
New “Universal” Man-in-the-Browser Attacks Collect Data Submitted to All Sites

Researchers have discovered a new type of Man-in-the-Browser (MitB) attack that is Website-independent: it does not target specific Websites, but instead collects data submitted to all sites.

This “universal” MitB attack, discovered by researchers at Trusteer, is different from traditional attacks, as it speeds up how data is stolen and may be used in automated campaigns.

[Image: Man In the Browser Attack Screenshot]

In a YouTube video (embedded below), the company demonstrated how the attack could happen. The video showed how a user could enter personal and financial information in a Web form on multiple Websites. After submitting the forms, the video showed a screenshot of the console used by the cyber-attacker. The console displayed the credit card data harvested from those sites, in what appears to be real-time data extraction.

“uMitB’s ability to steal sensitive data without targeting a specific Website and perform real-time post processing removes much of the friction associated with traditional MitB attacks,” Trusteer wrote.

Traditional MitB attacks generally are triggered when the victim computer is infected with malware that can view all the data entered using the Web browser. Traditional attacks typically collect data such as login credentials, credit card numbers, and other sensitive pieces of information as they are entered into a specific site, such as an online banking portal or the login page of a Web service. Generally the malware has a specific list of Websites it is monitoring for data entry.

Harvesting data from other sites, or additional fields on the targeted site, generally requires some form of post-processing on the attacker’s side to parse the logs to extract the valuable data. That’s not to say that doesn’t happen, since parsers are easily available for purchase in underground markets, and some criminals simply sell off the logs in bulk to other criminals interested in the information, according to Trusteer.

However, universal MitB attacks don’t bother with a list of targeted sites but monitor any and all sites loaded in the Web browser, Trusteer found. The malware detects data entered in the browser regardless of the Website and uses “generic” real-time logic to parse each piece of information and save the relevant items when the form is submitted, according to Trusteer.

The stolen data is stored in a console controlled by the attacker before it is sold off to other criminals interested in the data, or used in other operations.

[Image: Captured Data in Man In the Browser Attack]

The ability of universal MitB malware to perform real-time processing on data being entered is “significant,” Trusteer said. One possible scenario has criminals automating credit card fraud by using universal MitB to steal credit card numbers and then feeding the freshly stolen information to carding sites.

“The impact of uMitB could be significant since information stolen in real-time is typically much more valuable than ‘stale’ information, plus it eliminates the complexities associated with current post-processing approaches,” Trusteer said.

It appears that existing victims, those with machines already infected with the MitB malware, are susceptible to this new method of attack as soon as the malware gets updated with new configuration settings.

The best protection against these kinds of man-in-the-middle and other fraud attacks is to secure the endpoint against malware, Trusteer recommended.
