When was the last time you heard about a bank robbery? I don’t mean some drug addict needing some quick money and pretending to have a gun. I mean a well-planned bank robbery with masks, guns, and getaway cars. My guess is you haven’t heard of one lately. The reason is that it is now far easier to rob a bank from the comfort of your own home. With the proper tools, you can not only rob a bank, but you can be pretty sure you can get away with it. No more looking over your shoulder to see if the police are after you, no worries about a getaway car getting stopped in traffic, and no worries about getting shot by a security guard. Come to think of it, when was the last time you actually went to the bank to do your banking? If you’re like most people, you’re probably doing all of your banking transactions online. If so, you are simply waiting to be a victim of what is termed ‘The Man-in-the-Browser (MitB)’ attack, and there is very little you can do about it. Welcome to the modern age of bank robbery.
Under the control of an MitB attack, the victim will see nothing that is suspicious. They may go to their banking site, perform a transaction, and get the normal message from the site confirming that the transaction has been performed. Even if the bank has two-factor authentication, the attacker will have no problem circumventing it. Only later, when the victim checks their balance, will they find that they have far less money than they thought they had. By then, the attacker may have removed any evidence that they were ever hiding in the browser. They are untraceable.
So how does this attack start in the first place? The answer is, much the same as most attacks. The victim is persuaded to click on some link or file which installs malware, or the victim visits an infected web site which does the same. The Man-in-the-Browser attack is similar to a Man-in-the-Middle (MitM) attack but different in one very significant way. The MitM attack intercepts communications between the victim and a third party, thereby capturing passwords and other important information without the victim realizing it. Sensitive information is channeled through the attacker’s computer and analyzed before being sent on its way to the site it was originally intended for. With an MitB attack, on the other hand, the attacker is actually ‘in’ the browser. The attacker can go wherever the victim goes. The diagram below from the SANS Institute report on MitB attacks may help to clarify the difference.
Notice that the attacker in an MitB attack has the power to alter information at the destination site, something an MitM attacker cannot do.
Here is how a typical attack can occur. Let’s say you log onto your banking site to pay your phone bill. You perform the transaction in the normal way and get the usual report that the transaction has been executed. On the surface, it’s business as usual. However, the attacker has simply siphoned your input into another file so that they can use it to make your transaction confirmation look legitimate. They are, at the same time, probably transferring money into their own account. To the bank, the transaction seems to be coming from your legitimate computer, because it is. The bank has no reason to suspect that this isn’t your real transaction. If they do some two-factor authentication, like confirming the transaction with an SMS, this, too, can be circumvented by the attacker. Once inside your bank account, they may be able to find and alter the information necessary for two-factor authentication. They may have the bank send the SMS to their own phone, for example, while sending a fake, but realistic-looking, SMS to the victim. Worst of all, the attacker may be able to manipulate the victim’s account information page to keep the balance looking realistic and the victim unsuspecting. Basically, it’s your worst nightmare.
Now, you may think that normal antivirus programs should be able to detect this malware. But, without going into technical details, the MitB attack compromises the browser through extensions (add-ons, browser helper objects (BHOs), and the like). Because the browser runs with high privileges and is designed to be extended, changes of this kind are not usually considered suspicious. The malware can also alter registry settings to short-circuit antivirus detection and to make the browser component load at startup. In addition, it can be programmed to activate only when certain sites, such as banking sites, are visited. The code in the browser can remain hidden or encrypted, and any cookies or other identifying traces can be wiped clean once it has accomplished its goal. It can also update itself and evolve from time to time, making detection even more difficult.
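An added defensive example, not code from the original article: a small Python audit that parses a registry export in `.reg` format and flags two of the persistence points described above, Browser Helper Object registrations that are not on an approved list and Run-key startup entries that launch from outside trusted directories. The registry key paths are the real Windows ones; the sample export, the CLSIDs, the file paths and the allowlist are constructed for the example.

```python
# Real Windows registry keys where BHOs and startup programs are registered.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export (not from a real machine); CLSIDs and paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAA0000-0000-0000-0000-000000000001}]
@="Corporate SSO Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBB0000-0000-0000-0000-000000000002}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"upd"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"""

# Hypothetical allowlist of BHO CLSIDs the organisation has approved.
APPROVED_BHOS = {"{AAAA0000-0000-0000-0000-000000000001}"}
# Startup entries are expected to run from one of these locations (case-insensitive).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def audit(text):
    """Return (finding, detail) tuples that deserve a closer look."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.startswith(BHO_KEY + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            if clsid not in APPROVED_BHOS:
                findings.append(("unapproved BHO", clsid))
        elif key == RUN_KEY:
            for name, cmd in values.items():
                path = cmd.replace("\\\\", "\\")  # .reg files double the backslashes
                if not path.lower().startswith(TRUSTED_DIRS):
                    findings.append(("startup entry outside trusted dirs", f"{name}={path}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding, sep=": ")
```

On a real endpoint the input would come from `reg export` of the two keys; an allowlist hit does not prove a BHO is benign, only that it was approved.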
The most famous, or infamous, member of the MitB malware family is Zeus. It continues to successfully compromise individuals on a daily basis. However, recently, researchers have seen several new variants of Zeus causing problems. One, called Shylock, seems to be even better at hiding itself than Zeus. The appearance of these new variants might help explain why, according to the Identity Theft Report website, financial and credit attacks have increased more than attacks on any other sector this year – up 52.5% over last year. This is despite the fact that the UK’s National Crime Agency (NCA) and the FBI teamed up to take down both Zeus and Shylock command and control (C&C) servers last year.
So what, if anything, can you do to prevent yourself from becoming a victim of a Man-in-the-Browser attack? According to the SANS Institute report, “there is no clear method in which to prevent MITB attacks beyond in-depth monitoring and prevention on the endpoint.” You could shut down your browser to any add-ons, but that may not be practical for most people. Oddly, Windows 10, with its Edge browser, does not, at least at this time, permit add-ons for security reasons. That can be either good or bad depending on how you use your browser. Some banks are offering free anti-MitB software, but this vector could be used by attackers to trick users, via phishing emails, into installing MitB malware. In the worst-case scenario, you could simply use your actual bank and forget about online banking entirely, although that does seem a bit drastic.
Unfortunately, that’s not the end of the bad news. The very effectiveness of MitB malware means that it could be used to steal just about anything that the attacker wants. Not only can they circumvent two-factor authentication, the attacker can also circumvent any security that companies or institutions use to protect their networks. So far, the MitB attacker’s focus has been on financial gain, but there is no reason why nation state attackers, for example, couldn’t ride a user’s browser right into the heart of a company’s network and take whatever information they might need and never even be detected. In fact, some security experts expect that Man-in-the-Browser attacks will evolve for this very purpose and will markedly increase in the future.
WorkPlay Technology’s solution for Man-in-the-Browser Attacks: A company is usually not able to control what happens in an employee’s browser. Employees may and will become victims of MitB attacks and, when they connect to the corporate network, expose sensitive company data and information to attack by criminals, competitors, or nation-states. WorkPlay Technology divides any device (smartphone, tablet, or computer) into two virtual devices, each with its own operating system. In other words, nothing that happens on the ‘play’ or personal side of the device can cross the hardware barrier to deploy its evil on the ‘work’ side. Man-in-the-Browser malware is short-circuited at the barrier and your company data is kept safe.