Concepts against Man-in-the-Browser Attacks

By | December 3, 2006

A new threat is emerging that attacks browsers by means of trojan horses. This new breed of trojan horse can modify transactions on the fly, as they are formed in the browser, while still displaying the user's intended transaction to her. Structurally, they are a man-in-the-middle attack between the user and the security mechanisms of the browser.

Distinct from phishing attacks, which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all: they use the real service, the user is correctly logged in as normal, and there is no visible difference.

The WYSIWYG concept of the browser is successfully broken. No advanced authentication method (PIN, TAN, iTAN, client certificates, SecurID, smartcards, class 3 readers, OTP, …) can defend against these attacks, because the attacks work on the transaction level, not on the authentication level. PKI and other security measures are simply bypassed, and are therefore rendered ineffective against this class of attack.

The new trojan technology is technically more advanced than prior generations, combining Browser Helper Objects, browser extensions, and direct browser manipulation.

At the time of writing, Firefox and Internet Explorer are known to be successfully targeted, both on the Windows platform. Similar attacks on other browsers and other operating systems are likely just a question of time and "demand factors": any sufficiently large user base will likely be attacked.

Currently this technology seems to be only in the hands of financial fraudsters. It is currently high-tech and high-priced, with very limited distribution. The time-to-market for active attacks is estimated to be 3 days. Only targets of significant financial value face a worrying risk of being attacked with this technology in the near term.

The full paper is available for download.
