Man in the Browser Attacks

Authors

  • Timothy Dougan
  • Kevin Curran
Abstract

Man-in-the-Browser attacks are a sophisticated new hacking technique associated with Internet crime, especially that which targets customers of Internet banking. The security community has been aware of them as such for some time, but they have grown in ability and success during that time. These attacks are a specialised version of the Man-in-the-Middle attack, and operate by stealing authentication data and altering legitimate user transactions to benefit the attackers. This paper examines what Man-in-the-Browser attacks are capable of and how specific versions of the attack are executed, with reference to their control structure, data interaction techniques, and methods for circumventing security. Finally, the authors discuss the effectiveness of counter-Man-in-the-Middle strategies, and speculate upon what these attacks tell us about the Internet environment.

DOI: 10.4018/jaci.2012010103

International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012. Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

destination. However, the Man could also breach the integrity of the signal before it even leaves the user’s PC, if he subjects the user to a Man in the Browser (MitB) attack. This is a more recent form of attack in which the user’s browser is corrupted in order to act as the tap in the information stream, an attack which “occurs at the system level, between the user and the browser, [rather than via] the protocol layer” (Litan & Allan, 2006). This, structurally speaking, is “a man-in-the-middle attack between the user and the security mechanisms of the browser” (Gühring, 2006). Therefore, in network security terms, “the Middle” is every point along the course of an information transaction between the initial input and final output device (i.e., anything that is not a keyboard or a monitor, etc.).
In this sense, the MitB attack is a special case of the MitM attack in which the intrusion occurs at the very nearest end of the middle to the user.

2. MitB IN TERMS OF MitM

Let us begin by exploring the places in which MitB differs from MitM. Firstly, MitM intercepts data using an inserted or compromised piece of hardware that is external to the targeted system. MitB, on the other hand, gains access through the software configuration on that system, generally by way of a Trojan that targets the web browsers on that computer.

Secondly, MitM either has to deal with messages that have already been protected by whatever security is associated with the connection (and read/alter them mid-flight in both directions of communication), or has to present a plausible reason for the user to create their connection with the attacker’s own server. MitB does not need to bother with the extra work this entails. In the outward-bound direction, it is the author of all compromised messages sent. In the inward-bound direction, it does still have to deal with a fully formed message, but it does not need to be concerned with modifying the message itself so as to conceal its actions. This is because MitB directly controls the browser, and therefore needs only to modify the browser display to be as the user expects. Together this means that it works outside of any client-side and server-side encryption and validation, and therefore does not have to be concerned with increased latency arising from hashing overheads or with providing dummy keys for public key encryption. This implies another advantage of MitB over MitM, in that MitM is only guaranteed to be able to handle public key encryption (and this only up to a point, as discussed in the section “Trust”), whereas MitB is “immune” to all forms of encryption, including symmetric key, by being external to it.
Finally, MitM is only truly effective as a directed or location-based attack, whereas MitB can be spammed to as many computers as its Trojan is able to infect. If the access point of MitM were somewhere at random in the Internet, it is unlikely for it to be able to extract valuable data or make modifications undetectably. This is because packets can be routed independently, so any data gleaned will probably be fragmentary, and replies to any fraudulent modified messages would not be guaranteed to pass through the same compromised point as the outgoing message, making concealment of modifications almost impossible. To maintain constant contact, the MitM attacker must either be physically close enough to the victim to capture their outgoing data before it has the opportunity to bifurcate, or trick the victim into navigating to the attacker’s own server that will act as a stable mid-point. This compels the attacker to either directly target or in some other way reach out to individuals or groups, and means that this attack does not scale very well. On the other hand, the only such limitations on MitB are around the level of security that is installed on the systems it attacks or is practiced by the people who use them, and it scales very well. Where MitM is limited to a chosen few targets at a time (most effectively spread by mass spam emails with links to compromised sites), individual MitB Trojans are known to have compromised between hundreds and hundreds of thousands of users’ security concurrently (Finjan, 2009;


Related resources

Web Browser Security: Different Attacks Detection and Prevention Techniques

In this paper, we present a systematic study of how to make a browser secure. Web browser is vulnerable to different attacks; these attacks are performed due to vulnerabilities in the UI of the web page, Browser cache memory, extensions, plug-in. The Attacker can run malicious JavaScript to exploit user system by using these vulnerabilities. Buffer overflow attack, Cross-site-scripting, Man-in-...


Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning

In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a user’s HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks on five mainstream desktop browsers and 16 popular mobile browsers. We find that browsers are highly in...


Mitigating Man-In-The-Browser Attacks with Hardware-based Authentication Scheme

Lack of security awareness amongst end users when dealing with online banking and electronic commerce leaves many client-side application vulnerabilities open. Thus, this enables attackers to exploit the vulnerabilities and launch client-side attacks such as man-in-the-browser attack. The attack is designed to manipulate sensitive information via client’s application such as internet browser ...


Cloak and Dagger: Man-In-The-Middle and Other Insidious Attacks

Information has always been very valuable. Computers are entrusted to maintain and process massive amounts of information. This makes them valuable targets to attackers. One of the most devastating forms of attack is when an attacker gains access to the information without the victim even being aware of it. This paper explores some of the means by which this surreptitious access to information ...


A Survey on Security Solutions of Top e-Banking Providers from an Eastern European Market

We analyse the security of e-banking services from top e-banking providers on the Romanian market. This location is relevant for at least two reasons: it’s a dynamic and diverse market situated at the crossroads between central and eastern Europe and half of the providers come from foreign markets (CitiBank, ING, Raiffeisen, etc.) or are acquired by Western European providers (Societe Generale...


Poster: Man-in-the-Browser-Cache: Persisting HTTPS Attacks via Browser Cache Poisoning

When browsing the web using HTTPS, if a user Alice ignores, or clicks through, the browser’s SSL warnings of an invalid SSL certificate, she exposes her browser sessions to a Man-in-the-middle (MITM) attack, allowing attackers to intercept communication in the SSL channel. Recent work has measured the click-through rates for SSL warnings, indicating that more than 50% of users click through SSL wa...



Journal title:
  • IJACI

Volume 4, Issue 

Pages  -

Publication date: 2012