Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet

threat A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...

related to man-in-the-middle (MITM), is a proxy

Trojan horse The Trojan Horse was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer's ''Iliad'', with the poem ending before the war is concluded, ...

that infects a

web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used o ...

by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as

SSL SSL may refer to: Entertainment * RoboCup Small Size League, robotics football competition * ''Sesame Street Live'', a touring version of the children's television show * StarCraft II StarLeague, a Korean league in the video game Natural language ...

/ PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although

SMS Short Message/Messaging Service, commonly abbreviated as SMS, is a text messaging service component of most telephone, Internet and mobile device systems. It uses standardized communication protocols that let mobile devices exchange short text ...

verification can be defeated by man-in-the-mobile (MitMo)

malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depr ...

infection on the

mobile phone A mobile phone, cellular phone, cell phone, cellphone, handphone, hand phone or pocket phone, sometimes shortened to simply mobile, cell, or just phone, is a portable telephone that can make and receive calls over a radio frequency link whi ...

. Trojans may be detected and removed by antivirus software; this approach scored a 23% success rate against

Zeus Zeus or , , ; grc, Δῐός, ''Diós'', label= genitive Boeotian Aeolic and Laconian grc-dor, Δεύς, Deús ; grc, Δέος, ''Déos'', label= genitive el, Δίας, ''Días'' () is the sky and thunder god in ancient Greek relig ...

in 2009 and still low rates in a 2011 report. The 2011 report concluded that additional measures on top of antivirus software were needed. A related, simpler attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a survey considered MitB to be the greatest threat to

online banking Online banking, also known as internet banking, web banking or home banking, is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial ins ...

Description

The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds". The name "man-in-the-browser" was coined by Philipp Gühring on 27 January 2007. A MitB Trojan works by using common facilities provided to enhance browser capabilities such as

Browser Helper Object A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most ...

s (a feature limited to

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft which was used in the Windows line of operating systems (in ...

browser extension A browser extension is a small software module for customizing a web browser. Browsers typically allow a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web ...

s and user scripts (for example in

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of websites use JavaScript on the client side for webpage behavior, of ...

Antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name. ...

can detect some of these methods. In a nutshell example exchange between user and host, such as an Internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.

Examples

Examples of MitB threats on different

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ef ...

s and

Protection

Antivirus Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the nam ...

Known Trojans may be detected, blocked, and removed by antivirus software. In a 2009 study, the effectiveness of antivirus against Zeus was 23%, and again low success rates were reported in a separate test in 2011. The 2011 report concluded that additional measures on top of antivirus were needed.

Hardened software

* Browser security software: MitB attacks may be blocked by in-browser security software such as Cymatic.io,

Trusteer Trusteer is a Boston-based computer security division of IBM, responsible for a suite of security software. Founded by Mickey Boodaei and Rakesh K. Loonkar, in Israel in 2006, Trusteer was acquired in September 2013 by IBM for $1 billion. Trust ...

Rapport for

Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ...

and

Mac OS X macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lap ...

, which blocks the APIs from browser extensions and controls communication. * Alternative software: Reducing or eliminating the risk of malware infection by using portable applications or using alternatives to

Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, whi ...

, or mobile OSes Android, iOS,

ChromeOS ChromeOS, sometimes stylized as chromeOS and formerly styled as Chrome OS, is a Linux-based operating system designed by Google. It is derived from the open-source ChromiumOS and uses the Google Chrome web browser as its principal user interfa ...

Windows Mobile Windows Mobile is a discontinued family of mobile operating systems developed by Microsoft for smartphones and personal digital assistants. Its origin dated back to Windows CE in 1996, though Windows Mobile itself first appeared in 2000 as Pock ...

Symbian Symbian is a discontinued mobile operating system (OS) and computing platform designed for smartphones. It was originally developed as a proprietary software OS for personal digital assistants in 1998 by the Symbian Ltd. consortium. Symbian OS ...

, etc., and/or browsers Chrome or

Opera Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a libr ...

. Further protection can be achieved by running this alternative OS, like Linux, from a non-installed

live CD A live CD (also live DVD, live disc, or live operating system) is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading f ...

, or

Live USB A live USB is a portable USB-attached external data storage device containing a full operating system that can be booted from. The term is reminiscent of USB flash drives but may encompass an external hard disk drive or solid-state drive, ...

. * Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution. In this case, MitB attacks are avoided, as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine.

Out-of-band transaction verification

A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example, an automated telephone call,

, or a dedicated

mobile app A mobile application or app is a computer program or software application designed to run on a mobile device such as a phone, tablet, or watch. Mobile applications often stand in contrast to desktop applications which are designed to run on d ...

with graphical cryptogram. OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g.

landline A landline (land line, land-line, main line, home phone, fixed-line, and wireline) is a telephone connection that uses metal wires or optical fiber telephone line for transmission, as distinguished from a mobile cellular network, which us ...

, etc.) and requires no additional hardware devices, yet enables three-factor authentication (using voice

biometrics Biometrics are body measurements and calculations related to human characteristics. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used to identify i ...

), transaction signing (to non-repudiation level), and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps.

Man-in-the-Mobile

Mobile phone A mobile phone, cellular phone, cell phone, cellphone, handphone, hand phone or pocket phone, sometimes shortened to simply mobile, cell, or just phone, is a portable telephone that can make and receive calls over a radio frequency link whi ...

mobile Trojan spyware man-in-the-mobile (MitMo) can defeat OOB SMS transaction verification. * ZitMo (Zeus-In-The-Mobile) is not a MitB Trojan itself (although it performs a similar proxy function on the incoming SMSes), but is mobile

suggested for installation on a mobile phone by a Zeus-infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on

, Android,

, and

BlackBerry The blackberry is an edible fruit produced by many species in the genus ''Rubus'' in the family Rosaceae, hybrids among these species within the subgenus ''Rubus'', and hybrids between the subgenera ''Rubus'' and ''Idaeobatus''. The taxonomy ...

. ZitMo may be detected by Antivirus running on the mobile device. * SpitMo (SpyEye-In-The-Mobile, SPITMO) is similar to ZitMo.

Web fraud detection

Web Fraud Detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions.

Related attacks

Proxy trojans

Keyloggers are the most primitive form of proxy trojans, followed by browser-session recorders that capture more data, and lastly MitBs are the most sophisticated type.

Man-in-the-middle

SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offers no protection in a man-in-the-browser attack.

Boy-in-the-browser

A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.

Clickjacking

Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage.

DDoS over Wi-Fi and related exploits

Some phones and tablets in current use have a known vulnerability to DDoS over Wi-Fi, and this has been documented on certain Android phones. The vulnerability is that if an attacker detects that someone is using sharing, it is possible to target the phone or tablet directly using a packet collision similar to the one found on LAN networks requiring guessing the device sharing password using a rainbow table and cloning the SSID, thus forcing a reboot after enough data has built up in RAM causing a buffer overflow. During this narrow window, malicious software can be used to install a rootkit or other malware over the diagnostics OTA channel before the antivirus has a chance to load in a similar way to how sideloading over USB works. It appears that there is no defense at present other than not using sharing or changing the password after a short random interval, e.g. WPA2-TKIP, which not all devices support. WPA3-OTP may be a solution if a sufficiently large memory at both ends is used, e.g. 400 GB.

References

External links

Virus attack on HSBC Transactions with OTP Device

Virus attack on ICICI Bank Transactions

Virus attack on Citibank Transactions

Hackers outwit online banking identity security systems
BBC Click
Antisource - ZeuS
A summary of ZeuS as a Trojan and Botnet, plus vector of attacks * Entrust President and CEO Bill Conner * The Zeus toolkit, Symantec Security Response
How safe is online banking? Audio
BBC Click * Imperva {{Web browsers Computing culture Computing terminology Hacking (computer security) Social engineering (computer security) Trojan horses Web security exploits