What is it?

A man-in-the-browser (MitB) attack occurs when a user’s web browser is compromised by malware, usually a Trojan that installs a malicious browser extension or, in Internet Explorer, a Browser Helper Object (BHO). A common infection path is a user downloading an extension from a developer’s own website instead of the browser’s official repository, where extensions are vetted and expected to be malware-free. BHOs apply only to Microsoft’s default browser, Internet Explorer; other browsers are attacked through their own extension mechanisms. It is a sophisticated and expensive form of cyber-crime, and because the malware runs inside the browser itself it is hard to prevent and to protect against. The main use of man-in-the-browser attacks by cyber-criminals is financial fraud.

Our experts explain

Similarly to a man-in-the-middle attack, the malware that enables a man-in-the-browser attack intercepts all communication between the user’s browser and the destination web server, and changes the messages or the user’s web transactions as they occur, in real time. The difference is where the interception happens: inside the browser, after the page has been rendered to the user and before the request leaves the browser. Here is a summary of how a man-in-the-browser attack works:

  • The user visits his or her banking website and navigates to the account transfer page
  • The fraudulent browser extension (or BHO) intercepts every request and response exchanged with the website
  • When the fraudulent extension sees the transfer page, it registers an event handler on the submit button
  • When the user submits the transfer, the extension reads the form fields (source account, destination account and amount) and replaces the destination account and amount with the attacker’s values
  • The fraudulent extension sends the corrupted form to the server
  • When the server returns a confirmation page for the user to approve, the fraudulent extension rewrites it so that it shows the user’s original values instead of the corrupted ones
  • The user approves the confirmation; the fraudulent extension swaps the fraudulent values back into the approval before it is sent
  • The server processes the money transfer with the corrupted data

This process results in the victim unknowingly authorising a money transfer to the attacker’s designated account.
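The flow above, as an added example that is not part of the original article: a constructed in-process simulation in which the bank, the malicious extension and the user are all plain JavaScript objects. The account numbers, the "multiply the amount by ten" rule and the function names are all invented for the illustration; the point it shows is that the server executes exactly what it received and approved, while the user only ever sees their own values.

```javascript
// Constructed simulation of the man-in-the-browser form swap. Nothing here is
// real banking code; accounts and amounts are invented.

const MULE_ACCOUNT = 'GB00MULE00000000000001'; // hypothetical attacker-controlled account

// The bank's transfer API as the browser sees it. It executes what it received
// and what was approved; it cannot know what the user actually typed.
function createBank() {
  const executed = [];
  let pending = null;
  return {
    executed,
    // Step 5: store the submitted form and echo it back on a confirmation page.
    submitTransfer(form) {
      pending = { ...form };
      return { confirm: { ...form } };
    },
    // Step 8: execute the pending transfer once the approval arrives.
    approve() {
      if (pending) executed.push(pending);
      pending = null;
    },
  };
}

// The malicious extension wraps the bank API in both directions (steps 2-7).
function installMaliciousExtension(bank) {
  let original = null;
  return {
    submitTransfer(form) {
      original = { ...form };                   // remember what the user typed
      const corrupted = { ...form, destination: MULE_ACCOUNT, amount: form.amount * 10 };
      bank.submitTransfer(corrupted);           // the server receives the attacker's values
      return { confirm: { ...original } };      // the user sees their own values
    },
    approve() {
      bank.approve();                           // forward the click; the server already holds corrupted data
    },
  };
}

// The user fills in the form and approves only if the confirmation page shows
// exactly what they entered.
function userTransfers(api, form) {
  const page = api.submitTransfer(form);
  const looksRight =
    page.confirm.destination === form.destination && page.confirm.amount === form.amount;
  if (looksRight) api.approve();
  return looksRight;
}

// Run the scenario on a clean browser (infected = false) or an infected one.
function runScenario(infected) {
  const bank = createBank();
  const api = infected ? installMaliciousExtension(bank) : bank;
  const intended = {
    source: 'GB00USER00000000000001',
    destination: 'GB00SHOP00000000000001',
    amount: 100,
  };
  const userWasSatisfied = userTransfers(api, intended);
  return { userWasSatisfied, executed: bank.executed[0], intended };
}

const cleanRun = runScenario(false);
const infectedRun = runScenario(true);
console.log('clean browser executed:', cleanRun.executed);
console.log('infected browser executed:', infectedRun.executed,
  '- while the user approved what looked like', infectedRun.intended);
```

In the infected run `userWasSatisfied` is true and the executed transfer goes to `MULE_ACCOUNT` for ten times the amount: the confirmation page the user checked was rewritten by the extension, so the check passed and the approval was forwarded unchanged.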

Since all the data displayed to the victim has been swapped by the fraudulent extension, it is very difficult for the victim to prove that the executed transaction is not the one he or she approved: from the bank’s point of view the request was correctly formed, sent over a valid session and explicitly confirmed. A further problem is that the tampering happens inside the browser before SSL/TLS encryption is applied, so transport encryption offers no protection against it; the server receives a perfectly valid encrypted request containing the attacker’s values.

Three main methods to avoid man-in-the-browser attacks:

  • Providing a more secure client to consumers

A secure client could be a web browser compiled into a single binary that does not allow extensions to be added, or a dedicated client that only talks to the bank over HTTPS and is used solely for banking transactions. The downside of this method is that it may not be practical for banks with a large user base, because users will also access the banking website from other, less secure platforms. It also only reduces the extension attack surface: malware that has already compromised the operating system can still hook into the secure client’s process.

  • Two Factor Authentication (2FA)

When using 2FA in this way, the user is sent a message on a separate channel whenever a transfer is to be authorised. This message can be sent via SMS, email or, more recently, a dedicated banking mobile application, and the user has to enter the code it contains to authorise the transaction. The essential part is that the message contains the details of the transaction as the server received them (destination account and amount), so the user can spot any discrepancy before approving. A one-time code that is not bound to the transaction details gives no protection here, because the malware simply waits for the user to type the code in and forwards it along with the altered transfer. The second channel must also not be the same compromised device, or the malware can read the message and suppress it.

  • Consumer Education

Last, but not least, users must be educated about the cyber-threats that are out there and must learn to recognise the symptoms of an infected computer, such as unexpected browser extensions, unfamiliar prompts on the banking website or confirmation messages that do not match what they entered. It is vital for users to understand that they have an important role in maintaining the security of their own machine and should not rely solely on other organisations (such as their bank) for it: individuals must be part of the team in order to block man-in-the-browser attacks.