Man-in-the-browser attacks
Christofilos Konstantinos (MM4140023), Gerardos Pavlos (MM4140001), Pantazaras Sokratis (MM4140013)
March 13th, 2015
MSc in Information Systems Part Time, 2014-2016
Course: Critical Information and Communication Infrastructure Protection
1 Man-in-the-browser attacks - Christofilos, Gerardos, Pantazaras
Contents
1. Introduction ..... 2
2. From M to B ..... 3
3. Malware distribution overview ..... 4
4. The Man-in-the-browser (MITB) attack ..... 6
4.1 Points of attack ..... 6
4.2 MITB attack step-by-step ..... 9
4.3 Famous MITB malware ..... 10
4.4 What makes MITB attack difficult to defend from ..... 10
4.5 Defending against MITB attacks ..... 11
5. Variants of MITB ..... 14
5.1 Clickjacking ..... 14
5.2 Boy-in-the-browser (BITB) ..... 16
5.3 Man-in-the-Mobile (MITMO) ..... 16
6. Conclusions ..... 18
7. References ..... 19
1. Introduction
The Internet has transformed the global economy and revolutionized the way that people interact, communicate and exchange information and goods.
Users are able to easily and quickly use any kind of personal device (smartphones, tablets, laptops) to access online services, which also provide two-way communication: not only do they update their users, but they also get updated by them (Web 2.0).
One of the most commonly used services globally is Internet banking (e-banking).
As of April 2012, around 423 million people worldwide accessed online banking sites, reaching 28.7 percent of total Internet users [1]. For North America and Europe alone, this percentage was 45% and 37.8% respectively.
[Graph omitted; source: statista.com]
The statistics presented above allow us to understand the importance and usability of e-banking to Internet users.
They also allow us to understand why cybercriminals are interested in exploiting these services. As more and more people access online banking services, they become potential targets for those who have the technical expertise and audacity to swindle them for personal financial gain.
[1] http://www.statista.com/statistics/233284/development-of-global-online-banking-penetration/
2. From M to B
One of the most well-known types of attack against financial institutions is the Man-in-the-Middle (MITM) attack.
This method is based on the attacker's ability to intercept a legitimate user's session with a bank's web server and use their own machine (i.e. the attacker's) as a proxy. All data then passes through the attacker's computer, giving them complete control over it and allowing tampering without either end's knowledge.
This method has been used by cybercriminals for quite some time. However, I.T. security engineers have managed to strengthen their defensive measures through the use of device identification and Risk Engines (REs).
Risk engines analyse information related to every user session, such as unique device IDs (UDIDs), login times and session duration. All data are then combined and analysed in order to evaluate whether such activity is reasonable/typical for that specific user (behavioural profile). If the analysis produces an alert, the issue is escalated for further inspection.
The above factors - technology (risk engines), experience (previous incidents) and the maturity of Internet users (it is easier for today's average user to identify a fraudulent website than it was some years ago) - have contributed to making MITM attacks very difficult to execute successfully.
For this reason, cybercriminals started to move towards a more advanced and promising method.
Instead of hijacking user sessions at the network layer (during transmission of data), attackers have begun to target the user's application layer directly: their web browser.
Trojan horses, which are distributed through various well-known methods (email attachments, hyperlinks on social networks or hijacked websites), install extensions on web browsers. These extensions are able to:
- Modify what the user sees on their computer (DOM manipulation).
- Modify and/or redirect original user data before encryption and transmission takes place. This ensures the data sent to the web banking server seems legitimate and therefore the fraud cannot be detected.
- Modify the returning transaction data upon server response, so as to present information to the user exactly as it is expected to look.
3. Malware distribution overview
The Internet provides a wealth of information and services to every user around the world. Of course, some of the available services relate to non-legitimate purposes. Underground communities have created well-organized online markets where users can obtain malicious software for their needs (Malware-as-a-Service - MaaS).
Before proceeding with the details of how a MITB attack takes place, we will describe how malware in general is distributed to the computers of unsuspecting users all around the world.
Malware distribution involves three parties:
[Figure: Malware distribution - parties involved]
a) Infection Point
The infection point is the method by which the malware is distributed to the target machines. There are several distribution methods, such as:
- A hijacked website which automatically downloads and installs a trojan on the user's computer (drive-by download).
- An email attachment which contains executable code and runs when the user opens it.
- A USB key which contains the malware and runs when the user connects it to their computer (autorun.inf).
- A PDF document or a PowerPoint presentation with embedded script code.
b) Command and Control (C&C) Server
Once the malware has been installed on the computer, the attacker must provide instructions about the exact actions to be performed. These instructions are provided through a configuration file and are distributed to the target machines from a Command & Control (C&C) server. They contain information such as:
- Website URLs that need to be monitored and intercepted,
- Custom form fields that need to be added/changed per URL,
- Drop server locations, where all the intercepted data will be sent.
The configuration files are usually encrypted/obfuscated, so that their content is difficult to examine, and can be easily updated from the C&C server with new information, e.g. new e-banking URLs, updated form fields and drop servers.
c) Drop Server
The drop server is the location to which all data collected from the target computers are sent. This could be a hijacked machine whose administrator/owner has no knowledge that it is being used by cybercriminals, or the same C&C server that is used by the attackers.
4. The Man-in-the-browser (MITB) attack
A web browser is the client-side application which communicates with remote web servers, downloads content and renders it on the user's screen.
The main concept behind the MITB attack is that the rendering of information received from the web server (i.e. how the webpage will be displayed - the DOM tree) can be edited/manipulated on-the-fly in order to customize/improve the user's experience, e.g. remove ads/banners or change colours (augmented browsing).
Although there is nothing wrong with this concept, the exact same method can be used for malicious purposes: the mechanisms that can change the layout or the colours of a web page can also change the values of submitted forms in the background, while displaying whatever information their creator wants on the user's screen.
4.1 Points of attack
Extra functionality can be inserted into web browsers in a variety of ways, depending on the browser type. Extra functionality usually aims at enhancing the user experience, but fraudsters can use this capability to take control of the browser. Ways to incorporate new functions into the browser include:
Browser Helper Objects (BHOs)
Browser helper objects are dynamically-loaded libraries (DLLs) specifically designed for Microsoft's Internet Explorer, with access to the Document Object Model (DOM). They are activated on browser start-up and provide additional functionality, e.g. the Adobe Acrobat plugin is a BHO which allows opening PDF files directly from the web browser.
[Figure: List of Add-ons (BHOs) in Internet Explorer]
BHOs have been extensively used by cybercriminals due to the fact that they are easily developed and run with high privileges (System account).
Extensions
Similar functionality to BHOs for other browsers like Chrome, Firefox or Opera is provided by extensions. Some of them, like Greasemonkey for Firefox (www.greasespot.net), act as a placeholder for custom-made user scripts. That means that Greasemonkey does not perform a specific action - like the Adobe Acrobat plugin for PDF files - but instead allows any user script to run with its custom functionality, like a dynamic/reprogrammable extension.
[Figure: List of extensions in Google Chrome]
API hooking
API hooking is a complex technique which allows modification of API calls between an application (.exe) and the DLLs it dynamically loads - whether application or system libraries. For example, on Windows machines, the Windows Internet API (wininet.dll) enables applications to interact with and access Internet resources through the HTTP and FTP protocols. Malware installed on a browser can - once activated - hook various functions of wininet.dll, e.g. InternetConnect(), HttpSendRequest(), HttpOpenRequest(), InternetReadFile(), and modify the original calls.
[Figure: API hooking on wininet.dll]
AJAX sniffing
Another technique used for MITB attacks is AJAX sniffing. The approach this time is to hit the web server in order to collect or alter data on the client side. Web technologies have evolved rapidly in recent years and are now able to provide high-quality services with very smooth and fast functionality. In order for users to enjoy Web 2.0 services, a hack was invented to bypass the drawbacks of HTTP, such as its synchronous request model. A technology called Asynchronous JavaScript and XML (AJAX) is commonly used, which makes the navigation and use of a web application look and feel more like a desktop application. AJAX is based on a JavaScript object called XMLHttpRequest, which is responsible for calling URLs asynchronously in the background of a web site visit and is able to update specific parts of the page, or the complete page, when a response is returned.
AJAX sniffing is based on that implementation and injects JavaScript code snippets into web pages that are vulnerable to XSS attacks. XSS (Cross Site Scripting) attacks exploit web server vulnerabilities and allow the attacker to inject code into a webpage via the HTTP payload (POST, GET parameters). When the malicious JavaScript code is injected into the web server, it overrides the XMLHttpRequest object and starts sniffing all the requests the client makes to the server. That way, it can intercept all the information that is exchanged between the client and the server and forward the data to a remote server (drop server), where it can be used for whatever purpose the cybercriminals may want.
Consider that modern sites log users in via AJAX calls, which means that usernames and passwords from all users can be collected without having to install any malware on the clients. That is the worst thing about AJAX sniffing. Fortunately, this kind of attack is based on server-side exploits; therefore the main responsibility shifts to the web server's administrator(s), who are theoretically more technically aware of the field of information system security than a normal user.
4.2 MITB attack step-by-step
A detailed, step-by-step description of the MITB attack can be seen below:
1. The Trojan infects the computer's software, either at the operating system or application level (infection point).
2. The Trojan installs an extension into the browser configuration, so that it will be loaded the next time the browser starts.
3. At some later time, the user restarts the browser.
4. The browser loads the extension.
5. The extension registers a handler for every page-load.
6. Whenever a page is loaded, the URL of the page is searched by the extension against a list of known sites targeted for attack.
7. The user logs in securely to, for example, https://secure.ebanking.site/.
8. When the handler detects a page-load for a specific pattern in its target list (for example https://secure.original.site/account/do_transaction), it registers a button event handler.
9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values.
10. The extension modifies the values through the DOM interface.
11. The extension tells the browser to continue to submit the form to the server.
12. The browser sends the form, including the modified values, to the server.
13. The server receives the modified values in the form as a normal request. The server cannot differentiate between the original values and the modified values, or detect the changes.
14. The server performs the transaction and generates a receipt.
15. The browser receives the receipt for the modified transaction.
16. The extension detects the https://secure.ebanking.site/account/receipt URL, scans the HTML for the receipt fields, and replaces the modified data in the receipt with the original data that it remembered.
17. The browser displays the modified receipt with the original details.
18. The user thinks that the original transaction was received by the server intact and authorized correctly.
4.3 Famous MITB malware
A few of the most well-known malware families which use the MITB attack method can be found below:
- Zeus/Zbot
Zeus/Zbot and its variants (Zeus Gameover P2P) is probably the most well-known financial malware. It infects Windows machines and is based on the client/server model (it requires a C&C server in order to organize the attack). It is able to steal private data from the infected computers, such as usernames/passwords and banking credentials, by injecting malicious content into the user's web browser.
- Carberp
In 2012, the Carberp malware was reported replacing Facebook pages with fake ones which stated that the user's account was temporarily locked. In order to unlock the account, the user had to complete a web form which included personal information like name, email and password, and also pay a 20 uKash e-voucher to confirm verification. The cash voucher would supposedly be added to the user's Facebook main account balance, but in reality the 19-digit uKash code was transferred to the Carberp botmaster, who could use it as a normal cash equivalent.
[Figure: Carberp's Facebook attack]
4.4 What makes MITB attack difficult to defend from
Man-in-the-Browser attacks pose high risk due to the following factors:
Infection is easy
Users are accustomed to downloading files from the Internet, as well as regularly updating their installed applications, including their web browser and its various extensions. Software updates are usually either automatically approved without any user intervention, or are not given enough attention (users tend to just click Accept on installation prompts without noticing what the dialogs/prompts state).
Detection is hard
All technical vectors involved in the MITB attack (extensions, scripts) are carefully crafted, involve advanced technical knowledge and, most importantly, are installed and run only on the client side, where normal users usually have neither the expertise nor the technical knowledge and/or mechanisms to defend themselves. Additionally, such malware is usually distributed with variations of the malicious code in order to circumvent the antivirus/antispyware software installed on the client machines.
Authentication and server-side fraud detection mechanisms are inadequate
MITB is not a phishing attack; it does not use fake data, e.g. malicious websites that resemble the real ones, in order to steal users' information. All data that the e-banking servers receive are indeed sent from legitimate users and their machines. This means that traditional security measures like authentication (username/password) or transaction verification (by use of one-time passwords - OTPs) are rendered useless, since all of this data is sent through the browser and is therefore available for the installed malware to tamper with.
4.5 Defending against MITB attacks
As already stated, MITB attacks are quite advanced both in concept and technology, which means that there is no easy way to defend against them. However, there are some techniques and/or proposals which can be used against them and are presented below:
Hardened browser
The concept of a hardened browser is based on the creation of a browser that will be able to access e-banking services without allowing any kind of external/custom-made code - which by default might be malicious (extensions/BHOs) - to load. Additionally, the application should be available for distribution as a single, static binary so as to also avoid API hooking through dynamically-called external libraries. In more detail, a hardened browser should fulfil the following requirements:
- Statically compiled: prohibit loading of dynamic libraries
- Stripped: no compiler symbols should be available to guide the attack
- Additional binary-protection methods: the executable should be encrypted or packed
- Allow only HTTPS connections: prohibit plain HTTP
- Process monitoring for launching of executables from the browser
- Memory-space protection (against key loggers and/or screen capturing applications)
- White-list of valid e-banking websites: the browser can only connect to a predefined list of e-banking servers
- White-list of SSL certificates: no addition of SSL certificates is allowed
Pros
+ No extensive work is required in order to customize and strip down industry-standard browsers (Firefox, Chrome, IE).
+ Can be easily distributed as an alternative/parallel installation for use only on secure e-banking sites.
+ Better usability than a live distribution: if an update is published, users just download the new version without the need to burn a new CD or re-format a USB stick.
Cons
- Allowing only valid websites or SSL certificates based on white-lists might lead to having to continuously update the executable with new/updated information. This is obviously not a very practical, and certainly quite a tiring, process for the end user, who would certainly prefer not to be involved.
- Downloading the hardened browser is always susceptible to phishing: the user may be deceived and redirected to a website where a malicious/vulnerable version of the supposedly hardened browser is distributed.
Bootable, write-protected live distributions (live-CD/DVD)
Free/open source software distributions of client operating systems like Knoppix are distributed freely and can be burned to bootable, read-only media (CD/DVD). As the media is write-protected, no installation can take place permanently, which means that if the user wishes to perform an online bank transaction, a reboot will securely reset all browser settings to the defaults and will allow the user to connect to the e-banking server securely.
Pros
+ Upon reboot, a live-CD is considered highly secure.
Cons
- Browsers on live-CDs also need to be updated and patched every time the user restarts the live-CD distribution, otherwise they run the risk of connecting to the web banking server insecurely.
- Users don't like to reboot their computers very often. Especially as they will have to lose all the customizations that they have made during their current session, it is quite probable that they will eventually either not reboot - which poses a security issue - or not use the live-CD distribution at all.
Out-of-band transaction verification
A popular method to counteract a MITB attack is the so-called Out-of-Band (OOB) transaction verification. This method is based on the use of a communication channel other than the web browser (telephone call, SMS) in which the transaction details will be verified.
Pros
+ Works with standard devices (mobile phones): does not need additional hardware.
Cons
- Can be easily subverted as well if the verification information (phone number) is stored in the user's online account.
- OOB SMS can also be broken by Man-in-the-Mobile (MITMo) attacks like ZitMo (Zeus-in-the-Mobile) and SpitMo (SpyEye-in-the-Mobile).
Campaigning/training for raising awareness
Apart from the technical vectors, campaigns and training sessions from financial institutions and government agencies help in raising user awareness about how these attacks take place and how they can be identified. One of the more effective methods for stopping MITB is educating Internet users on the extent of the threat. Malware has to enter the user's computer somehow, so if users are made aware of how this can happen, it is less likely that MITB will be effective. Properly maintained firewalls and scanning of all downloads will significantly reduce a user's risk of becoming a victim.
5. Variants of MITB
The MITB attack method is actually a family of malware components designed to exploit vulnerabilities in users' browsers. Some members of the family can be classified as sub-categories in their own right. The most important of these are presented briefly below.
5.1 Clickjacking
Clickjacking was originally described by Jeremiah Grossman of WhiteHat Security fame back in 2008. The idea here is to create a layer of authenticity, under which lies a different purpose. An easy-to-understand example is given in http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html. The gist of that example is described below.
Assume that a user is engaged in online banking activity. They are already logged into the bank service and most probably assume that they are perfectly safe as long as this is the case. Moreover, they expect that any content displayed while they are browsing through their account and transaction information originates from the bank service.
At some point the user comes across a page which includes some sort of offer, for example the chance to win a free iPad. The user may then be tempted to give this a shot: if it comes from the bank, it must be safe. They proceed to click on some link, which then results in something quite different happening: perhaps an amount of money from one of their accounts is transferred to another account, which the user knows nothing about. It will probably be some time before the user realises that something's gone wrong.
How did this happen? The usual mechanism is quite simple. Assuming the existence of a website that an attacker is interested in (we'll refer to that as website A - the bank's website in the previous example), and a user that has access to that website (the user engaged in web-banking), the success of this method depends on whether the attacker can trick the user into visiting a different website (website B), which is under the former's control. If the user's browser is running malicious BHOs or plug-ins as a result of it having been hijacked, this is quite easy.
The user is directed to website B after pointing their browser at a location of interest (as described in the MITB section). Website B is under the control of the attacker, who can therefore render, for instance, JavaScript and multiple pages. Website A is loaded inside a separate iframe and is initially displayed as-is to the user. The user starts their interaction with website A as normal. They log in and take care of their business as usual. They are never aware that something is wrong. At any time, the attacker can place content of their choosing on website B and overlay that content over the content of A in a variety of ways (such as rendering the content of website A invisible). The attacker can then take advantage of the fact that the user is still actually interacting with A, but seeing something completely different on screen. In other words, the attacker is tricking the user into performing legitimate bank transactions, while the user is under the impression they are doing something completely different (such as opting for a free iPad).
L. Huang et al., in their paper "Clickjacking: Attacks and Defenses", classify current clickjacking attacks into 3 categories, which correspond to the ways that users are forced to issue input commands (i.e. clicking on a link) which result in actions different from what they believe when they issue them (the phrase "out of context" is used throughout the paper to describe this situation). These categories are:
- Attacks that compromise target display integrity, meaning that the user views something different from what the legitimate website is actually showing at the time they consider clicking on a link.
- Attacks that compromise pointer integrity, meaning that the feedback given by the cursor or other input device is no longer reliable, having been tampered with, so that the user may click on something different from what they intended.
- Attacks that compromise temporal integrity, meaning that users are not given a sufficient amount of time to understand what they are clicking on and whether they'd really like to proceed.
An interesting distinction is made between clickjacking attacks and social engineering attacks, which do not attempt to manipulate security mechanisms to breach a website's security, but rather to manipulate people into attempting something that they normally wouldn't do. A social engineering attack is more or less the psychological bullying of the user into giving out information that is of value to attackers (i.e. account numbers, e-mails, passwords), because the user is manipulated into doing so by social conventions. A simple example is a social network post which prompts the user to like it or interact with it by posing as an organisation for the aid of blind children. The user may just go ahead and do this to appear concerned and socially responsible to others. The problem here arises from people being naive enough to follow a social convention without verifying that the information they are dealing out is actually going where they expect it to; this has nothing to do with clickjacking.
The most widely used clickjacking defences today use frame-busting. Frame-busting refers to code provided by a webpage which prevents the page from being loaded in an iframe, as described above. The basic principle of the code is simple:
// Runs in the protected page: if this document is not the top-level
// window, it has been framed, so navigate the top window to this page.
if (top.location != this.location) {
    top.location = self.location;
}
Unfortunately, frame-busting has the major drawback of being incompatible with third-party widgets, such as "like" and "follow" buttons. Other approaches include:
- User confirmation: the user is prompted to verify their initial action.
- User interface randomisation: this approach dictates that the positioning of sensitive elements (such as buttons, links, etc.) should vary every time a page is loaded.
- Opaque overlay: all cross-origin frames are rendered opaquely (a technique employed by the Gazelle browser).
Evidently, these approaches suffer from their own problems. User
confirmation is notorious for straining the patience of users, who
feel it is burdensome to have to make multiple clicks to complete
one action. Interface randomisation violates the basic principle of
keeping an interface consistent so that users can grow accustomed
and not get lost every time they try to interact with it. Finally,
opaque overlay removes all transparency from all cross-origin
elements, thus deforming many websites that are not being used for
malicious purposes.
5.2 Boy-in-the-browser (BITB)
The Boy-in-the-Browser method of attack is generally considered a less mature, dumbed-down version of the MITB attack. There are some differences between the two approaches:
- The BITB trojan redirects the traffic between the infected browser and the website of interest to a third-party site (which may even mimic the legitimate one), where most of the unauthorised processing takes place, whether this consists of simply copying down the information passed or of altering the ongoing transactions in some form.
- BITB scripts are much simpler than MITB scripts, and therefore require fewer resources. Developing a new BITB trojan can take a few hours, while useful MITB trojans usually need months to mature.
- BITB trojans evolve much more frequently, and therefore anti-virus programs have more difficulty catching up with the latest threats.
- It is easier to locate the culprit once the attack has been recognised as a BITB attack, and to shut down the third-party server collecting and processing the information.
Because of their nature, BITB trojans tend to be used for one-time hit-and-run operations. They are also used to target a greater variety of websites and are not primarily focused on financial institutions.
The basic outline of the method of operation is this: once the BITB trojan is downloaded, it starts tampering with the user system's hosts file, mainly by adding new entries to it. This results in a re-mapping of specific addresses to others, which point to websites controlled by the attacker (these websites may be phishing sites or act as proxies to legitimate sites). As in the MITB situation, the victim is completely unaware: the URLs displayed in the browser address bar are the legitimate ones.
5.3 Man-in-the-Mobile (MITMO)
With the growth of the smartphone market, especially the Android platform, it was inevitable that cyber-attackers would eventually target mobile phones, as they now offer more opportunities than ever for information eavesdropping and related malicious activities. Indeed, with so many apps hitting the market at this pace, involving pretty much everything from gaming to banking to social networking, the premise is very promising for anyone who wants to gain access to sensitive data quickly and easily.
It is no surprise that the MITB malware family expanded to hit the new market. Around the start of 2011, S21sec detected a new, rather sophisticated banking trojan, which they named Tatanga, written in C++ and affecting banks in Spain, the United Kingdom, Germany and Portugal using MITB functions. Almost a year later, ESET was following the progress of the same virus family (which they in turn called Gataka), commenting on their blog how surprising it was that it had received so little attention at the time, taking into account that the trojan's stability and functionality were bound to make it popular with fraudsters in the future. In turn, Trusteer noted soon after that a variant of the malware had finally migrated onto the Android platform.
The attack is not launched at the user's mobile at first, but rather at the user's web browser on their desktop computer. The bait here is a new security feature that is supposedly available for the Android platform and that a great number of users have purportedly already installed. The user is prompted to download this app on their mobile by entering their number and submitting an online request, which then results in a text message being sent to their phone. The SMS contains a link to install the alleged app, which is in fact the Tatanga virus.
Once installed, the virus can capture all SMS traffic, thus gaining access to all sorts of sensitive information (including bank authorisation codes), which it transmits to the attackers. This method of attack is very useful in circumventing the out-of-band security mechanisms that a lot of European banks use as a verification method. The out-of-band security approach requires the use of a separate medium to act as a verification agent for online transactions launched from a personal computer. That medium is usually the user's mobile phone, to which an SMS verification code is sent, which the user can then enter at the appropriate time to verify that they are actually the party that initiated the transaction. By gaining access to the SMS communications the user's phone participates in, the virus renders out-of-band authentication ineffective.
6 Conclusions
The MITB Trojan, along with all its variations, is yet another example of the undeniable fact that cyber-criminals have turned their attention to simple users, rather than companies and other organisations, the majority of which are now well aware of the risks of online transactions and tend to invest a lot in security measures and procedures.
Individual users, on the other hand, remain at best moderately
informed about the risks of using online services of any kind. They
are not too familiar (or do not wish to become so) with the many
pitfalls of such endeavours as online banking. Nevertheless, they
make more and more use of available services, thus increasing the
chances for attackers to gain profit. As a result, more services
become available at a growing pace, especially in the mobile phone
market. End users favour mobile applications, as they offer instant
access to whatever they need, whenever they need it. The Android
app market especially is a goldmine for fraudsters who want to
target unsuspecting users: downloading and installing a mobile app
is as easy as can be, and it seems that the notion of risk in this
area has yet to become common knowledge.
Clearly, this is something that has to be taken into account, and it is companies that have to take the first step: assuming that users are well protected behind their firewalls and anti-virus platforms can bring down even the most sophisticated of security systems. Even approaches that use multiple media for authorisation (such as the out-of-band verification system) can be bypassed with the advent of mobile-targeted trojans. Raising awareness is of course imperative, but it is worrying that most users tend to believe that it is rather the companies' responsibility to ensure the secure exchange of information, and not their own.
7 References
C. Cain (SANS Institute), Analyzing Man-in-the-Browser (MITB) Attacks, https://www.sans.org/reading-room/whitepapers/forensics/analyzing-man-in-the-browser-mitb-attacks-35687
O. Eisen (41st Parameter), Catching the fraudulent 'Man-in-the-Middle' and 'Man-in-the-Browser', http://www.the41.com/sites/default/files/MITM%20and%20MITB%20Overview_41st%20Parameter.pdf
J. Dossogne, O. Markowitch, Online banking and man in the browser attacks: Survey of the Belgian situation, http://www.ulb.ac.be/di/scsi/markowitch/publications/wic2010b.pdf
M. Stahlberg (F-Secure), The Trojan money spinner, https://www.f-secure.com/weblog/archives/VB2007_TheTrojanMoneySpinner.pdf
OWASP, Man in the browser attack, https://www.owasp.org/index.php/Man-in-the-browser_attack
Trusteer/IBM, How Man-in-the-Browser (MitB) Malware Works (video), http://securityintelligence.com/media/malware-man-in-the-browser-mitb-how-works-video
ISACA, Man in the Browser - A Threat to Online Banking, http://www.isacajournal-digital.org/isacajournal/2013vol4?folio=16#pg18
Almeida, Buyuksahin, Dimogerontakis, Tarhan, Man in the browser attacks
A. Nordbo, Man-in-the-browser to retrieve content of SSL connections, https://andynor.net/static/fileupload/419/S2_SoftSecTrends_Man-in-the-browser.pdf
Wells, Hutchinson, Pierce (Edith Cowan University), Enhanced Security for Preventing Man-in-the-Middle Attacks in Authentication, Data Entry and Transaction Verification, http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1057&context=ism
Sood, Enbody (Michigan State University), The Art of Cyber Bank Robbery, http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Sood.pdf
T. Siebert, Advanced Techniques in Modern Banking Trojans, https://www.botconf.eu/wp-content/uploads/2013/12/02-BankingTrojans-ThomasSiebert.pdf
R. Hansen (SecTheory), Clickjacking, http://www.sectheory.com/clickjacking.htm
T. Hunt, Clickjack attack - the hidden threat right in front of you, http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
J. Grossman, Clickjacking: Web pages can see and hear you, http://jeremiahgrossman.blogspot.com.au/2008/10/clickjacking-web-pages-can-see-and-hear.html
L. Huang, A. Moshchuk, H. J. Wang, S. Schechter, C. Jackson, Clickjacking: Attacks and Defenses, https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf
S. Johnson, Social engineering attacks: Is security focused on the wrong problem?, http://searchsecurity.techtarget.com/feature/Social-engineering-attacks-Is-security-focused-on-the-wrong-problem
G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson, Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
PC Tools, The Boy-in-the-Browser is more than Just Mischievous, http://www.pctools.com/security-news/bitb-trojan/
Imperva, Boy in the Browser, http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
B. Prince, Boy-in-the-Browser Attacks Come Out and Play, http://www.eweek.com/security-watch/boy-in-the-browser-attacks-come-out-and-play.html
Infosecurity Magazine, Man in the Browser (MITB) becomes Man in the Mobile (MITMO), http://www.infosecurity-magazine.com/news/man-in-the-browser-mitb-becomes-man-in-the-mobile/
A. Klein, Tatanga Trojan Bypasses Mobile Security to Steal Money from Online Banking Users in Germany, http://securityintelligence.com/tatanga-trojan-bypasses-mobile-security-to-steal-money-from-online-banking-users-in-germany/#.VQKojY6Ud8F
A. Klein, Man-in-the-Mobile Attacks Single Out Android, http://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/#.VQKpJY6Ud8G
J. Boutin, Win32/Gataka: a banking Trojan ready to take off?, http://www.eset.com/int/about/blog/blog/article/win32gataka-a-banking-trojan-ready-to-take-off/