Boy-in-the-Browser Attacks Come Out and Play
The man-in-the-middle has a son, and he is here to bully your Web browser.
This is the message of Imperva, who is highlighting the presence of boy-in-the-browser attacks. The company has seen a resurgence in this type of attack, which works by redirecting traffic.
"It re-routes it in a very smart way, so that the victim cannot detect that [he] has a Trojan, because when he for example moves to access Bank of America, he'll see on his address bar bankofamerica.com when in fact it was going to, for example, attacker.com," Noa Bar-Yosef, senior security strategist at Imperva, told eWEEK.
The attacker does all this by modifying the way hostnames map to network addresses by tampering with the host file on the compromised machine. Sometimes there are visual clues a person has been redirected to an attacker's site; sometimes not.
One example Imperva found recently involved nine Latin American banks being targeted. A second example that Imperva found revealed attackers using boy-in-the-browser as part of a click fraud scheme to defraud Google. In that case, the victim redirected people using a regional domain of Google - such as www.google.co.uk - to an attacker-controlled server.
When the user performed a query, the attacker would fetch the results and ads from Google but serve them on the attacker's own page. The end result, Imperva explained, is that when a user clicks on a specific ad, the commission is attributed to the attacker instead of to Google.
"The boy-in-the-browser, man-in-the-browser are an evolution of what we call proxy Trojans," Bar-Yosef said. "The very rudimentary ones that we've all heard about were keyloggers ... then you had another evolvement, for example, which would be complete session recorders, where while you're transacting with the bank it would record the whole transaction and then it could replay that. The boy-in-the-browser now is one more [evolutionary] step--now it's rerouting the browser so you have no detection."
You can read Imperva's analysis here.