I've read that attackers have updated man-in-the-browser (MitB) attacks so that they can parse logs for information as opposed to receiving unparsed logs at a command & control server. What does this development mean in practical terms? Does it make the attacks more difficult to detect? How should organizations update man-in-the-browser attack prevention strategies to defend against this new style of attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The updated man-in-the-browser (MitB) attacks, referred to as universal man in the browser (uMitB) by Trusteer, allow an attacker to capture any data entered into a Web browser. The new functionality operates much like a general keystroke logger and provides similar data for keystrokes entered into a Web browser.
Once all the keystrokes are captured and processed, the useful data is identified to send back to the attacker, including Social Security numbers, credit card numbers and other identification numbers. Any information about the websites where the data was entered could also be collected, allowing an attacker to gather more data that could be analyzed to identify additional websites that could be targeted with the captured credentials or access.
If an attacker is able to compromise the security of a Web browser to install MitB malware, the attacker will most likely be able to completely compromise the security of the endpoint and install a keylogger. Web browsers with sandboxing capabilities or other protections might prevent a complete compromise, which would make the new MitB attack functionality necessary to capture data on the local system. The MitB attack might be more difficult to detect, but they still most likely need to write to the local file system before injecting the malware into a running process or Web browser. Anti-malware software can look for executables injecting code into unexpected binaries.
As Trusteer states, the best way to protect an enterprise from these new attacks is to protect the endpoint from malware. That's obviously an increasingly difficult task these days, but the best general approach is to implement a defense-in-depth strategy for malware defense.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
IBM banned removable storage devices to encourage employees to use the company's internal file-sharing system. Learn how a ban like this can improve ... Continue Reading
After a comeback of the Russian-built VPNFilter botnet, home network devices are at risk. Learn how this malware targets victims with expert Nick ... Continue Reading
The TrickBot banking Trojan joined forces with IcedID to form a dual threat that targets victims for money. Discover how this union occurred and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.