Request a Demo

What is Man in the Browser Attack (MITB)?

The man-in-the-browser (MITB) attack utilizes a Trojan Horse in a pre-infected device/system to infect the internet browser, and sniff, capture and modify information as it travels between the user interface of the infected browser and the internet.

MITB malware is a Trojan that infects endpoints through malicious email attachments, links, or even when a user visits an infected website. Cyber criminals target victims through social engineering - phishing and targeted spearphishing attacks to attempt infection. These attacks are constantly evolving and are becoming more sophisticated and difficult to detect even by experienced cyber security experts.

Many times these Trojans remain undetected by traditional antivirus programs. Whenever the user of the MITB malware infected system visits a banking website, the Trojan sniffs or modifies the transactions as they are typed in on the Internet browser. This malware can view everything that the end-user sees, and can also do everything that the end-user can do with a browser. Login credentials and other sensitive information are captured directly from the browser memory. However, the browser still displays back what the user actually wants to do. The original URL and SSL protections are retained.

MITB attacks are typically used to target financial (banking) transactions. The malware will be able to do fraudulent money transfers or payments, and the banking application will not be able to detect any fraudulent activity as the correct credentials have been entered.

Additionally, the MITB malware can also inject additional authentic looking fields in the login forms which would convince the targeted victim to share other sensitive information. As the “https://” of the website is retained the victim does not suspect the webpage. A valid HTTPS certificate, which the browser trusts, is hence presented to the victim and the typed in information in unencrypted form is captured.

Through SSL sniffing, cyber criminals sniff the SSL information of the website and use it to inject malicious code or recreate the website.

Man in the Browser Attack

Browser Helper Objects (BHOs)

A BHO or browser helper object is a component of the Internet Explorer Web browser that allows customization and additional functionalities such as adding toolbars to the browser windows.

A BHO is typically a dynamically-loaded library (DLL) module but it may also be dat or exe files.

BHOs have unrestricted access in the Document Object Model (DOM) of the Internet Explorer, and this has allowed cyber attackers to exploit this feature to inject malware.

What does MITB do?

Man-in-the-Browser (MITB) malware can view and steal information as a user types into the browser. It can also directly modify the elements in the user’s browser and also inject content such as new fields without the user knowing about it. This in effect changes the functionality of the webpage. As an example, the MITB malware can inject a field for entry of date of birth, social security number or passport number in the login form. As the original URL and SSL protections are retained, the victim will not suspect the webpage.

The MITB malware can also fool the webpage server by injecting its own JavaScript using the stolen credentials. If the webpage belongs to a banking institution then it could be fooled into allowing it to perform online financial transfers or payments. The bank would think that the legitimate user had initiated the transaction. Some MITB malware is so advanced that even when the user logs into the next time, the fund transfer or debit of money is not displayed.

Protection Against Man in the Browser Attack

MITB malware is quite advanced and hence organizations must implement comprehensive security measures. They must protect their corporate emails as well as all mails accessed on the endpoint with a strong Email security solution. They must get a Web security solution to prevent browser attacks. Further, they must also educate all employees to identify fraudulent mails and attachments.

Difference between MITB Attack and Other Phishing Attacks

Traditional phishing attacks use links or email attachments to get users to a fake website where they input their secure data. However, a MitB attack just catches the data as you input it, so you’re unaware that your data has been stolen. You are using a legitimate site, but your computer or device has been infected. At Comodo, we can help. Contact us today if you’d like to learn more.