and not get lost every time they try to interact with it. Finally, opaque overlay removes all transparency from all cross-origin elements, thus deforming many websites that are not being used for malicious purposes.

5.2 Boy-in-the-browser (BITB)

The Boy-in-the-Browser method of attack is generally considered a less mature, dumbed-down version of the MITB attack. There are some differences between the two approaches:

- The BITB trojan redirects the traffic between the infected browser and the website of interest to a third-party site (which may even mimic the legitimate one), where most of the unauthorised processing takes place, whether this consists of simply copying down the information passed or of altering the ongoing transactions in some form.
- BITB scripts are much simpler than MITB scripts and therefore require fewer resources. Developing a new BITB trojan can be a process that takes a few hours, while useful MITB trojans usually need months to mature.
- BITB trojans evolve much more frequently, and therefore anti-virus programs have more difficulty catching up with the latest threats.
- It is easier to locate the culprit once the attack has been recognised as a BITB attack, and to shut down the third-party server collecting and processing the information.
- Because of their nature, BITB trojans tend to be used for one-time hit-and-run operations. They are also used to target a greater variety of websites and are not primarily focused on financial institutions.

The basic outline of the method of operation is this: once the BITB trojan is downloaded, it starts tampering with the user system's hosts file, mainly by adding new entries to it. This results in a remapping of specific addresses to others, which point to websites controlled by the attacker (these websites may be phishing sites or act as proxies to legitimate sites). As in the MITB situation, the victim is completely unaware: the URLs displayed in the browser address bar are the legitimate ones.
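An added example, not from the report, of a detection check for the hosts-file tampering just described: it parses hosts-file text and reports any entry that statically maps a watched banking domain, whether to a foreign address or to loopback (a local proxy). The hosts content and the watched domain list are constructed.

```javascript
// Added example (not from the report): detection of the hosts-file tampering
// described for BITB trojans. It parses hosts-file text and flags any entry
// that statically maps a watched banking domain (or a host under it).
// Sample hosts content and the watched domains are constructed; on a real
// system read /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts instead.

// Loopback addresses: a watched bank name mapped here points the browser at a
// proxy running on the victim's own machine, which is just as suspicious.
const LOOPBACK = new Set(['127.0.0.1', '::1', '0.0.0.0']);

// Parse hosts-file text into { ip, names, line } records, skipping blank
// lines and comments (a '#' starts a comment anywhere on the line).
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) return;
    const [ip, ...names] = line.split(/\s+/);
    if (names.length === 0) return;            // malformed line, nothing to map
    entries.push({ ip, names: names.map((n) => n.toLowerCase()), line: idx + 1 });
  });
  return entries;
}

// True when `name` is the watched domain itself or a host under it.
function underDomain(name, domain) {
  return name === domain || name.endsWith('.' + domain);
}

// Report every mapping that would redirect a watched domain. A legitimate
// hosts file has no reason to pin a public banking hostname at all, so any
// such entry is reported, with the address class as the reason.
function findTampering(text, watchedDomains) {
  const watched = watchedDomains.map((d) => d.toLowerCase());
  const findings = [];
  for (const entry of parseHosts(text)) {
    for (const name of entry.names) {
      if (watched.some((d) => underDomain(name, d))) {
        findings.push({
          line: entry.line,
          host: name,
          ip: entry.ip,
          reason: LOOPBACK.has(entry.ip)
            ? 'bank hostname mapped to loopback (local proxy)'
            : 'bank hostname mapped to foreign address',
        });
      }
    }
  }
  return findings;
}

// Constructed sample: the stock localhost lines plus two entries of the kind a
// BITB trojan appends (203.0.113.0/24 is a documentation address range).
const SAMPLE_HOSTS = `
# default entries
127.0.0.1       localhost
::1             localhost
# appended by the trojan (constructed)
203.0.113.45    secure.ebanking.site www.ebanking.site   # looks harmless
127.0.0.1       login.bank.example
`;

const WATCHED_DOMAINS = ['ebanking.site', 'bank.example'];
console.log(findTampering(SAMPLE_HOSTS, WATCHED_DOMAINS));
```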

5.3 Man-in-the-Mobile (MITMO)

With the growth of the smartphone market, especially the Android platform, it was inevitable that attackers would eventually target mobile phones, which now offer more opportunities than ever for eavesdropping and related malicious activity. With so many apps reaching the market at this pace, covering everything from gaming to banking to social networking, the prospects are very promising for anyone who wants fast and easy access to sensitive data. It is no surprise that the MITB malware family expanded to hit the new market. Around the start of 2011, S21sec detected a new and rather sophisticated banking trojan, which they named Tatanga; written in C++, it used MITB functions against banks in Spain, the United Kingdom, Germany and Portugal. Almost a year later, ESET was following the progress of the same trojan family (which they in turn called Gataka), remarking on their blog how surprising it was that it had received so little attention, given that its stability and functionality were bound to make it popular with fraudsters. Soon after, Trusteer reported that a variant of the malware had migrated onto the Android platform.

The attack is not launched at the user's mobile at first, but at the web browser on their desktop computer. The bait is a supposed new security feature for the Android platform which, the injected page claims, a great number of users have already installed. The user is prompted to enter their phone number and submit an online request, which results in a text message being sent to their phone. The SMS contains a link to install the alleged app, which is in fact the mobile component of Tatanga. Once installed, it can capture all SMS traffic, and so obtain all sorts of sensitive information (including bank authorisation codes), which it forwards to the attackers.

This method is very effective at circumventing the out-of-band security mechanism that many European banks use for verification. Out-of-band verification requires a separate medium to act as the confirming agent for online transactions launched from a personal computer. That medium is usually the user's mobile phone, to which an SMS verification code is sent; the user enters the code at the appropriate time to prove that they are the party who initiated the transaction. By reading the SMS traffic the user's phone receives, the trojan renders out-of-band authentication ineffective.
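The following simulation is an added example, not code from the paper, from Trusteer or from any Tatanga sample. It models the exchange just described with both sides' messages: the bank derives the SMS code from the transfer details it actually received and puts those details in the text, the user only types a code whose details match what they asked for, and a Phone object stands in for the handset with or without the SMS trojan. The code-derivation scheme (an HMAC over beneficiary and amount), the assumption that the SMS carries the details and that the user reads them, and all names and amounts are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Bank-side secret from which SMS codes are derived. Constructed for the demo;
# a real system keeps such a key in an HSM.
SERVER_KEY = b"demo-bank-key-not-for-production"


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount_cents: int


def issue_code(tx: Transfer) -> str:
    """Bank side: a 6-digit code bound to the transfer details (assumption:
    the bank's scheme ties the code to beneficiary and amount, so a code
    issued for one transfer does not verify another)."""
    msg = f"{tx.beneficiary}|{tx.amount_cents}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sms_text(tx: Transfer) -> str:
    """The out-of-band message: the details the bank actually received,
    followed by the code."""
    return (f"Transfer {tx.amount_cents / 100:.2f} EUR to {tx.beneficiary}."
            f" Code {issue_code(tx)}")


def bank_execute(tx: Transfer, code: str) -> bool:
    """Bank side: execute only if the code matches this exact transfer."""
    return hmac.compare_digest(issue_code(tx), code)


class Phone:
    """The user's handset. With `mitmo` set, the SMS trojan hides incoming
    messages from the user and copies them to the attacker instead."""

    def __init__(self, mitmo: bool) -> None:
        self.mitmo = mitmo
        self.user_inbox: List[str] = []
        self.attacker_inbox: List[str] = []

    def receive(self, text: str) -> None:
        (self.attacker_inbox if self.mitmo else self.user_inbox).append(text)


def user_reads_code(intended: Transfer, inbox: List[str]) -> Optional[str]:
    """The user types the code only if the SMS describes the transfer they
    actually asked for (assumption: the user reads the details)."""
    expected = sms_text(intended).rpartition(" Code ")[0]
    for text in inbox:
        details, _, code = text.rpartition(" Code ")
        if details == expected:
            return code
    return None


def attack(intended: Transfer, injected: Transfer, mitmo: bool) -> bool:
    """One fraudulent session: the MITB trojan replaces `intended` with
    `injected` in the browser. Returns True if the bank executes `injected`."""
    phone = Phone(mitmo)
    phone.receive(sms_text(injected))        # bank texts what it really saw
    if mitmo:
        # the attacker lifts the code from the hijacked SMS and submits it
        code = phone.attacker_inbox[-1].rpartition(" Code ")[2]
    else:
        code = user_reads_code(intended, phone.user_inbox)
        if code is None:
            return False                      # details mismatch: user refuses
    return bank_execute(injected, code)


if __name__ == "__main__":
    wanted = Transfer("Landlord", 75_000)
    fraud = Transfer("Mule Account", 490_000)
    print("MITB only :", "fraud executed" if attack(wanted, fraud, False) else "blocked")
    print("MITB+MITMO:", "fraud executed" if attack(wanted, fraud, True) else "blocked")
```

With the browser trojan alone the substitution is caught, because the SMS arrives over a channel the trojan cannot touch and names the mule account; with the SMS trojan on the phone the same substitution goes through, because the user never sees the message and the attacker submits the matching code. Note the dependency this exposes: if a bank's SMS carries only the code and no details, the MITB-only case succeeds too, since there is nothing for the user to compare.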



6 Conclusions

The MITB trojan, along with all its variants, is another example of the undeniable fact that cyber-criminals have turned their attention to individual users rather than companies and other organisations, most of which are now well aware of the risks of online transactions and invest heavily in security measures and procedures. Individual users, on the other hand, remain at best moderately informed about the risks of using online services of any kind. They are not very familiar with the many pitfalls of activities such as online banking (or do not wish to become so), yet they make more and more use of the services available, increasing the chances for attackers to profit. As a result, more services become available at a growing pace, especially on mobile phones. End users favour mobile applications, as they offer instant access to whatever they need, whenever they need it. The Android app market in particular is a goldmine for fraudsters targeting unsuspecting users: downloading and installing a mobile app is as easy as can be, and the notion of risk in this area has yet to become common knowledge. Clearly this has to be taken into account, and it is companies that have to take the first step: assuming that users are well protected behind their firewalls and anti-virus products can bring down even the most sophisticated security system. Even approaches that use multiple media for authorisation (such as out-of-band verification) can be bypassed now that trojans target mobiles as well. Raising awareness is imperative, but it is worrying that most users tend to believe that secure exchange of information is the companies' responsibility rather than their own.



7 References 

C. Cain, SANS Institute – “Analyzing Man-in-the-Browser (MITB) Attacks” (https://www.sans.org/reading-room/whitepapers/forensics/analyzing-man-in-the-browser-mitb-attacks35687)

O. Eisen, 41st Parameter – “Catching the fraudulent 'Man-in-the-Middle' and 'Man-in-the-Browser'” (http://www.the41.com/sites/default/files/MITM%20and%20MITB%20Overview_41st%20Parameter.pdf)

J. Dossogne, O. Markowitch – “Online banking and man in the browser attacks: Survey of the Belgian situation” (http://www.ulb.ac.be/di/scsi/markowitch/publications/wic2010b.pdf)

M. Stahlberg, F-Secure – “The Trojan money spinner” (https://www.f-secure.com/weblog/archives/VB2007_TheTrojanMoneySpinner.pdf)

OWASP – “Man in the browser attack” (https://www.owasp.org/index.php/Man-in-the-browser_attack)

Trusteer/IBM – “How Man-in-the-Browser (MitB) Malware Works” video (http://securityintelligence.com/media/malware-man-in-the-browser-mitb-how-works-video)

ISACA – “Man in the Browser - A Threat to Online Banking” (http://www.isacajournal-digital.org/isacajournal/2013vol4?folio=16#pg18)

Almeida, Buyuksahin, Dimogerontakis, Tarhan – “Man in the browser attacks”

A. Nordbo – “Man-in-the-browser to retrieve content of SSL connections” (https://andynor.net/static/fileupload/419/S2_SoftSecTrends_Man-in-the-browser.pdf)

Wells, Hutchinson, Pierce - Edith Cowan University – “Enhanced Security for Preventing Man-in-the-Middle Attacks in Authentication, Data Entry and Transaction Verification” (http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1057&context=ism)

Sood, Enbody, Michigan State University – “The Art of Cyber Bank Robbery” (http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Sood.pdf)

T. Siebert – “Advanced Techniques in Modern Banking Trojans” (https://www.botconf.eu/wp-content/uploads/2013/12/02-BankingTrojans-ThomasSiebert.pdf)

R. Hansen, SecTheory – “Clickjacking” (http://www.sectheory.com/clickjacking.htm)

T. Hunt – “Clickjack attack - the hidden threat right in front of you” (http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html)

J. Grossman – “Clickjacking: Web pages can see and hear you” (http://jeremiahgrossman.blogspot.com.au/2008/10/clickjacking-web-pages-can-see-and-hear.html)

L. Huang, A. Moshchuk, H. J. Wang, S. Schechter, C. Jackson – “Clickjacking: Attacks and Defences” (https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf)

S. Johnson – “Social engineering attacks: Is security focused on the wrong problem?” (http://searchsecurity.techtarget.com/feature/Social-engineering-attacks-Is-security-focused-on-the-wrong-problem)

G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson – “Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites” (http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf)



PC Tools – “The Boy-in-the-Browser is more than Just Mischievous” (http://www.pctools.com/security-news/bitb-trojan/)

Imperva – “Boy in the Browser” (http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser)

B. Prince – “Boy-in-the-Browser Attacks Come Out and Play” (http://www.eweek.com/security-watch/boy-in-the-browser-attacks-come-out-and-play.html)

InfoSecurity Magazine – “Man in the Browser (MITB) becomes Man in the Mobile (MITMO)” (http://www.infosecurity-magazine.com/news/man-in-the-browser-mitb-becomes-man-in-the-mobile/)

A. Klein – “Tatanga Trojan Bypasses Mobile Security to Steal Money from Online Banking Users in Germany” (http://securityintelligence.com/tatanga-trojan-bypasses-mobile-security-to-steal-money-from-online-banking-users-in-germany/)

A. Klein – “Man-in-the-Mobile Attacks Single Out Android” (http://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/)

J. Boutin – “Win32/Gataka: a banking Trojan ready to take off?” (http://www.eset.com/int/about/blog/blog/article/win32gataka-a-banking-trojan-ready-to-take-off/)
