Man-in-the-Browser Attack (MITB): Definition & Defense
About half of all Americans say online banks give them perks that can't be matched by a brick-and-mortar bank. They head online to do all their banking. While there are many benefits to online banking, consumers have to protect themselves against hackers.
One type of attack to watch out for is a man-in-the-browser attack.
A man-in-the-browser attack begins with malware. You download the virus, and the program takes advantage of parts of your browser system. Then, it modifies content or authorizes transactions. You may not see this attack as it unfolds.
Let's dig deeper into this form of attack. We'll provide critical tips you can use to strengthen your MITB security.
What is a man-in-the-browser attack?
During a MITB attack, a hacker steps into the conversation between your computer and a server. The hacker sees the data as it passes back and forth, and they can intercept and manipulate notes before releasing them to another party.
This could have a wide variety of consequences. For example, a recent report showed that a hacker could use a MITB attack to entice engineers to make biological weapons. It might look like this:
- A bioengineer opens a line of communication with a DNA synthesis company.
- The engineer sends a code of sequences as an order.
- The hacker intervenes and grabs the message.
- The hacker changes the sequences.
- The company makes the altered item, and neither side knows that anything has been changed.
A MITB is similar to a proxy Trojan attack. Here, a hacker takes over a victim's computer and intercepts all notes before releasing them to the intended recipient.
Man-in-the-browsers attacks have a lot in common with boy-in-the-browser attacks. Boy-in-the-browser attacks are less critical and involve changing the computer's routing path. It's harder for hackers to perform a large-scale theft with this tool.
How do man-in-the-browser attacks work?
No hacker can step into your conversations without one subtle mistake made on your side. It's that error that sets the entire project in motion.
A hacker needs you to download malware that they can manipulate to start the attack. Some hackers use a form of social pressure to get you to download their malware. You might see a post or a link that seems like it's trustworthy since it comes from or is connected to someone you know. But that person has been hacked, and as part of the hack, they share a post inadvertently.
Once malware starts running, MITB hackers manipulate items that make your browser work. Those pieces include:
- Extensions
- Helper objects
- API hooking
- Javascript
You can turn off some of these items. For example, Javascript can help to spur a malicious Ajax worm. You can ensure that your browser doesn't run files like this. But some items hackers manipulate simply can't be turned off.
MITB security basics
Your financial conversations should remain private and protected. No one should be able to intervene between you and your bank. But protecting your valuable data from MITB attacks isn't always easy. You may need a multipronged approach.
Known solutions include:
- Using a secure browser. Some browsers come with protections against hacks like this.
- MFA, or out-of-band (OOB) transaction verifications. During an OOB transaction, details are verified with a second channel in addition to a web browser. For example, your bank might send a notice to your phone to confirm the data you entered before the transaction goes through. MFA is a type of OOB verification.
- Keeping software up-to-date. Antivirus software can catch some forms of malware as it hits your computer. But you'll need to update the software as often as possible. Older versions of software may not come with robust protections.
Help from Okta
Your best defense against hackers is a good offense. Learn how Okta can help secure your digital interactions.
References
Online Banking Isn't Just for Millennials Anymore. It's Quickly Becoming the Norm. (November 2019). Business Insider.
Cybersecurity Flaws Could Lead to Biological Attacks: Report. (December 2020). Infosecurity Magazine.
Man-in-the-Browser Attack. OWASP.
Protecting Against Man in the Browser Attacks. (December 2016). BetaNews.
New HTTPS-Only Mode Offers Secure Browsing to Firefox 83 Users. (November 2020). Security Boulevard.