Problem solve Get help with specific problems with your technologies, process and projects.

Analyzing updated man-in-the-browser attack techniques

Do man-in-the-browser attack prevention tactics need to be updated as the attacks themselves take on new characteristics? Expert Nick Lewis discusses.

I've read that attackers have updated man-in-the-browser (MitB) attacks so that they can parse logs for information...

as opposed to receiving unparsed logs at a command & control server. What does this development mean in practical terms? Does it make the attacks more difficult to detect? How should organizations update man-in-the-browser attack prevention strategies to defend against this new style of attack?

Ask the Expert

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

The updated man-in-the-browser (MitB) attacks, referred to as universal man in the browser (uMitB) by Trusteer, allow an attacker to capture any data entered into a Web browser. The new functionality operates much like a general keystroke logger and provides similar data for keystrokes entered into a Web browser.

Once all the keystrokes are captured and processed, the useful data is identified to send back to the attacker, including Social Security numbers, credit card numbers and other identification numbers. Any information about the websites where the data was entered could also be collected, allowing an attacker to gather more data that could be analyzed to identify additional websites that could be targeted with the captured credentials or access.

If an attacker is able to compromise the security of a Web browser to install MitB malware, the attacker will most likely be able to completely compromise the security of the endpoint and install a keylogger. Web browsers with sandboxing capabilities or other protections might prevent a complete compromise, which would make the new MitB attack functionality necessary to capture data on the local system. The MitB attack might be more difficult to detect, but they still most likely need to write to the local file system before injecting the malware into a running process or Web browser. Anti-malware software can look for executables injecting code into unexpected binaries.

As Trusteer states, the best way to protect an enterprise from these new attacks is to protect the endpoint from malware. That's obviously an increasingly difficult task these days, but the best general approach is to implement a defense-in-depth strategy for malware defense.

This was last published in April 2013

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.