The Man-in-the-Browser Attack: Why No One is Safe When Banking Online

When was the last time you heard about a bank robbery? I don’t mean some drug addict needing some quick money and pretending to have a gun. I mean a well-planned bank robbery with masks, guns, and getaway cars. My guess is you haven’t heard of one lately. The reason is that it is now far easier to rob a bank from the comfort of your own home. With the proper tools, you can not only rob a bank, but you can be pretty sure you can get away with it. No more looking over your shoulder to see if the police are after you, no worries about a getaway car getting stopped in traffic, and no worries about getting shot by a security guard. Come to think of it, when was the last time you actually went to the bank to do your banking? If you’re like most people, you’re probably doing all of your banking transactions online. If so, you are simply waiting to be a victim of what is termed ‘The Man-in-the-Browser (MitB)’ attack, and there is very little you can do about it. Welcome to the modern age of bank robbery.

Under the control of an MitB attack, the victim will see nothing that is suspicious. They may go to their banking site, perform a transaction, and get the normal message from the site confirming that the transaction has been performed. Even if the bank has two-factor authentication, the attacker will have no problem circumventing it. Only later, when the victim checks their balance, will they find that they have far less money than they thought they had. By then, the attacker may have removed any evidence that they were ever hiding in the browser. They are untraceable.

So how does this attack start in the first place? The answer is, much the same as most attacks. The victim is persuaded to click on some link or file which installs malware, or the victim visits an infected web site which does the same. The Man-in-the-Browser attack is similar to a Man-in-the-Middle (MitM) attack but different in one very significant way. The MitM attack intercepts communications between the victim and a third party, thereby capturing passwords and other important information without the victim realizing it. Sensitive information is channeled through the attacker’s computer and analyzed before being sent on its way to the site it was originally intended for. With an MitB attack, on the other hand, the attacker is actually ‘in’ the browser. The attacker can go wherever the victim goes. The diagram below from the SANS Institute report on MitB attacks may help to clarify the difference.

[Diagram: Man-in-the-Middle versus Man-in-the-Browser, from the SANS Institute report]

Notice that the attacker in an MitB attack has the power to alter information at the destination site, something an MitM attacker cannot do.

Here is how a typical attack can occur. Let’s say you log onto your banking site to pay your phone bill. You perform the transaction in the normal way and get the usual report that the transaction has been executed. On the surface, it’s business as usual. However, the attacker has simply siphoned your input into another file so that they can use it to make your transaction confirmation look legitimate. They are, at the same time, probably transferring money into their own account. To the bank, the transaction seems to be coming from your legitimate computer, because it is. The bank has no reason to suspect that this isn’t your real transaction. If they do some two-factor authentication, like confirming the transaction with an SMS, this, too, can be circumvented by the attacker. Once inside your bank account, they may be able to find and alter the information necessary for two-factor authentication. They may have the bank send the SMS to their own phone, for example, while sending a fake, but realistic looking, SMS to the victim. Worst of all, the attacker may be able to manipulate the victim’s account information page to keep the balance looking realistic and the victim unsuspecting. Basically, it’s your worst nightmare.
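As an added illustration, not code from the original post or from any product it mentions, the following Python simulation replays the scenario above and contrasts an ordinary one-time code with one bound to the transaction details. It assumes the code is produced on a separate device the browser malware cannot reach, which shows the user the amount and destination before computing the code; the secret, account identifiers and timestamp are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real bank provisions a per-user secret to the token device.
USER_SECRET = b"constructed-demo-secret-0001"
TIME_STEP = 30


def _hotp(secret: bytes, counter: int, extra: bytes = b"") -> str:
    """RFC 4226-style 6-digit code over a counter, optionally mixed with extra data."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def plain_code(secret: bytes, now: int) -> str:
    """Ordinary time-based OTP: proves possession of the token, says nothing about the transaction."""
    return _hotp(secret, now // TIME_STEP)


def bound_code(secret: bytes, now: int, amount: str, dest: str) -> str:
    """OTP bound to the transaction details the user actually sees on the separate device."""
    return _hotp(secret, now // TIME_STEP, f"{amount}|{dest}".encode())


def bank_verifies(secret: bytes, now: int, amount: str, dest: str, code: str, bound: bool) -> bool:
    """The bank recomputes the expected code from the request it received and compares."""
    expected = bound_code(secret, now, amount, dest) if bound else plain_code(secret, now)
    return hmac.compare_digest(expected, code)


def simulate_mitb(bound: bool, now: int = 1_700_000_000) -> bool:
    """Return True if the bank accepts the transfer as rewritten by the browser malware."""
    intended = ("50.00", "PHONE-CO-0001")      # what the victim types and sees (constructed)
    altered = ("4900.00", "MULE-ACCT-9999")     # what the MitB substitutes before submission (constructed)
    # The token device computes the code from the details the victim confirms on it.
    code = bound_code(USER_SECRET, now, *intended) if bound else plain_code(USER_SECRET, now)
    # The bank only ever sees the altered request, arriving from the victim's real machine.
    return bank_verifies(USER_SECRET, now, *altered, code, bound)
```

The bound code only helps if the user actually checks the details shown on the second device; if the malware also reroutes that channel, as the post describes for SMS, the attacker receives a code computed over their own details and the protection is lost.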

Now, you may think that normal antivirus programs should be able to detect this malware. But, without going into technical details, the MitB attack compromises the browser through extensions (add-ons, browser helper objects (BHO), etc.). Such alterations are possible because the browser runs with broad privileges, and changes to it are not usually treated as suspicious. The malware can also alter registry settings to short-circuit antivirus detection and make the browser component install at startup. In addition, the malware can be programmed to run only when certain sites, such as banking sites, are visited. The malware in the browser can remain hidden or encrypted, and any cookies or other identification can be wiped clean after it has accomplished its goal. It can also update itself and evolve from time to time to make its detection even more problematic.

The most famous, or infamous, member of the MitB malware family is Zeus. It continues to successfully compromise individuals on a daily basis. However, recently, researchers have seen several new variants of Zeus causing problems. One, called Shylock, seems to be even better at hiding itself than Zeus. The appearance of these new variants might help explain why, according to the Identity Theft Report website, financial and credit attacks have increased more than attacks on any other sector this year – up 52.5% over last year. This despite the fact that the UK’s National Crime Agency (NCA) and the FBI teamed up to take down both Zeus and Shylock command and control (C&C) servers last year.

So what, if anything, can you do to prevent yourself from becoming a victim of a Man-in-the-Browser attack? According to the SANS Institute report, “there is no clear method in which to prevent MITB attacks beyond in-depth monitoring and prevention on the endpoint.” You could block all add-ons in your browser, but that may not be practical for most people. Oddly, Windows 10, with its Edge browser, does not, at least at this time, permit add-ons for security reasons. That can be either good or bad depending on how you use your browser. Some banks are offering free anti-MitB software, but this vector could be used by attackers to trick users, via phishing emails, into installing MitB malware. In the worst case scenario, you could simply use your actual bank and forget about online banking entirely, although that does seem a bit drastic.

Unfortunately, that’s not the end of the bad news. The very effectiveness of MitB malware means that it could be used to steal just about anything that the attacker wants. Not only can they circumvent two-factor authentication, the attacker can also circumvent any security that companies or institutions use to protect their networks. So far, the MitB attacker’s focus has been on financial gain, but there is no reason why nation state attackers, for example, couldn’t ride a user’s browser right into the heart of a company’s network and take whatever information they might need and never even be detected. In fact, some security experts expect that Man-in-the-Browser attacks will evolve for this very purpose and will markedly increase in the future.


WorkPlay Technology’s solution for Man-in-the-Browser Attacks: A company is usually not able to control what happens in an employee’s browser. Employees may and will become victims of MitB attacks and, when they visit the corporate network, expose sensitive company data and information to attack by criminals, competitors, or nation-states. WorkPlay Technology divides any device (smartphone, tablet, or computer) into two virtual devices, each with its own operating system. In other words, nothing that happens on the ‘play’ or personal side of the device can cross the hardware barrier to deploy its evil on the ‘work’ side. Man-in-the-Browser malware is short-circuited at the barrier and your company data is kept safe.

3 thoughts on “The Man-in-the-Browser Attack: Why No One is Safe When Banking Online”

  1. I wonder how this sits in relation to current UAM technology, in that the malicious browser actions might not be visible as monitor-able user activity. Do we need to monitor browser APIs (DOM and the ones used by add-ons and plugins)? Do we need browsers with API logging of some sort?


  2. I’m sorry, but this is an irresponsible and misleading article aimed at instilling FUD to sell a product. By leaving out important information you are not giving the whole story. Important information such as explaining that two factor authentication using SMS is not the most secure method of 2FA. This is because there are multiple methods of spoofing an SMS, especially if an attacker is successful in compromising your phone (which is certainly a possibility if you have Android). But using an authenticator App such as Google Authenticator or Symantec VIP, or others that are time and algorithm based, it will be much more difficult to compromise your important financial data. Of course these technologies need to be employed by your financial institutions. Secondly, many people now use a native Smart Phone App to access their banking and this therefore reduces the use of browser technology as a means of accessing banking information.
    Whilst the situation is still not great, I don’t support the use of sensational language to instill fear with an aim of financial gain. Education is a much better approach.


    1. I was not sure whether to allow this comment or not as it could have been an indirect way to sell some product or service. It happens a lot on blogs but that’s just part of marketing, I suppose. The purpose of the article was not to give a detailed account of two-factor authentication but only how it could be circumvented through man-in-the-browser attacks. Maybe I can focus on various types of two-factor authentication in a future post. However, I would be suspicious of anyone who said a specific type of two-factor authentication was foolproof. After all, even Google Authenticator has been hacked.

      I was amused by your comment that it is unnecessary to “instill fear”. As anyone in security knows, you can’t be paranoid enough. I’m sure you rely on the fears of your customers because if everyone felt safe they would use no security at all. I do promote the use of WorkPlay Technology because I sincerely believe it is the best hardware-based security available. Why should someone be surprised that a blog connected to a company would not support that company?

