Trusteer Identifies Universal Man-in-the-Browser Attack Technique

A new tactic builds off traditional man-in-the-browser attacks to make it easier for attackers to steal credit card and other information from Web surfers. So far, the tactic is not widespread, security researchers say.

Researchers at security firm Trusteer have observed a new form of man-in-the-browser attack that makes stealing credit cards and other information easier for cyber-criminals.

The firm has dubbed the attack "universal man-in-the-browser" (uMitB). Its draw is that it enables hackers to collect data submitted to all Websites without the need for post-processing.

"Traditional MitB attacks typically collect data (log-in credentials, credit card numbers, etc.) entered by the victim in a specific Website," Amit Klein, CTO of Trusteer, explained in a blog post. "Additionally, MitB malware may collect all data entered by the victim into Websites, but it requires post-processing by the fraudster to parse the logs and extract the valuable data."

In contrast, uMitB does not target a specific, predefined Website. Instead, Klein continued, it collects data entered into the browser at all Websites and uses generic real-time logic on the form submissions to perform the equivalent of post-processing. The data stolen by the uMitB malware is then stored in a portal where it is organized and sold in the cyber-underground.

The ability to cut down on data parsing by attackers is significant for them, according to the company. George Tubin, senior security strategist for Trusteer, noted that MitB attacks often collect all log information from a user's browser session.

"The log files have a massive amount of information, including account credentials, credit card information and other payments data," he told eWEEK. "Criminals have to parse through all the logs to cull out what might be useful for selling on the underground market. This is painstaking, which is why some criminals just sell the raw logs."

uMitB attacks, however, recognize form fields on any site visited by an infected user, such as those for names, addresses or credit card information, he said. This eliminates post-processing and collects the data in real time, he explained.

"As a result, uMitB makes stolen credit card numbers much more valuable on the underground market because they go stale quickly," Tubin noted. Stolen credit card numbers sell for 40 to 80 cents U.S. each on the black market, according to Symantec researchers.

The technique could be used to swipe other credentials too. In August, Trusteer uncovered a man-in-the-browser attack targeting the VPN credentials of employees at an airport in order to gain access to internal airport applications.

Trusteer first spotted the technique in late August, and has been keeping an eye on it since. So far, the attack is in the early stages of propagation, Tubin said. The malware being used in the attacks is being delivered the same way as Zeus and SpyEye configurations are normally delivered--through phishing emails and drive-by download attacks that exploit unpatched browser vulnerabilities, he said.

"As always," Klein blogged, "the best protection against financial fraud attacks that use uMitB, MitB, man-in-the-middle, etc., is to secure the endpoint against the root cause of these problems--malware."