Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption. This method is more effective than keylogger software because it will acquire the user's credentials even if they are input using a virtual keyboard, auto-fill, or copy and paste. ["Capturing Online Passwords and Antivirus." Web log post. Business Information Technology Services, 24 July 2013.] It can then sort the information based on its variable names, such as email, account name, and password. Additionally, the form grabber will log the URL and title of the website the data was gathered from. [Graham, James, Richard Howard, and Ryan Olson. Cyber Security Essentials. Auerbach Publications, 2011. Print.]
History
The method was invented in 2003 by the developer of a variant of a trojan horse called Downloader.Barbew, which attempts to download Backdoor.Barbew from the Internet and bring it over to the local system for execution. However, it was not popularized as a well-known type of malware attack until the emergence of the infamous banking trojan Zeus in 2007. Zeus was used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Like Zeus, the Barbew trojan was initially spammed to large numbers of individuals through e-mails masquerading as big-name banking companies. Form grabbing as a method first advanced through iterations of Zeus that allowed the module not only to detect the grabbed form data but also to determine how useful the information taken was. In later versions, the form grabber was also privy to the website where the actual data was submitted, leaving sensitive information more vulnerable than before.
Known occurrences
A trojan known as Tinba (Tiny Banker Trojan), first discovered in 2012, has been built with form grabbing and is able to steal online banking credentials. Another program called Weyland-Yutani BOT was the first software designed to attack the macOS platform and can work on Firefox. The web inject templates in Weyland-Yutani BOT were different from existing ones such as Zeus and SpyEye.
Another known instance is the British Airways breach in September 2018. In the British Airways case, the organization's servers appeared to have been compromised directly, with the attackers modifying one of the JavaScript files (the Modernizr JavaScript library, version 2.6.2) to include a PII/credit card logging script that would grab the payment information and send it to a server controlled by the attacker, hosted on the “om” domain with an SSL certificate issued by the “Comodo” Certificate Authority.
The British Airways mobile application also loads a webpage built with the same CSS and JavaScript components as the main website, including the malicious script installed by Magecart. Thus, payments made using the British Airways mobile app were also affected.
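As an added defensive example (not from the article, nor code from British Airways, Modernizr or Magecart), the following Python helpers compute a Subresource Integrity (SRI) token for a known-good copy of a script and verify a served copy against it; a server-side modification of the kind described above changes the file's bytes, so a browser that enforces the pinned `integrity` attribute refuses to run the altered script. The asset contents and the file name are constructed samples.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed sample: the known-good script as shipped at build time.
GOOD_ASSET = b"window.Modernizr = {version: '2.6.2'};\n"
# Constructed sample: the same script with extra code appended, standing
# in for a server-side modification of the served file.
TAMPERED_ASSET = GOOD_ASSET + b"/* appended on the server */ void 0;\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for content."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag pinned to the known-good content."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check served bytes against an integrity attribute value.

    Follows the browser rule: the attribute may list several tokens,
    the strongest algorithm present decides, and any matching token of
    that strength passes. Unknown algorithms are ignored. An attribute
    with no usable token fails here (stricter than a browser, which
    would load the resource unchecked).
    """
    by_algo = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=lambda a: int(a[3:]))
    actual = sri_hash(content, strongest).partition("-")[2]
    return actual in by_algo[strongest]


if __name__ == "__main__":
    tag = script_tag("/static/modernizr-2.6.2.js", GOOD_ASSET)
    pinned = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print("known-good copy accepted:", verify_sri(GOOD_ASSET, pinned))
    print("modified copy accepted:  ", verify_sri(TAMPERED_ASSET, pinned))
```

The pinned token must be generated from the build artifact and placed in the HTML that references the script; it does nothing if the attacker can also edit the page that carries the attribute.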
Countermeasures
Due to the recent increase in keylogging and form grabbing, antivirus companies are adding additional protection to counter the efforts of keyloggers and prevent the collection of passwords. These efforts have taken different forms, varying between antivirus companies, such as Safepay, password managers, and others.
To further counter form grabbing, users' privileges can be limited, which would prevent them from installing Browser Helper Objects (BHOs) and other form grabbing software. Administrators should add a list of malicious servers to their firewalls.
New countermeasures, such as using out-of-band communication to circumvent form grabbers and man-in-the-browser attacks, are also emerging; examples include FormL3SS. Those that circumvent the threat use a different communication channel to send the sensitive data to the trusted server. Thus, no information is entered on the compromised device. Alternative initiatives such as Fidelius use added hardware to protect the input/output of the compromised or believed-compromised device.
See also
* Keystroke logging
* Malware
* Trojan horse
* Web security exploits
* Computer insecurity
* Internet privacy
* Tiny Banker Trojan