Web Page Injection and Tampering
Fraudsters use Man-in-the-Browser (MitB) malware to capture data or social engineer users into surrendering login credentials and other sensitive information. Man-in-the-Browser malware infects the end user’s device, injects new HTML into web pages served by the web server, and captures information directly from browser memory.
MitB web injection techniques seamlessly integrate into the web application's look and feel and retain the original URL and SSL protections. For all intents and purposes, the injected page looks like an original page served by the bank and can truly challenge even the most sophisticated, security-aware end users.
Some MitB attacks inject additional fields into the login page to capture additional information from the victims. Figure 1 below shows a screen capture, taken from a real malware attack, that added two fields to the login screen of an online banking site: “Generated Token Password” and “Wire Pin.”
Figure 1: Added Fields to Online Banking Login Page
Many malware configurations leverage MitB attacks to inject an entire page (or a sequence of pages) designed to social engineer the end user into providing information or performing an action. Figure 2 shows a screenshot of a real web inject into a popular web site. Unsuspecting users are encouraged to enter sensitive personal information (in this case, credit card data) under the pretense of “extra security measures.”
Figure 2: Social engineering with full page injection
MitB malware leverages browser add-ons and Document Object Model (DOM) interfaces, and patches browser executable files, to gain access to application data. To protect against MitB attacks, organizations need to ensure browser interfaces are not maliciously accessed or tampered with and that the end users' devices are free of MitB malware.
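One way a site can detect the added-field injection shown in Figure 1 is to compare the controls actually present in the login form against the set the server shipped. The following is an added example, not code from the original page or any vendor; the manifest, the function name `auditFormFields` and the sample field names are assumptions constructed for illustration.

```javascript
// Expected login-form manifest (constructed for this example): field name -> input type.
const EXPECTED_LOGIN_FIELDS = { username: "text", password: "password" };

// Control types that carry no user-entered data and are ignored by the audit.
const IGNORED_TYPES = new Set(["submit", "button", "reset", "image", "fieldset"]);

// Compare the controls present in a form against the manifest the server shipped.
// `form` is an HTMLFormElement in a browser, or any object with an iterable `elements`.
function auditFormFields(form, expected) {
  const findings = { unexpected: [], retyped: [], missing: [] };
  const seen = new Set();
  for (const el of Array.from(form.elements)) {
    const type = String(el.type || "text").toLowerCase();
    if (IGNORED_TYPES.has(type)) continue;
    // Injected controls may be unnamed; fall back to id so they are still reported.
    const key = String(el.name || el.id || "(unnamed)").trim().toLowerCase();
    seen.add(key);
    if (!Object.prototype.hasOwnProperty.call(expected, key)) {
      findings.unexpected.push({ field: key, type });
    } else if (expected[key] !== type) {
      findings.retyped.push({ field: key, expected: expected[key], actual: type });
    }
  }
  for (const name of Object.keys(expected)) {
    if (!seen.has(name)) findings.missing.push(name);
  }
  findings.tampered =
    findings.unexpected.length + findings.retyped.length + findings.missing.length > 0;
  return findings;
}

// Constructed sample: a login form with two added fields, as in Figure 1.
const injectedForm = {
  elements: [
    { name: "username", type: "text" },
    { name: "password", type: "password" },
    { name: "generated_token_password", type: "password" },
    { name: "wire_pin", type: "password" },
    { name: "", type: "submit" },
  ],
};
// The same form as the server shipped it (constructed).
const cleanForm = { elements: injectedForm.elements.filter((e, i) => i < 2 || i === 4) };

console.log(auditFormFields(injectedForm, EXPECTED_LOGIN_FIELDS));
```

Because MitB malware runs inside the same browser, it can also alter or suppress a client-side check like this, so the result is best treated as one detection signal reported to the server rather than as protection.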