If you work in network security at your organization, you are most likely familiar with man-in-the-middle (MiTM) attacks. In a MiTM attack the attacker inserts themselves into the communication path between two parties, where they can read the traffic or even alter it to harvest personal data. Today, while MiTM attacks remain a real concern, the endpoint that matters most has become the browser itself, and that shift has created the man-in-the-browser (MiTB) threat, which poses a real danger.
Why the Browser?
A recent Dark Reading article by Rajesh Ranganathan, The Browser is the New Endpoint, discusses how HTML5, while addressing earlier security threats to network endpoints, has opened the browser as the latest area of phishing concern by enabling far more capable web applications.
HTML5 has also created a thriving ecosystem of browser extensions that improve the experience of Chrome, Firefox, Edge, and other HTML5 browser users. With extensions, users don’t install full-blown software packages on their devices. Instead, extensions install directly in the browser, typically enhancing the browser’s existing interface rather than introducing a separate one. As a result, end users can install and use extensions on their own, without going through IT.
All modern browsers, including Chrome, Edge, Firefox, and Safari, let third-party developers extend default functionality by writing custom code in the form of browser extensions. These extensions are not standalone executables but packages of HTML, CSS, and JavaScript that run inside the browser’s own process. Once installed, an extension uses the browser’s extension APIs and in-memory state (pages, cookies, requests) to offer its functionality.
Browser extensions, by design, have access to most of the browser’s resources and to the information entered and rendered within it, limited only by the permissions the user grants at install time, which are often broad. It wasn’t long before cybercriminals realized that malicious code disguised as a benign-looking browser extension would not only give them access to virtually all data inside the browser, but would also provide much-needed cover from security systems designed to catch only malware executables and software exploits.
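The permissions an extension declares in its manifest are the practical boundary of what it can see, so reviewing them is the first check to run on any extension before it lands in a managed fleet. The script below is an added example, not code from the article or from any vendor product: it audits a manifest.json for the combination a man-in-the-browser extension needs (host access to every site plus the ability to read pages or watch requests). The three manifests and the extension names in them are constructed for the example; the permission names are the real Chrome/Edge/Firefox ones, and the script handles both the Manifest V2 layout (host patterns inside `permissions`) and the V3 layout (`host_permissions`).

```javascript
// Added example (not from the original article): audit an extension manifest
// for the permission set that a man-in-the-browser extension needs.
// Manifest V2 and V3 share this format across Chrome, Edge and Firefox.
// Runs under Node without a browser: node audit-manifest.js
'use strict';

// Host patterns that grant access to every site, not just one domain.
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

// API permissions that read or alter data across sites, or leave the sandbox.
const SENSITIVE_API = {
  webRequest: 'observe every request, including POST bodies',
  webRequestBlocking: 'modify or block requests in flight (MV2)',
  declarativeNetRequest: 'rewrite or redirect requests by rule (MV3)',
  cookies: 'read session cookies for granted hosts',
  tabs: 'read URLs and titles of every open tab',
  history: 'read browsing history',
  clipboardRead: 'read the clipboard (e.g. passwords pasted from a manager)',
  debugger: 'attach the DevTools protocol to any tab',
  nativeMessaging: 'talk to a native process outside the browser',
  proxy: "route all traffic through a proxy of the extension's choosing",
  scripting: 'inject scripts into pages matching host permissions (MV3)',
};

function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

// MV2 lists host patterns inside "permissions"; MV3 moved them to "host_permissions".
function hostPermissions(manifest) {
  const inline = (manifest.permissions || []).filter(isHostPattern);
  return inline.concat(manifest.host_permissions || []);
}

function apiPermissions(manifest) {
  return (manifest.permissions || [])
    .concat(manifest.optional_permissions || [])
    .filter((p) => !isHostPattern(p));
}

// Returns a list of { severity, detail } findings; an empty list means nothing notable.
function auditManifest(manifest) {
  const findings = [];

  const broadHosts = hostPermissions(manifest).filter((p) => BROAD_HOST.test(p));
  if (broadHosts.length) {
    findings.push({ severity: 'high', detail: `host access to every site: ${broadHosts.join(', ')}` });
  }

  const apis = apiPermissions(manifest);
  for (const p of apis) {
    if (p in SENSITIVE_API) findings.push({ severity: 'medium', detail: `${p}: ${SENSITIVE_API[p]}` });
  }

  // Content scripts matching every page see the DOM (and form fields) of every page.
  let broadContentScript = false;
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD_HOST.test(m));
    if (broad.length) {
      broadContentScript = true;
      findings.push({ severity: 'high', detail: `content script ${(cs.js || []).join(', ')} runs on ${broad.join(', ')}` });
    }
  }

  // The MiTB combination: read every page AND watch the traffic that leaves it.
  const readsEverything = broadHosts.length > 0 || broadContentScript;
  if (readsEverything && apis.includes('webRequest')) {
    findings.push({ severity: 'critical', detail: 'reads every page and observes all requests: man-in-the-browser capable' });
  }
  return findings;
}

function riskLevel(manifest) {
  const sev = auditManifest(manifest).map((f) => f.severity);
  for (const level of ['critical', 'high', 'medium']) if (sev.includes(level)) return level;
  return 'low';
}

// Constructed sample manifests for this example; none of these are real extensions.
const SAMPLE_MANIFESTS = {
  singleSiteHelper: { manifest_version: 3, name: 'Example helper', permissions: ['storage'],
    host_permissions: ['https://example.com/*'],
    content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }] },
  mv2Interceptor: { manifest_version: 2, name: 'Free Blocker',
    permissions: ['<all_urls>', 'webRequest', 'webRequestBlocking', 'cookies', 'tabs', 'storage'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }] },
  mv3Injector: { manifest_version: 3, name: 'Page Tweaks', permissions: ['scripting', 'storage'],
    host_permissions: ['*://*/*'] },
};

for (const [name, m] of Object.entries(SAMPLE_MANIFESTS)) {
  console.log(`${name}: ${riskLevel(m)}`);
  for (const f of auditManifest(m)) console.log(`  [${f.severity}] ${f.detail}`);
}
```

The audit flags capability, not intent: a genuine ad blocker legitimately needs `<all_urls>` and `webRequest`, which is exactly why such an extension is a valuable target for a takeover or a malicious update. Treat a critical result as "review this extension's publisher, update history and store listing before allowing it", not as proof of malice.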
Because these extensions run inside the browser, TLS (SSL) encryption does not hinder them: the browser decrypts traffic before an extension sees it, so page content, form fields, and request bodies are available in plaintext. To bypass two-factor authentication (2FA), such extensions usually wait for the authentication phase to complete, then snoop on the authenticated session, stealing data and session tokens to mount further attacks.
Browser extensions are not the only vector, however. Other MiTB techniques include dynamically loaded libraries that the browser loads at startup (Browser Helper Objects in Internet Explorer, for example); API hooking, where the MiTB component inserts itself between an executable application (EXE) and the libraries (DLLs) it calls, intercepting data before it is encrypted; and JavaScript delivered by a malicious Ajax worm.
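The two points above, that a hook placed inside the browser sees plaintext and that a careful MiTB waits until 2FA has finished, are easiest to see in code. The block below is an added example written for this page, not code from the article or from any real malware: it simulates the page's request function with a plain object (a stand-in for `XMLHttpRequest.prototype.send`; the login flow, URLs, one-time code and session value are constructed), installs a hook of the kind described, and then runs two integrity checks that a page script can use to notice such a hook. It runs under Node; nothing in it touches a real browser.

```javascript
// Added example (not from the original article): a simulated man-in-the-browser
// hook and two integrity checks against it. The "transport" object stands in for
// the page's XMLHttpRequest.prototype.send; the whole file runs under Node.
'use strict';

// The page's own transport. In a real browser the body is encrypted with TLS
// only after this point, which is why a hook here sees plaintext.
function makeTransport() {
  return {
    cookies: {},          // stand-in for document.cookie
    received: [],         // what the "server" got
    send(url, body) {
      this.received.push({ url, body });
      // Constructed login flow: password, then a one-time code, then a session cookie.
      if (url === '/login/2fa' && body.otp === '123456') this.cookies.session = 'sess-7f3a';
      return { status: 200 };
    },
  };
}

// What a MiTB script does: wrap send(), keep the original working, and stay
// silent until the user has finished password + 2FA, so every captured
// request already carries an authenticated session.
function installMitbHook(transport, exfiltrate) {
  const original = transport.send;
  transport.send = function hookedSend(url, body) {
    const authenticated = Boolean(this.cookies.session);   // decided before the call
    const result = original.call(this, url, body);          // the page behaves normally
    if (authenticated) exfiltrate({ url, body, session: this.cookies.session });
    return result;
  };
}

// Check 1: pin the function reference at page load and compare it later.
function makeReferenceCheck(transport) {
  const pristine = transport.send;
  return () => transport.send === pristine;
}

// Check 2: a browser-native function stringifies to "[native code]"; a JS wrapper does not.
function looksNative(fn) {
  return /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

function demo() {
  const transport = makeTransport();
  const isUntouched = makeReferenceCheck(transport);     // captured before the hook lands
  const referenceCheckBeforeHook = isUntouched();

  const stolen = [];                                     // stand-in for the attacker's C2
  installMitbHook(transport, (record) => stolen.push(record));

  // The victim's session, as the page itself would drive it (constructed data).
  transport.send('/login', { user: 'alice', pass: 'hunter2' });
  transport.send('/login/2fa', { otp: '123456' });
  transport.send('/transfer', { to: 'acct-42', amount: 5000 });
  transport.send('/profile', { email: 'alice@example.com' });

  return {
    referenceCheckBeforeHook,
    referenceCheckAfterHook: isUntouched(),
    hookedSendLooksNative: looksNative(transport.send),
    realNativeLooksNative: looksNative(Array.prototype.push),
    stolen,
    serverReceived: transport.received.length,
  };
}

const demoResult = demo();
console.log(JSON.stringify(demoResult, null, 2));
```

Two things to notice in the output: the login and 2FA requests are never exfiltrated, yet everything after them is, complete with the session cookie, so the attacker never has to defeat the second factor at all; and the server still receives all four requests, so nothing breaks for the user. Both checks are heuristics, not a boundary. The reference check only works if the page captured the reference before the hook was installed, and an extension that injects into the page at `document_start` (in Chrome, content scripts live in an isolated world and must inject a script into the page's main world to hook its JavaScript; they can read the DOM regardless) runs first. The `[native code]` check flags a JavaScript wrapper around a native function such as the real `XMLHttpRequest.prototype.send`, but an attacker who controls the page's JavaScript can override `Function.prototype.toString` as well.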
What Do Man-in-the-Browser Attacks Look Like?
A few examples of how a MiTB infection begins:
- A pop-up ad invites you to install a perfectly legitimate piece of software, such as an ad blocker. You install it, and a week later it is automatically updated with malicious code without your knowledge. You’re infected!
- You visit a website and click a link that seems legitimate. Instead, malicious script is loaded into your browser and you have inadvertently installed “snoopware.” You’re infected!
- A phony-looking update to legitimate software you already use. We’ve all been prompted to update our Flash Player before, right? You’re infected!
What Can You Do To Protect Yourself?
To address this growing problem, we’ve pioneered an entirely new, cloud-powered, adaptive approach to real-time, zero-page phishing site detection. Instead of relying on outdated methods like domain reputation and URL analysis, which hackers can easily evade, we use live Session Emulation and patent-pending SEER™ detection technology to detect malicious sites in real time.
By dynamically inspecting suspicious browsing content and server behavior, we can detect previously unknown phishing threats in seconds. Confirmed malicious URLs are immediately available as a dynamic block list for firewalls, DNS servers, or other blocking infrastructure. This approach enables us to stop complex zero-hour phishing threats in real time with the speed, power, and scale of the cloud. Blocking the site that delivers the extension or script addresses the infection vector; an extension that is already installed, or one that turns malicious through an update, still needs its permissions and update behavior reviewed.