Connect with us

Hi, what are you looking for?



The Evolution of Proxy Trojans

Proxy Trojans and Man-in-the-Browser Attacks Remain a Major Threat to Financial Institutions

Proxy Trojans and Man-in-the-Browser Attacks Remain a Major Threat to Financial Institutions

(Part VIII in a Series on Cybercrime. Read Part IPart IIPart IIIPart IVPart V)

According to comScore, holiday shoppers spent more than $28 billion online this year. And this is before the final Christmas statistics even rolled in. With this massive amount of money rolling around, it comes as no surprise that the online banking and online retailers are attractive targets to hackers. What are the latest threats?

Proxy Trojans

The evolution of Proxy Trojans

Proxy Trojans are nothing new. They’ve evolved into three categories:

Stage 1: Keyloggers. This is the most primitive form of Proxy Trojan where the Trojan records the victims’ credentials as they log into a certain online application. The Trojan then sends the obtained credentials to command and control (C&C) servers. In fact, last year we saw 10K hotmail accounts captured by such Trojans. This incident reveals some interesting patterns. At first glance, and according to initial reports, it seemed that the credentials were obtained as a result of a phishing campaign. However, the analysis indicated that some username and password combinations were very similar – differing only by a letter or two. These “typos” were letters with close proximity on the keyboard which signify credentials harvested by keyloggers.

Stage 2: Browser-session recorders.

Advertisement. Scroll to continue reading.

The next step of Proxy Trojan evolution is the malware’s ability to record complete browser sessions. This provides the hacker with the additional knowledge, for example, of PIN codes for debit cards, credit card numbers and answers to security questions. With this information at hand, a hacker can easily impersonate the victim at a later stage by “replaying” a user session. Zeus v2 for instance contains this capability. As uncovered in July, 100,000 UK computers are infected with this Trojan.

Stage 3: Man in the Browser (MitB).

These sophisticated Trojans are able to run in the context of the victim’s browser. This means that this breed of malware may be configured to inject HTML code into the browser’s requests and responses. In effect, the Trojan interacts in real-time with the bank and performs transactions on behalf of the logged-in victim – unknowingly to the user, or to the bank. Consider the following scenario: a MitB Trojan is installed on the victim’s machine. The victim, Bob, requests to transfer money from his checking account to a savings account. However, unbeknownst to Bob, Zeus alters the request to direct the transfer to an account in the Ukraine. When the bank requests verification on the transaction to the certain Ukranian account, once again Zeus interjects and modifies the bank’s response to match Bob’s request. Bob verifies and the bank proceeds to process the perceived genuine transfer request.

MitB in the wild

Most prominent Trojans, such as Zeus, Gozi, URLZone, Sinowal and SpyEye all have MitB capabilities. As one-time passwords and two-factor authentication mechanisms become more common among online banking applications, the credentials obtained by Proxy Trojans will become less effective. Consequently, attackers are starting to improve the autonomous capabilities of MitB code. The recent, and potentially costly, SilentBanker Trojan targeted more than 400 banks and had the ability to intercept banking transactions – even those guarded by two-factor authentication.

2011: MitB grows in sophistication

One 2011 security trend prediction that the security industry should watch out for is MitB. In the upcoming year we will see a few key developments:

• MitB attack sophistication will grow. This is just one more step in the evolution of malware as described above. As the security controls will set up to deal with the most current strain, hacker code developers will evolve their code to bypass these safeguards (see section on mobile, for example)

• MitB Trojans will continue to advance and target other online applications, not only banking applications. We are already aware of PayPal and eBay being targeted according to captured and analyzed configuration files. It’s only a matter of time where these MitB Trojans will target webmail and social networks.

• As these Trojans become more prevalent, we’re bound to see them featured in more browsers. In fact, MitB code which traditionally leeched on to IE browsers, is now starting to appear for other common browsers.

When MitB moves to mobile

It is not surprising then that banks are trying to defeat Trojans installed on unwary customers. One way is to use two-factor authentication, where the mobile provides the additional level of security. Before performing the transaction, the bank sends the user a mobile text (SMS) confirmation. But hackers have already found a way to bypass this new guard – Zeus Mitmo is the latest strain of Zeus targeted at mobile devices.


While avoiding infection by Proxy Trojans is presumably the responsibility of consumers, MitB attacks are quickly becoming a concern of online service providers. The actual rate of infection and the proliferation of the many types of MitB malware suggests that providers must be able to serve and protect those customers who may be infected with one type of malware or another. Just as the evolution of vehicle safety drove manufacturers- not consumers – to include devices such as ABS, Air Bags and ESP, online service providers will have to invest in mechanisms that allow them to do business with allegedly infected consumers. Helpful techniques include: strong device identification, client profiling, session flow tracking and site-to-client authentication.

Next Column

We are bound to see the growth of MitB Trojan sophistication throughout the upcoming year, including those targeting mobile devices. But mobile devices themselves hold a plethora of security vulnerabilities. As the popularity of these devices soar, we are going to see more threats to these devices. So stay tuned as I talk about what to expect in the upcoming year regarding mobile security.

 Related Reading > 2010 Device Integrity Report: U.S. Unprepared for Internet Device Flood

Read More of Noa’s Cybercrime Columns Here

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...