Trusteer Identifies Universal Man-in-the-Browser Attack Technique
A new tactic builds off traditional man-in-the-browser attacks to make it easier for attackers to steal credit card and other information from Web surfers. So far, the tactic is not widespread, security researchers say.Researchers at security firm Trusteer have observed a new form of man-in-the-browser attack that makes stealing credit cards and other information easier for cyber-criminals. The firm has dubbed the attack "universal man-in-the-browser" (uMitB). Its draw is that it enables hackers to collect data submitted to all Websites without the need for post-processing. "Traditional MitB attacks typically collect data (log-in credentials, credit card numbers, etc.) entered by the victim in a specific Website," Amit Klein, CTO of Trusteer, explained in a blog post. "Additionally, MitB malware may collect all data entered by the victim into Websites, but it requires post-processing by the fraudster to parse the logs and extract the valuable data." In contrast, uMitB does not target a specific, predefined Website. Instead, Klein continued, it collects data entered into the browser at all Websites and uses generic real-time logic on the form submissions to perform the equivalent of post-processing. The data stolen by the uMitB malware is then stored in a portal where it is organized and sold in the cyber-underground.
The ability to cut down on data parsing by attackers is significant for them, according to the company. George Tubin, senior security strategist for Trusteer, noted that MitB attacks often collect all log information from a user's browser session.