Malware integrating itself into a victim’s Web browser is nothing new. Increasingly however, these man-in-the-browser attacks are being used to successfully bypass authentication mechanisms used by online banking sites, according to a security researcher.
Jason Milletary, technical director for malware analysis at SecureWorks, explained banking Trojans like ZeuS, Gozi and SpyEye utilize man-in-the-browser (MITB) techniques to provide cyber-criminals with additional information needed to conduct financial fraud, such as the victim’s Web browsing activity and data.
“Some malware takes advantage of mechanisms to extend Web browser functionality and are implemented using these mechanisms, such as Browser Helper Objects (BHO) for Internet Explorer or Firefox Extensions,” said Milletary, who gave a presentation on the subject June 16 at the Forum of Incident Response Security Team Conference in Miami. “Other malware will insert code into the running process of a Web browser and divert some of the Web browser’s normal functionality to the malware.”
Sometimes the attacks modify the content in the victim’s browser when they visit an online bank’s log-in page, he said, by adding additional form fields to the legitimate Web page. The idea is to phish for information that may be used as a secondary authentication mechanism.
“Most Trojans analyzed by CTU [SecureWorks’ Counter Threat Unit] that are used to perform financial sector fraud include some level of MITB capability that allow it to perform attacks more sophisticated than simple theft of a user’s online banking credentials,” he said.
Similar techniques are also used by search engine hijackers like Opachki to divert
search engine results through third-party affiliate sites, Milletary added.
To fight these attacks, online banks need to analyze browser behavior from the back end and identify anomalies that may be introduced by these attacks, he said. In addition, they should educate customers and employees about the issue, he added.
“These types of threats have been technically established for several years,” he said. “The concern is how these types of attacks are potentially being used to attempt to bypass more advanced authentication mechanisms being implemented by online banking sites.”