Monkey-in-the-middle Web Browser Attacks

My kids like playing monkey-in-the-middle, a game where one person stands between two others and tries to intercept a ball thrown across the middle. In the realm of cyber security there is a nefarious attack similar to this children’s game, termed “man-in-the-browser.” Man-in-the-browser is being used to successfully bypass the authentication mechanisms used by online banking sites and hack into customer accounts.

The attack works like this: a user on their bank’s website enters a user name and PIN into the site. As the web page is being rendered, a piece of software now resident in the browser (a trojan that was unknowingly downloaded) wakes up and inserts a few additional lines into the page’s code, perhaps five lines of JavaScript: an alert box, a timer function, and maybe some in-page content. It then sends a message to the criminal.

What happens next looks perfectly normal. Upon loading, the alert box pops up and says “Server synchronization in process… please be patient,” or something to that effect.

Except that at that moment, as you check the incoming messages on your BlackBerry and sip that morning cup of caramel brulee latte, secure in the knowledge that these sophisticated systems and occasional waiting periods are the “price of modern security,” a hacker somewhere is receiving a timely message that you have started an authenticated session and are ready to transact. At this point, using the credentials contained in the message, the criminal can simply log in as you.

Imperva, a data security firm, predicts that these types of attacks will be among the top ten security threats, with increasing incidence in 2011. So what can you do?

Part of the frustration with a man-in-the-browser attack is that the trojan is very hard to detect and even harder to remove from the system. Unlike many other forms of intrusive malware, a man-in-the-browser trojan operates inside the browser itself, between the user’s input and the browser’s security mechanisms. This means that standard security measures will normally not even reveal the presence of the man-in-the-browser trojan.

One of the most effective methods of combating this attack is an out-of-band (OOB) transaction verification process. This overcomes the man-in-the-browser trojan by reading the transaction details, exactly as received by the host (bank), back to the user (customer) over a channel other than the browser, typically an automated telephone call. If the details read back differ from what the customer intended to send, the customer simply declines to confirm.
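As an added illustration (not code from the original post), the following Python sketch models both halves of such an out-of-band check: the bank binds a one-time confirmation code to the transaction details it actually received and reads those details back over the OOB channel, and the customer only relays the code if the details match what they meant to send. The key, transaction fields and function names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; a real deployment keeps this in an HSM or secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

@dataclass
class Transaction:
    txid: str
    payee: str
    amount: str
    confirmed: bool = False

_pending = {}  # txid -> Transaction awaiting confirmation (bank side)

def _code_for(tx: Transaction) -> str:
    # The one-time code is an HMAC over the details the bank actually received,
    # so a code issued for one payee/amount cannot confirm a different one.
    msg = f"{tx.txid}|{tx.payee}|{tx.amount}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def submit_transaction(payee: str, amount: str):
    """Bank side: record the request exactly as received from the browser and
    build the out-of-band notice (phone call / SMS) that repeats those details."""
    tx = Transaction(secrets.token_hex(4), payee, amount)
    _pending[tx.txid] = tx
    notice = {"payee": tx.payee, "amount": tx.amount, "code": _code_for(tx)}
    return tx.txid, notice

def customer_reviews(notice: dict, intended_payee: str, intended_amount: str) -> Optional[str]:
    """Customer side: compare what the OOB channel reads back with what was
    intended; only if they match is the code typed into the browser."""
    if notice["payee"] != intended_payee or notice["amount"] != intended_amount:
        return None
    return notice["code"]

def confirm_transaction(txid: str, code: Optional[str]) -> bool:
    """Bank side: accept the code relayed through the browser, once only."""
    tx = _pending.get(txid)
    if tx is None or tx.confirmed or code is None:
        return False
    if not hmac.compare_digest(_code_for(tx), code):
        return False
    tx.confirmed = True
    return True
```

The trojan can rewrite what the browser submits and what it displays, but it cannot change what the bank reads back over the phone, so a tampered payee or amount is exposed at review time and the code is never entered.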

The bottom line is this: no matter what you see going on during your session, if something “different” or unexpected happens during your online banking session, close your browser immediately and call your bank or online broker.