I've read that attackers have updated man-in-the-browser (MitB) attacks so that they can parse logs for information as opposed to receiving unparsed logs at a command & control server. What does this development mean in practical terms? Does it make the attacks more difficult to detect? How should organizations update man-in-the-browser attack prevention strategies to defend against this new style of attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The updated man-in-the-browser (MitB) attacks, referred to as universal man in the browser (uMitB) by Trusteer, allow an attacker to capture any data entered into a Web browser. The new functionality operates much like a general keystroke logger and provides similar data for keystrokes entered into a Web browser.
Once all the keystrokes are captured and processed, the useful data is identified to send back to the attacker, including Social Security numbers, credit card numbers and other identification numbers. Any information about the websites where the data was entered could also be collected, allowing an attacker to gather more data that could be analyzed to identify additional websites that could be targeted with the captured credentials or access.
If an attacker is able to compromise the security of a Web browser to install MitB malware, the attacker will most likely be able to completely compromise the security of the endpoint and install a keylogger. Web browsers with sandboxing capabilities or other protections might prevent a complete compromise, which would make the new MitB attack functionality necessary to capture data on the local system. The MitB attack might be more difficult to detect, but they still most likely need to write to the local file system before injecting the malware into a running process or Web browser. Anti-malware software can look for executables injecting code into unexpected binaries.
As Trusteer states, the best way to protect an enterprise from these new attacks is to protect the endpoint from malware. That's obviously an increasingly difficult task these days, but the best general approach is to implement a defense-in-depth strategy for malware defense.
This was first published in April 2013