
That Man in the Browser (MITB) can kill you

written by: Ashwin Satyanarayana • edited by: Rebecca Scudder • updated: 8/15/2008

Virus threats have evolved over the years, taking on complicated forms and myriad ways to cause harm to our PCs. One such form is phishing, specifically a Man in the Browser (MITB) attack. Read this explanation of the MITB attack and what can be done to prevent such attacks:


    You have read ad nauseam that viruses make news, that spam is inevitable and that threats are, well… threats. The trends, however, say that we are all going to be fried deep brown if we don’t watch our backs. From receiving innocuous messages that tempt you to bite the proverbial sin apple, to being stripped of your shirt by emails that can literally kill your throbbing heart in one stroke (thanks to that phishing attack), you are at the unflinching mercy of fraudsters who are more than happy to lap up your personal information (financial information, more than anything else). Thankfully, arming yourself with tons of knowledge is the first step towards safety, and we will even discuss some very specific tools to help combat MITB attacks.

    There is a Man in the Browser:

    Here is a brand new – I almost fainted at the thought of this being even a remote possibility – security threat that can single-handedly close down the very sanctity and purpose of the Internet as a platform for e-commerce. MITB (Man in the Browser) is an attack Trojan that intercepts the transaction happening between the user and a banking/financial/trading/e-commerce website, at the browser level on the user’s computer.

    How the heck can this man be so deadly?

    He can literally slit your throat, that’s why. The MITB attack program manifests itself in the browser of the user’s computer and is not even noticeable by the user herself. It runs in stealth mode, which makes it impossible for you to notice that this program is helping you to lose your shirt. This program is capable of altering both the data entered as part of the transaction and the browser’s security system.

    It is lethal and dangerous because while you enter data in the input fields on the website’s page, the hidden browser object (the malicious Trojan) actually generates another set of data (relevant to the phisher’s needs), and you have no inkling of this because everything appears normal to you. Even the payment gateways (the security protocols or the certificates that come with the website you are transacting on) won’t be able to notice the malicious activity, simply because from the website’s viewpoint data is being entered, and that doesn't flag the codes that trigger alarms of any sort.

    This insidious attack can hence initiate any kind of fraudulent transaction, attack your online details, plunge you into financial darkness and wreak havoc with your life.

    For instance, an MITB attack can literally modify the recipient’s bank account number (to a number that reflects one of the phisher’s/hacker’s own accounts) to siphon the money that you are sending. You don’t know this is happening since there is no way you can see it happening. You see it only after the transaction, when it shows up in the transaction log, but by then it is too late to recover the money. In late October 2006, it was reported that two large brokerages in the United States were attacked in this manner and that the attackers effectively managed to embezzle about 22 million US dollars.
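
    To make the altered-recipient case above concrete, here is an added example (not from the original article, and not TriCipher's method): a server that only sees well-formed form data accepts the altered transfer, while a confirmation code computed on a separate device over the recipient and amount the user intended no longer matches. The key, account numbers, nonce and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo secret (assumption): shared by the bank's server and a
# separate device that the infected browser cannot read or modify.
DEVICE_KEY = b"constructed-demo-key"


def looks_valid(tx: dict) -> bool:
    """Format-only checks, which is all the website can apply to form data."""
    return tx["recipient"].startswith("ACCT-") and tx["amount_cents"] > 0


def confirmation_code(key: bytes, tx: dict, nonce: str) -> str:
    """8-digit code bound to the exact recipient, amount and transaction nonce."""
    msg = f"{nonce}|{tx['recipient']}|{tx['amount_cents']}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def server_accepts(key: bytes, submitted: dict, nonce: str, code: str) -> bool:
    """Recompute the code over what actually arrived from the browser."""
    if not looks_valid(submitted):
        return False
    return hmac.compare_digest(confirmation_code(key, submitted, nonce), code)


def simulate(tampered: bool) -> dict:
    """Constructed transfer; 'tampered' models the altered recipient field."""
    intended = {"recipient": "ACCT-1111", "amount_cents": 50_000}  # typed by user
    submitted = dict(intended)
    if tampered:
        submitted["recipient"] = "ACCT-9999"  # what leaves the browser instead
    nonce = "txn-0001"  # issued by the server per transaction
    # The user keys the details they intend into the separate device.
    code = confirmation_code(DEVICE_KEY, intended, nonce)
    return {
        "passes_format_checks": looks_valid(submitted),
        "accepted_with_code": server_accepts(DEVICE_KEY, submitted, nonce, code),
    }


if __name__ == "__main__":
    print("clean:   ", simulate(False))
    print("tampered:", simulate(True))
```

    The check only helps if the separate device is outside the browser's reach and the user enters or reads the recipient there, since anything shown in the infected browser can be altered too.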

    Is it still relevant now? More than ever! The Anti-Phishing Working Group (APWG) has logged (the APWG report, January 2008) a whopping 30,000 unique phishing cases; some 364 reports of keylogging crimeware installation (up by 1.4% from last year’s high in October 2007); and over 130 brands in the US that have been attacked by phishers. A whopping 92.5% of the financial industry suffers phishing attacks, and this is closely followed by ISPs (3.8%), the retail industry (1.5%) and government and miscellaneous sites (about 2.3%). Phishing is everywhere, isn't it?

    How to Prevent an MITB attack?

    There are various tools available, especially to protect online transactions. One such great tool is the TriCipher Armored Credential System (TACS), which is a complete credential verification and unified authentication set-up that prevents fraud and identity theft by creating, issuing and managing several low-cost, easy-to-use credentials. The remarkable thing about this protection tool is that it follows a multi-layered approach to check fraud.

    For instance, at first, it delivers an easy interface in which the user sees a system that just asks for her username and password. However, the patented TriCipher system has a protected ID vault in which these credentials are stored. For the transaction to happen, both sets of credentials, the ones input and the ones stored in the ID vault, must match. It is hence impossible for a fraudster to just install some software in your browser and alter the credentials, because the transaction won't happen if the data input doesn't match.

    The TriCipher System takes the protection one step further by adding even more layers, using tools and protocols like smart tokens, extra passwords, biometric USBs, etc.

    MITB attacks can get even more complicated in the future and the way to surmount this would be to do the following:

    1. Read up on the articles given below
    2. Read up more elsewhere and learn as much as you can
    3. Use the tools recommended here or elsewhere and ensure that you invest in them to safeguard your system/organization.
