Web browsers are repositories that contain a significant amount of personal information, including credit card numbers and passwords. This makes the browsers a prime target for hackers to perpetrate main-in-the-middle (MitM), man-in-the-browser (MitB) and browser-in-the-browser (BitB) attacks.
In a man-in-the-middle (MitM) attack, the attacker inserts themselves between their target victim and the targeted website with the intention to steal sensitive personal information. Man-in-the-browser (MitB) attacks are a variation where malware infects the target victim's device and displays a phishing copy of the original website in the victim's browser to gather sensitive personal information.
Lately, we've been seeing a new variation of the MitM attack - the browser-in-the-browser (BitB) attack. BitB attack is a coding ruse that manipulates users into clicking on fraudulent third-party single sign-on (SSO) options embedded on websites, where they emerge as pop-ups for authentication.
How does the man-in-the-browser (MitB) attack work?
While MitM attacks rely on interception and decryption of fraudulently procured data, MitB onslaught uses a Trojan to infect the system’s software, such as OS or an application (browser). The attacker programs the Trojan to install an extension, which launches the moment a user restarts the browser. This extension registers a handler to scan the URL of every page load against a list of sites primed for attack.
The moment a page load matches a pre-configured list by the hacker for a strike, the handler will register a button event handler — which, when pressed by an unsuspecting user, extracts all data from the form fields through the document object model (DOM) and modifies it. The browser then acts at the behest of the extension and submits the modified form to the server, which carries out the transaction and issues a receipt to the browser.
The moment the browser receives the receipt, the extension again modifies the form data to resemble the one authenticated by the user. The result is that the user gets tricked into thinking that the receipt is for the original transaction. This method is increasingly finding favour with hackers pursuing financial frauds over banking channels.
Learn more about safeguarding against malicious extensions
How to detect man-in-the-browser (MitB) attacks?
Detecting a MitB attack is difficult because the Trojan does not leave a trail like a new process or a manipulated URL. However, you can implement safeguards like authentication and tamper detection.
A corporate security policy should consider installing bespoke certificates for web browsers on workstations to analyze encrypted communication. Such certificates mostly issue a green padlock to indicate the client has successfully authenticated with a corporate server/proxy using SSL/TLS encryption standards, instead of a distant server.
Latency analysis has the potential to detect assaults in specific instances. Parties can look for differences in response times to detect potential assaults. If a transaction takes more than usual time to complete (latency), it is symptomatic of third-party interference.
What are browser-in-the-browser (BitB) attacks and can you detect them?
In BitB, a hacker implants a fake SSO onto a legitimate website. Again, the attackers do not tamper with the URL and use HTML/CSS to create the pop-ups. Once the user lands on the page, which retains its ‘HTTPS’ encryption standard, the hackers can persuade them to part with their credentials by asking them to click on a fraudulent third-party SSO option for authentication.
Detecting a BitB is very difficult in that it does not tamper with the URL and leads the user into believing that the TLS/SSL encryptions secure the site. Having a sound password manager, which does not readily autofill details, is a way to negate the effects of BitB. In addition, having an MFA protocol, can help mitigate the risks.
What is the main difference between BitB and MitB?
MitB requires the hacker to compromise the browser through a Trojan to intercept and manipulate communications whereas, in a BitB attack, a hacker simulates a browser within a browser through a fraudulent version of a pop-up.
Browser-based attacks are on the rise, given their stealth and effectiveness in duping users. While authentication and tamper detection can help mitigate some of the risks, organizations need to go beyond these measures and consider deploying browser-based certificates and implementing Multi-Factor Authentication (MFA) protocols to protect themselves against these threats.
A solid penetration test can also help identify vulnerabilities in your network and systems and help protect you from these types of attacks. Contact the Packletlabs team today!