
What Is a Man-in-the-Browser (MITB) Attack?

"The only person who is going to give security and the life you want is YOU" Robert KIYOSAKI

In today's world almost everyone uses the Internet, and to access it they must use a browser. Cybercriminals exploit that dependence by attacking the browser's weaknesses, and one such method is the "Man in the browser attack".

A man-in-the-browser (MitB) attack lets a malicious application alter the configuration and content of web pages, manipulate data in HTTP connections, or steal sensitive data entered into the browser, all without the user or the online service noticing anything unusual. This malicious application is typically a Trojan. By embedding itself in the user's browser, the Trojan can be configured to activate when the user visits specified sites, such as online banking sites. Once triggered, a man-in-the-browser trojan can capture and modify, in real time, any information the user enters online.

The phrase "the Middle" has a fairly broad meaning in network security. Here it refers to the family of Man in the Middle (MitM) attacks, in which an unauthorized party inserts itself into the flow of communication between two or more parties without their knowledge. The Man in the Browser (MitB) attack is a sub-type of MitM: it works like a MitM attack, except that it affects only your web browser rather than the entire system.

Augusto Paes de Barros first presented the attack in 2005 in a discussion of emerging backdoor techniques. Philipp Guhring later coined the phrase "man-in-the-browser attack" and published a more detailed description of the attack and its potential countermeasures. Malware with man-in-the-browser capabilities remains a serious threat to many internet businesses today; online financial and banking services, for example, are among the most frequent targets of man-in-the-browser attacks.

How Does a Man in the Browser Attack Work?

To carry out a MitB attack, the target computer must first be infected with malware, most commonly a Trojan horse. A trojan can reach a victim's system in several ways, such as a visit to a malicious site, downloading and running malicious software, opening a malicious email attachment, or plugging a malware-laden USB drive into the computer.

After being infected with the trojan, a common MitB attack usually proceeds as follows:

  1. The infection installs itself as a malicious browser extension and lives inside the browser.

  2. The malware keeps a list of URLs to match, and when the user visits one of them, the man-in-the-browser functionality kicks in.

  3. The malicious application waits until the user signs in and performs a transaction, such as transferring funds from a bank account.

  4. The malware intercepts the request and edits the data before it is sent to the server, for example by changing the recipient's bank account number through the browser's DOM (Document Object Model) interface.

  5. The man-in-the-browser infection then lets the browser continue sending the data to the server, now with the values the user entered replaced by the attacker's.

  6. The browser delivers the forged HTTP request to the server. The server has no way of distinguishing a forged request from a genuine one, so it approves the request, believing it reflects the user's true intent.

  7. The MitB malware modifies the data on the returned page so that it matches the transaction the user intended. Everything appears to be in order, and the user confirms the transaction. At this point, even if two-factor authentication (2FA) is enabled, nothing in the confirmation receipt gives the user reason to suspect anything.

Figure 1. How a Man in the Browser Attack Works

The general capabilities of the Man-in-the-Browser (MitB) attack can be divided into four groups.

  • Stealing data: MitB's control of the browser allows it to capture information both passively, through keylogging, and actively, through phishing. Any information typed into the infected browser is potentially exposed to the attacker, who can choose which data to steal.

  • Modifying HTML: This is known as HTML injection because it allows an attacker to change the content of a web page before the browser renders it. It is typically used in one of two ways: first, to add extra data entry fields that ask the user for sensitive information beyond what the website would ordinarily request, and second, to change server responses.

  • Modifying outgoing data: Just as it can tamper with the HTML displayed to the user, MitB's reach allows it to interfere with the form data the user submits to a server. This enables a variety of fraudulent acts (typically in the context of online banking), with the added benefit for the attacker that the request comes from a genuine user of the web service and is mostly written by that user.

  • Specificity of target: All of this is only useful if the MitB Trojan can work out what data it needs to tamper with or steal in the first place. The browser-monitoring component of each MitB variant has access to a list of objects of interest. Attacks are chosen based on their significance, and this targeting lets the fraud be adapted to the needs of each domain. HTML injection, for instance, is useless without knowing what to inject and where.

Where Are MitB Attacks Most Commonly Used?

Man-in-the-browser attacks generally target websites where users carry out some kind of transaction. Financial websites such as those of banks, insurers, credit card and mortgage companies are among the most attacked targets. Other commonly targeted areas are websites that charge a fee for membership or subscriptions, websites that let people pay bills (gas, electricity, internet), social media websites, and eCommerce websites.

These attacks are not used only to manipulate money transfers; man-in-the-browser attacks are also used to steal information. In this case, the attacker takes the information from the legitimate website's forms or login pages. Inquiry forms and contact forms are both examples. Needless to say, the attacker immediately has all of the information the user entered into such forms.

What are the Consequences of Man in the Browser Attack?

You should know that once the trojan the attacker planted is running in your browser, every action you take on your computer, the information on every web page you visit, and all the data you have can be shared with the attacker at the same time. MITB attacks are a worldwide threat, not limited to a single location or territory. The banking and financial industries, as well as national institutions, are the primary targets. The top antivirus companies have studied browser attacks and found that the great majority of them were malware infections aimed at stealing money through online bank account access.

Another consequence of a MitB attack stems from social engineering. After the MitB malware has examined a user's data, including a great deal of private information, for a long time, cybercriminals are likely to have gathered what they need to impersonate the victim. An attacker can use this extremely sensitive information to obtain credit (a process known as identity theft) or sell the identity on the black market for monetary gain.

Is the Man in the Browser a Trojan?

The man-in-the-browser (MITB) attack makes use of a Trojan Horse (or simply a Trojan). A Trojan is malicious software that is installed in some way, generally using different social engineering techniques, and stays hidden on the user's computer, usually undetected by regular virus detection.

A proxy trojan or a password-pinching trojan is another name for Man in the Browser. It combines phishing techniques with trojan horse technology placed into a client's browser to modify, collect, and/or inject extra information on websites without the knowledge of the customer or the host. An attacker can use a browser extension, a user script, or a Browser Helper Object (BHO) to inject such a trojan horse into a user's web browser. The MitB trojan can take control of the browser by adding extra columns or fields, changing the layout of the page, altering server replies such as verification messages, and intercepting user data.

What Trojans Are Used for Man-in-the-Browser Attacks?

Many dangerous trojans are still circulating undetected. Here are some of the most well-known trojans used for MitB attacks:

  • Zeus: Zeus is a widely used trojan employed in man-in-the-browser attacks to log keystrokes and grab form data. It is delivered to the user's device through phishing emails or malicious software downloads. It is notorious for having been used in MitB attacks during the hacking of many large companies, and is one of the most dangerous trojans used in attacks on big companies such as Amazon, NASA, Cisco, and Bank of America.

  • OddJob: This malware is designed to carry out man-in-the-browser attacks on banking websites. It installs itself in Firefox or Internet Explorer and is triggered when the user visits a financial website. It keeps the banking session alive even after the user has logged out of their account, which lets an attacker obtain a legitimate user's real-time session ID tokens and carry out financial transactions on their behalf. The most harmful aspect of this trojan is that it does not remain on the device's hard drive, so anti-malware software is unable to identify it. It is controlled by a command-and-control server: a fresh copy of the trojan is installed every time the user accesses the banking site, and it is deleted after the transaction is completed.

  • Torpig: Torpig can scan all data handled by applications on infected PCs, including web browsers, using DLLs injected through hooking to discover and save valuable information such as credentials for online accounts and stored passwords. Because Torpig is primarily concerned with data theft, it does not change outgoing data and therefore has no need to cover its tracks; the only HTML modification it performs is to construct phishing pages.

Other trojans used in man-in-the-browser attacks include URLzone, Tatanga, Carberp, Clampi, SpyEye, SilentBanker, Shylock, and Gozi.

How to Detect a Man-in-the-Browser Attack?

It is difficult to determine whether a computer is infected with a trojan used for man-in-the-browser attacks. The standard antivirus we all rely on will not always help here, although it must still be updated regularly. Beyond that, we should keep an eye on whether the sites we use are asking for information they would not normally request. When you are the victim of a MitB attack there are no new processes to detect and no unusual URLs to investigate; everything looks as usual.

However, there are a few minor symptoms that might raise the red flag. Although these symptoms may not be related to a MitB attack, they are still worth noting:

  • receiving a login notice from a device you are unfamiliar with;
  • your antivirus detecting malware on your computer;
  • being suddenly logged out of your account;
  • noticing that certain web page components are missing or that unexpected ones have appeared.
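The extra or missing form fields described under "Modifying HTML" above, and listed among the symptoms here, are something a site's own front-end code can watch for. The following is an added example written for this article, not code from the original page: it compares the fields a form actually renders against the set the page is known to ship with, and wires that check to a MutationObserver when a DOM is present. The expected field names, the form id `login` and the sample tampered field list are constructed assumptions.

```javascript
// Added example (not from the original article): detect form fields that a
// man-in-the-browser trojan may have injected into, or removed from, a page
// by comparing the controls actually rendered against the set the page is
// known to ship with. The DOM wiring at the bottom only runs in a browser;
// the comparison itself is a pure function so it also runs under Node.

// Hypothetical: the field names a bank's login form legitimately contains.
const EXPECTED_LOGIN_FIELDS = ['username', 'password', 'csrf_token'];

// Compare expected field names with the ones present right now.
// Returns { injected, missing } so the caller can log, alert or refuse to submit.
function diffFormFields(expected, present) {
  const exp = new Set(expected);
  const got = new Set(present);
  return {
    injected: [...got].filter((name) => !exp.has(name)).sort(),
    missing: [...exp].filter((name) => !got.has(name)).sort(),
  };
}

// Collect the names of every input/select/textarea control inside a form.
function fieldNamesOf(form) {
  return Array.from(form.querySelectorAll('input, select, textarea'))
    .map((el) => el.name)
    .filter((name) => name !== '');
}

// Watch a form and call report() whenever the rendered fields drift from
// the expected set (new fields asking for extra data, or fields removed).
function watchForm(form, expected, report) {
  const check = () => {
    const diff = diffFormFields(expected, fieldNamesOf(form));
    if (diff.injected.length > 0 || diff.missing.length > 0) report(diff);
  };
  check();
  const observer = new MutationObserver(check);
  observer.observe(form, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ['name'],
  });
  return observer;
}

// Constructed sample of what a tampered page might render: an extra "pin"
// field asking for data the real form never requests, and the CSRF token gone.
const SAMPLE_RENDERED_FIELDS = ['username', 'password', 'pin'];

function sampleDiff() {
  return diffFormFields(EXPECTED_LOGIN_FIELDS, SAMPLE_RENDERED_FIELDS);
}

if (typeof document !== 'undefined') {
  const form = document.querySelector('form#login'); // hypothetical form id
  if (form) {
    watchForm(form, EXPECTED_LOGIN_FIELDS, (diff) =>
      console.warn('login form drifted from expected fields', diff));
  }
} else {
  console.log(sampleDiff()); // { injected: [ 'pin' ], missing: [ 'csrf_token' ] }
}
```

In a real deployment the report callback would send the drift to the server (for example with navigator.sendBeacon) so that it is logged where the trojan cannot erase it. The check runs inside the very browser the trojan controls, so a trojan can disable or spoof it; treat a reported drift as a detection signal to correlate with server-side data, not as proof that a form showing no drift is clean.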

How to Prevent a Man-in-the-Browser Attack?

MITB attacks are difficult to detect and therefore difficult to protect against. Man-in-the-browser trojans change all the time, but you can protect yourself by staying watchful and using some technical tools. The following methods help prevent MitB attacks:

  • Keep an eye on your browser's add-ons and your task manager at all times. Check the background processes for any you do not recognize, then do a web search to learn more about them.

  • One strategy for reducing the threat is to harden the browser, that is, make it "more" secure. If you use Adobe Flash Player (which is installed by default in most modern browsers), make sure you disable third-party Flash cookies. If Java is not actively used, the next step is to remove it. The hardening procedure varies from browser to browser. The majority of MitB trojans target Adobe Flash and Java.

  • Installing an ad blocker and an antivirus program is also preventive. Some man-in-the-browser trojans can be detected and removed by antivirus software, so scan your devices regularly; certain antivirus products will display a security dialog if something suspicious is being downloaded from the internet. Examples of ad-blocking and browsing-protection tools are Adblock Plus, BitDefender TrafficLight, and Web of Trust.

  • Many MitB trojans can be found in the same places on your computer. Look through the following directories for unfamiliar programs, and if you come across something strange, search for it on the internet and scan it with antivirus software: C:\Program Files, C:\Program Files (x86), C:\Windows\Temp.

  • "Out-of-band authentication" can prevent MitB attacks. In this approach the browser is not used for the two-factor or multi-factor authentication (MFA) step. Instead, the one-time password (OTP) or secret PIN is delivered to the user's mobile phone by SMS or an automated phone call, together with all the other transaction details. The user must, however, be careful to double-check all the information received by SMS or phone call before entering the OTP into the browser.

  • Using a read-only (non-writable) operating system is another way to prevent MitB attacks. Some open-source operating system distributions, such as Knoppix (Linux) and BartPE (Windows), run only from read-only external media. This lets the client boot safely and reboot securely whenever necessary, giving it a very high security level, probably enough to survive all currently known threats. It does have drawbacks: users cannot simply restart their computers as usual, which is a serious usability issue, and for many consumers losing one to three minutes and halting their work entirely will be intolerable.

  • Another method of protection is to install a secure virtual operating system on the user's computer. The advantages of using a virtual machine are its low cost and ease of operation, and it makes carrying out MitB attacks effectively much harder.

  • Be wary of phishing emails. Phishing emails are one of the most common ways man-in-the-browser trojans spread. To make sure an email really comes from the legitimate company's domain, always check the email headers and the sender's address. Only open email attachments after scanning them with a trusted antivirus program. Before you click on a link in an email, hover your cursor over it to see where it leads.

No method is 100 percent effective, but other security measures can reduce the impact of a MitB attack: enable your firewall and keep it up to date, back up your PC regularly, and, best of all, stay away from trojans in the first place.

Can SSL Protect Against MiTB?

An SSL certificate protects data in transit between the browser and the website's server. It relies on public key infrastructure (PKI) to establish the session key and encrypts the session with up to 256-bit encryption. However, the protection an SSL certificate provides is on the network side, whereas man-in-the-browser attacks take place on the application side: the trojan modifies the data in the browser before it ever enters the encrypted SSL/TLS tunnel.

As a result, SSL cannot prevent man-in-the-browser attacks, since the data has already been altered by the time it is handed to the encrypted tunnel.

What Are Some Man in the Browser Attack Examples?

There are several examples of man-in-the-browser malware and attack operations aimed at online banking and other internet services.

  • In 2015, victims were sent URLs to phishing websites that looked like Facebook and YouTube and were asked to install video player extensions containing harmful code, Andrey. Once deployed, browser-based malware replicates itself and spreads through the browser environment, which makes it ideal for malicious web injection.

  • A single malware attack cost a Swedish bank between seven and eight million Swedish krona. The attackers targeted 400 banks using the SilentBanker trojan.

  • A security breach at CardSystems Solutions exposed the account details of 40 million credit cards. At Sumitomo, custom keyloggers gave attackers the IDs and passwords that allowed them to transfer $423 million out of the bank.

  • In 2016, after reportedly spending months inside NASA's internal network, members of the AnonSec hacking group released over 276 GB of data. Drone data and upper-atmosphere chemical samples were not initially a priority for NASA.

What is the Difference Between MITM and MITB?

There are several differences between these two attacks.

  • A MitB attack is comparable to a MitM attack in terms of effectiveness; the MitB attack is merely limited to your web browser rather than the entire system. That does not make it any less dangerous.

  • The Man-in-the-Browser attack is similar to the Man-in-the-Middle attack, except that the interception happens at the application layer, by exploiting browser vulnerabilities. MitM works at the network layer, whereas MitB works at the application layer, which is the browser. This means a MitB attack can succeed regardless of whether the site you are viewing is protected with SSL.

  • Man-in-the-Middle (MITM) attacks use a proxy placed between two systems performing a transaction. Using the proxy, an attacker can trick a victim into entering their credentials into the attacker's site, revealing critical information. Man-in-the-Browser attacks, on the other hand, can spread to several systems at once via phishing links or hijacked legitimate sites: by clicking on a link, trojan software and add-ons can be installed into an unprotected browser.