Man-in-the-Middle (MitM) attacks occur when an attacker positions themselves between a user and the application or service they are using, relaying the traffic while reading or altering it. From that position the attacker can steal credentials and session tokens, tamper with transactions, or use the stolen access as a foothold into the organization's network. These attacks are dangerous because the victim usually sees nothing wrong: the application keeps working, and detecting the interception is hard. The usual goal is to harvest data that can be sold or used to mount further attacks.
Attackers get into that position with malicious browser and app extensions, HTTPS spoofing (look-alike domains and fraudulent certificates), SSL stripping and session hijacking, and Wi-Fi eavesdropping on rogue or compromised access points. A notable close-access Wi-Fi attack was attempted in 2018, when Russian GRU officers tried to break into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
One popular variant is the Man-in-the-Browser (MitB) attack, in which malicious code runs inside the victim's own browser, typically delivered as a browser extension that looks benign. Because the code executes in the browser, it sees every page after TLS has been decrypted and every form field before it is encrypted, so it has access to all data the browser handles. It also gives the attacker cover: security tools built to catch malicious executables and software exploits see only a browser running an extension.
By design, an extension with broad host permissions can read and modify every page the browser renders, in every tab. Once the user has logged in, the extension can hijack the authenticated session and capture whatever is displayed or typed, including credentials and other sensitive form data. In effect the extension can do everything the user can do and see everything the user sees inside that browser.
Because these extensions run inside the browser, TLS (SSL) encryption does not protect against them: it only protects data in transit, and the extension reads the plaintext at the endpoint. Two-factor authentication (2FA) is sidestepped the same way: the extension simply waits until the user has completed authentication and then rides the authenticated session, stealing data to sell or to mount further attacks. Network-level MitM attacks remain a concern, but the browser has become the endpoint that needs defending, and man-in-the-browser threats pose a real danger.
What Do Man-in-the-Browser Attacks Look Like?
Some examples of how a MitB infection begins:
- A pop-up ad invites you to install perfectly legitimate software, such as an ad blocker. You install it, and a week later it is automatically updated with malicious code without your knowledge, because whoever controls the extension's update channel can push new code to everyone who installed it. You're infected!
- You visit a website and click a link that seems legitimate. Instead, malicious HTML and script are loaded into your browser, and you have inadvertently picked up "snoopware." You're infected!
- A fake update to legitimate software you already use. We have all seen prompts to update our Flash player, right? You're infected!
What Can You Do To Protect Yourself?
So how do you know if this is a problem in your organization? Start by assessing the attack surface. Here are a few questions: Where are your employees protected, and where are they not? Are they protected when opening URLs in their browser and on their mobile device? Which browser extensions are installed across the fleet, and what can those extensions read? Are your users protected from zero-hour threats in real time? A no to any of these questions indicates that your users, and the organization, are at risk.
A cyber readiness plan to protect against multi-channel phishing attacks should include people, processes, and tools. Communicate the risk of browser-based phishing. Educate users on identifying social-engineering tactics and on reporting suspected compromises. Set up an abuse inbox, and enable alerts for suspicious activity such as logins from unexpected countries. Deploy security tools that use AI and computer vision to detect and block malicious zero-hour threats across email, web, and mobile, and restrict which browser extensions users may install so that a benign-looking extension cannot quietly become a man-in-the-browser.
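As an added example, not part of the original article, the following Python script makes the "complete canvas" point above concrete and answers the attack-surface question about extensions: it reads extension manifests and flags those whose permissions let them read or rewrite every page the user visits, which is all a man-in-the-browser needs. The sample manifests are constructed for illustration and are not real extensions; the on-disk layout that `audit_directory` walks (one `manifest.json` per installed extension version) is Chrome's, and the set of "risky" permission names is this example's own judgement, not a vendor list.

```python
"""Flag browser extensions whose manifest grants whole-browser access.

An extension that can run on every site sees pages after TLS decryption and
rides the user's authenticated session, so its permissions are the blast
radius of a man-in-the-browser compromise. This is example code written for
this article; the sample manifests below are constructed, not real extensions.
"""
import json
import os
from dataclasses import dataclass, field

# Match patterns that cover every site the user can visit.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or rewrite page content,
# requests or cookies (this selection is the example's own, not a vendor list).
RISKY_API_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "scripting", "tabs", "debugger", "proxy", "webNavigation",
}


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def broad_access(self) -> bool:
        return bool(self.reasons)


def is_broad_match(pattern: str) -> bool:
    """True if a match pattern applies to every web origin (wildcard host)."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return scheme in ("*", "http", "https") and host == "*"


def assess_manifest(manifest: dict) -> Finding:
    """Return a Finding listing every reason this extension can act as a MitB."""
    finding = Finding(manifest.get("name", "<unnamed>"))
    permissions = manifest.get("permissions", [])
    # Manifest V2 lists host patterns under "permissions"; V3 under "host_permissions".
    hosts = [p for p in permissions if "://" in p or p == "<all_urls>"]
    hosts += manifest.get("host_permissions", [])
    broad_hosts = sorted(h for h in hosts if is_broad_match(h))
    if broad_hosts:
        finding.reasons.append(f"host access to every site: {broad_hosts}")
    risky_apis = sorted(set(permissions) & RISKY_API_PERMISSIONS)
    if risky_apis:
        finding.reasons.append(f"page/traffic APIs: {risky_apis}")
    # A content script injected into every page can read forms and rendered
    # DOM and hook fetch/XMLHttpRequest in the page's own context.
    for script in manifest.get("content_scripts", []):
        if any(is_broad_match(m) for m in script.get("matches", [])):
            finding.reasons.append(
                f"content script injected into all pages: {script.get('js')}")
            break
    return finding


def audit_manifests(manifests) -> dict:
    """Map extension name -> reasons, for manifests that grant whole-browser access."""
    return {f.name: f.reasons for f in map(assess_manifest, manifests) if f.broad_access}


def audit_directory(root: str) -> dict:
    """Same audit over an on-disk extensions directory laid out as
    <root>/<extension id>/<version>/manifest.json (Chrome's profile layout)."""
    manifests = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifests.append(json.load(fh))
    return audit_manifests(manifests)


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    {   # An ad blocker legitimately needs all of this; that is exactly the problem.
        "manifest_version": 3,
        "name": "Example Ad Blocker",
        "permissions": ["declarativeNetRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    {   # Manifest V2 style: wildcard hosts plus blocking webRequest and cookies.
        "manifest_version": 2,
        "name": "Example Coupon Finder",
        "permissions": ["*://*/*", "webRequest", "webRequestBlocking", "cookies"],
    },
    {   # Narrow: acts only on the active tab when clicked, plus one API host.
        "manifest_version": 3,
        "name": "Example Weather Widget",
        "permissions": ["activeTab", "storage"],
        "host_permissions": ["https://api.example.com/*"],
    },
]

if __name__ == "__main__":
    for name, reasons in audit_manifests(SAMPLE_MANIFESTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Point `audit_directory` at a profile's extensions folder (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`; on Linux, `~/.config/google-chrome/Default/Extensions`) to inventory a machine. Note what the audit does and does not tell you: it measures how much an extension could read or rewrite, not whether it is malicious today. The constructed ad blocker is flagged on three counts even though it needs every one of those permissions to do its job, and that is precisely why the auto-update scenario above is dangerous: whoever can push the next version inherits that access. The audit therefore supports an allowlist decision rather than replacing one.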