By Penetrating the Browser, Man-in-the-Browser Malware Can See Virtually Everything that an End-user Can See
Man-in-the-Browser or MitB malware has proven to be one of the most successful and profitable classes of malware in the history of the Internet. MitB malware such as Zeus and its many offshoots and competitors have historically focused on financial websites, where they silently steal money from their victims during the course of normal online banking sessions. However, in recent months MitB malware has been observed branching out of its traditional financial stomping grounds and into more generalized web applications.
Early this year, researchers from security firm Adallom discovered a variant of Zeus that was adapted to steal data from the victim’s Salesforce.com account.
This represents a significant development not only because the Man-in-the-Browser strategy has proven remarkably successful at defrauding even the most heavily secured web applications, but also because it is broadly applicable to abusing most any type of web application. You may have heard of MitB even though you don’t work for a financial institution. But you may not be aware of the details that make MitB so unique. With that in mind, let’s take a quick tour of what MitB is and why it is so difficult to defend against.
A MitB Primer
MitB malware infects users via all of the traditional avenues such as email attachments, malicious links, or by visiting an infected website. What makes Man-in-the-Browser exceptional is not its infection methods, but the sneaky ways it works on a compromised machine. Instead of running itself as an independent program, MitB malware acts as a parasite by injecting itself into the victim’s browser. Needless to say, the browser is a highly strategic position for an attacker to take up residence. By penetrating the browser, malware can see virtually everything that an end-user can see, and even more importantly can do virtually everything that an end-user can do with a browser.
At its most basic, MitB can easily capture a compromised user’s login and password for a particular website. However, keyloggers are a dime a dozen. What has set MitB apart in recent years is the fact that it can alter or emulate a real end-user’s interaction with a web application. In the financial world, this often means fraudulent money transfers or payments from the victim to the criminal. However, this strategy is equally applicable to virtually any web application functionality. Besides automating bank transfers, the malware can automate nearly any functionality of a web application, such as changing personal data or sending a message to friends.
It is important to note that because MitB malware is within the browser itself, it works regardless of whether the user session is protected by SSL or TLS. Again, most anything the end-user can see, the malware can see. Worse still, MitB can glide through any number of authentication steps (e.g., two-factor authentication). The malware simply rides along with the real end-user as they authenticate to the application, and begins malicious actions in the background once the user is granted full access. To the web application, the malware’s actions simply look like normal end-user behavior. In the case of the malware that targeted Salesforce.com, the attackers used Zeus as the framework and added crawler functionality to harvest data once the user was logged in.
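The point above is that the malware's credentials and channel are genuine, so a server can only notice the *pace* and *pattern* of what the authenticated session does after login. The following is an added example, not code from the column or from any product it mentions: a small server-side heuristic run over constructed session log lines. The log format, the action names, and every threshold are assumptions chosen for illustration.

```javascript
// Added example (not from the column): post-login behaviour heuristic over
// constructed session logs. A Man-in-the-Browser rides a real, authenticated
// session, so credentials and TLS look fine; what can still stand out is how
// fast the session starts touching data once the user is logged in.

// Parse one log line of the constructed form:
//   <ISO timestamp> session=<id> user=<name> action=<verb>
// Returns null for lines that do not match, so junk lines are skipped.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+session=(\S+)\s+user=(\S+)\s+action=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), session: m[2], user: m[3], action: m[4] };
}

// Actions worth counting (assumed names for this example).
const SENSITIVE_ACTIONS = new Set(["export_contacts", "view_record"]);

// Flag a session when, within `windowMs` of its login, it performs at least
// `maxSensitive` sensitive actions, or when `burstLen` consecutive requests
// arrive less than `minGapMs` apart (faster than a person clicks).
function findSuspiciousSessions(lines, opts = {}) {
  const { windowMs = 60_000, maxSensitive = 10, minGapMs = 250, burstLen = 5 } = opts;

  // Group parsed events by session id.
  const bySession = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!bySession.has(ev.session)) bySession.set(ev.session, []);
    bySession.get(ev.session).push(ev);
  }

  const findings = [];
  for (const [session, events] of bySession) {
    events.sort((a, b) => a.ts - b.ts);
    const login = events.find((e) => e.action === "login");
    if (!login) continue; // no login seen for this session; nothing to anchor on

    // Sensitive actions in the window right after the login completed.
    const inWindow = events.filter((e) => e.ts > login.ts && e.ts - login.ts <= windowMs);
    const sensitive = inWindow.filter((e) => SENSITIVE_ACTIONS.has(e.action)).length;

    // Longest run of consecutive requests closer together than minGapMs.
    let burst = false;
    let run = 0;
    for (let i = 1; i < events.length; i++) {
      run = events[i].ts - events[i - 1].ts < minGapMs ? run + 1 : 0;
      if (run >= burstLen - 1) { burst = true; break; }
    }

    const reasons = [];
    if (sensitive >= maxSensitive) {
      reasons.push(`${sensitive} sensitive actions within ${windowMs / 1000}s of login`);
    }
    if (burst) reasons.push(`${burstLen} requests under ${minGapMs}ms apart`);
    if (reasons.length) findings.push({ session, user: login.user, reasons });
  }
  return findings;
}

// Constructed sample log: one human-paced session (alice) and one session
// (bob) that starts crawling records a couple of seconds after login.
const SAMPLE_LOG = [
  "2014-09-10T09:00:00.000Z session=s1 user=alice action=login",
  "2014-09-10T09:00:15.000Z session=s1 user=alice action=view_record",
  "2014-09-10T09:00:42.000Z session=s1 user=alice action=view_record",
  "2014-09-10T09:03:00.000Z session=s1 user=alice action=logout",
  "2014-09-10T09:10:00.000Z session=s2 user=bob action=login",
  "2014-09-10T09:10:02.000Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.100Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.200Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.300Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.400Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.500Z session=s2 user=bob action=export_contacts",
  "2014-09-10T09:10:02.600Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.700Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.800Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:02.900Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:03.000Z session=s2 user=bob action=view_record",
  "2014-09-10T09:10:03.100Z session=s2 user=bob action=export_contacts",
  "this line is malformed and is ignored",
];

console.log(JSON.stringify(findSuspiciousSessions(SAMPLE_LOG), null, 2));
```

Run with `node` and only session `s2` is reported, for both reasons. The thresholds are deliberately loose and should be tuned per application; the check is a signal to correlate with other telemetry, since malware that paces its requests like a person would pass the burst test, and the count test only catches bulk harvesting.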
Web Applications and the Client-Side Web
One of the keys to MitB’s power is linked to the evolution of web-based computing itself. In order to deliver the interactivity and functionality that applications demand, websites have adopted and become heavily dependent on JavaScript. These scripts run within the browser itself to implement the user interface functionality of a web application instead of forcing all such functionality to be delivered from the server. This is a very efficient and flexible approach and has become standard technology in all types of websites.
The problem is that malware in the browser can directly modify these client-side elements or inject content of its own without the user’s knowledge, and effectively change functionality. If the goal is to steal a victim’s social security number, the malware can inject a field for social security number into the application’s login form. Additionally, the malware can inject its own JavaScript as well in order to emulate actions performed by a real end-user. This is how Zeus and its cohorts generate fraudulent transactions during online banking sessions.
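One defensive counterpart to the field-injection trick described above is to have the page compare its own login form against the set of controls the application shipped and report any discrepancy. The block below is an added example, not code from the column: the expected field names and types, the constructed form snapshots, and the hypothetical injected `ssn` field are all assumptions for illustration.

```javascript
// Added example (not from the column): allow-list check of a login form's
// control set, the kind of DOM-integrity telemetry a site can collect to spot
// fields that were not in the form it served (e.g. an injected "social
// security number" box) before the user fills them in.

// The controls the application actually ships in its login form. Names and
// types are assumptions for this example.
const EXPECTED_LOGIN_FIELDS = Object.freeze({
  username: "text",
  password: "password",
  csrf_token: "hidden",
});

// Own-property test; a plain `in` would also match inherited names such as
// "constructor", which an attacker-chosen field name could exploit.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Reduce a form to {name, type} pairs. In a browser `form` is an
// HTMLFormElement; a plain array of {name, type} objects is accepted too so
// the check runs in Node (no DOM) against a constructed snapshot.
function snapshotFields(form) {
  const controls = Array.isArray(form) ? form : Array.from(form.elements);
  return controls
    .filter((c) => c.name) // unnamed controls (e.g. a submit button) carry no data
    .map((c) => ({ name: c.name, type: c.type }));
}

// Compare the live form against the expected one. Returns the discrepancies
// rather than a bare boolean so the caller can send them to the server.
function checkLoginForm(form, expected = EXPECTED_LOGIN_FIELDS) {
  const seen = snapshotFields(form);
  const injected = seen.filter((f) => !has(expected, f.name)).map((f) => f.name);
  const retyped = seen
    .filter((f) => has(expected, f.name) && expected[f.name] !== f.type)
    .map((f) => f.name);
  const missing = Object.keys(expected).filter(
    (name) => !seen.some((f) => f.name === name)
  );
  return {
    ok: injected.length === 0 && retyped.length === 0 && missing.length === 0,
    injected,
    retyped,
    missing,
  };
}

// Constructed snapshot standing in for the DOM state of the form as served.
const CLEAN_FORM = [
  { name: "username", type: "text" },
  { name: "password", type: "password" },
  { name: "csrf_token", type: "hidden" },
  { name: "", type: "submit" },
];

// The same form after a hypothetical in-browser modification: an extra
// "ssn" field added, and the password box turned into a plain text input.
const TAMPERED_FORM = [
  { name: "username", type: "text" },
  { name: "password", type: "text" },
  { name: "ssn", type: "text" },
  { name: "csrf_token", type: "hidden" },
  { name: "", type: "submit" },
];

console.log(checkLoginForm(CLEAN_FORM));
console.log(checkLoginForm(TAMPERED_FORM));
```

In a real page the call would be `checkLoginForm(document.querySelector("form#login"))` just before submission, with the result posted to a server endpoint. The report has to leave the browser: since the malware controls the same DOM and script context, it can suppress or falsify a check that only acts locally, so this is one layer of evidence for the server, not a gate the client enforces on its own.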
However, it’s important to recognize that this technique applies to most any type of web application, not just online banking. The fact that the technique has historically been focused on financial sites is simply a reflection of the extremely high value of those applications. Yet, the same concept applies to all types of web applications including SaaS-based applications, social media or any number of enterprise portals. In the same way we have watched APT techniques trickle down from nation-state actors to more opportunistic criminals, we should expect MitB to expand from financial services to all types of applications. Given the massive shift to web and cloud-based applications, we can certainly expect to see plenty more from MitB in the future. In my next column, I will dive into some of the best approaches to identifying and stopping man-in-the-browser malware.