Man-in-the-Browser

About Man-in-the-Browser

Man-in-the-browser refers to malware that resides inside the browser and can capture login information or modify transactions. Most recent malware uses man-in-the-browser techniques.

Theoretically there isn’t much difference between a man-in-the-middle and a man-in-the-browser attack. In both attacks the fraudster sits between the consumer and the website and controls everything that flows between the two. Technically, the two attacks use different methods. A man-in-the-middle attack uses a proxy server that relays traffic between the consumer and the website, while man-in-the-browser malware sits inside the browser and controls the traffic that goes in and out of the browser.

Malware can get inside the browser using three main techniques: browser add-ons, manipulation of the browser's DOM interface, and code injection into the browser's process.

Browsers such as Microsoft Internet Explorer and Firefox offer technology that allows adding software components (add-ons) into the browser. Add-ons can control everything that happens within the browser. Add-ons are usually used to add features (for example: extra toolbars, animated mouse pointers, stock tickers, and pop-up ad blockers) to the Web browser. Many add-ons come from the Internet. Most add-ons from the Internet require the consumer to provide permission before they are downloaded to the computer. Some, however, may be installed without the consumer’s knowledge. Although this technology was created to add useful features to the browser, it is also used by fraudsters to perform malicious activity such as stealing sensitive information, injecting transactions into authenticated sessions, and changing information the consumer sees.

But add-ons are not the only way to get into the browser. Any application (including malware) on the consumer's desktop can get an external reference to open browser windows and access the browser, a technique known as browser DOM interface manipulation. Once the malware has the reference it can control the browser and read information, inject transactions, and control the session.

Another common way to get into the browser is using injection techniques. The malware can inject itself into the browser's process and once it is there it fully controls the browser.
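
As a defender-side illustration of the add-on route described above, the following added example (not code from the original page and not Rapport's mechanism) audits WebExtension manifests for grants that would let an add-on read or alter pages on a protected site. It assumes the WebExtension manifest format used by current Firefox and Chromium-based browsers; the manifests, the host name `online.bank.example` and the function names are constructed for the illustration.

```python
import json

# Match patterns that cover every site, including a protected one.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# WebExtension API permissions that expose or alter traffic, pages or session data.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "scripting", "tabs", "cookies", "debugger", "proxy"}

# Constructed sample manifests (not real extensions).
TOOLBAR = json.dumps({
    "name": "Handy Toolbar", "manifest_version": 2,
    "permissions": ["tabs", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*.bank.example/*"], "js": ["t.js"]}]})
TICKER = json.dumps({
    "name": "Stock Ticker", "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://quotes.example/*"]})


def matches_host(pattern, host):
    """True if a manifest match pattern can apply to host (scheme and path ignored)."""
    if pattern in BROAD_HOSTS:
        return True
    if "://" not in pattern:
        return False  # an API permission name, not a host pattern
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host == host


def audit_manifest(manifest_text, protected_host):
    """Return sorted findings showing how this add-on could reach protected_host."""
    manifest = json.loads(manifest_text)
    grants = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    findings = set()
    for grant in grants:
        if grant in SENSITIVE_APIS:
            findings.add("api:" + grant)
        elif matches_host(grant, protected_host):
            findings.add("host-access:" + grant)
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if matches_host(pattern, protected_host):
                findings.add("content-script:" + pattern)
    return sorted(findings)
```

Calling `audit_manifest(TOOLBAR, "online.bank.example")` lists every grant that reaches the protected host, while the ticker manifest, which is scoped to its own quote site, produces no findings.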

How Rapport Protects Against Man-in-the-Browser

Rapport uses its API blocking layer to defeat man-in-the-browser attacks. Rapport controls the communication between add-ons and the browser. An add-on that tries to perform an unauthorized operation, such as reading passwords or injecting a transaction during a session with a Rapport-protected website, is blocked by the API blocking layer. The communication between any application on the desktop and the browser is also controlled by Rapport; any attempt to interfere with that communication and access unauthorized information is blocked. Lastly, the API blocking layer prevents malware from injecting itself into the browser's process.

Rapport protects against all man-in-the-browser attacks, regardless of the technology they implement to access the browser.

Other Approaches to Man-in-the-Browser Protection

Other approaches to man-in-the-browser protection are based on a scanning engine that scans the consumer’s desktop and looks for malware. This approach is used by anti-virus and anti-spyware solutions. The problem with this approach is that it requires building a complete list of all bad software, a practically impossible mission given the large volume of malware and its rapid distribution.