What Is a Man in the Browser (MitB) Attack? How To Prevent It?

Network attacks, while not as common as other typical hacks, still pose a significant threat to a world of always-online business. Specifically, a network snooping attack like Man-in-the-Browser (MitB) can leverage weaknesses in web browsers to steal network communications and spoof user credentials.

What Is a Man-in-the-Browser Attack?

A man-in-the-browser attack is a threat where an attacker inserts malware into a victim’s web browser through an infected app, plugin, or extension. The primary goal of this type of attack is to intercept and change the data exchanged between the user’s browser and the websites they visit, typically for financial gain or to steal sensitive information.

These attacks work through the following basic steps:

  • Infection: The attacker first infects the victim’s computer with some form of malware, typically a trojan, an infected plugin, and/or a file opened by the user via a phishing attack. See the list of prominent MitB trojans below.
  • Monitoring: Once the victim’s computer is infected, the malware is installed and may remain dormant until the user accesses a targeted website (e.g., a bank). The malware often integrates with the browser as a plugin or an extension to avoid detection and will not trigger traditional anti-malware software, so the user may never know that someone is intercepting data. When the user visits a targeted website, the MitB malware becomes active and monitors the user’s interactions with the website, such as login attempts, form submissions, or transactions. It may also inject malicious code into the web pages to modify their content or behavior.
  • Data Interception: As the user enters sensitive information, such as login credentials or financial data, the malware intercepts, stores, or transmits it to the attacker. It can also manipulate the data sent to the website or modify the data received from the website with no one the wiser.
  • Man-in-the-Middle: The malware communicates with the attacker’s server to send intercepted data and receive further instructions. This enables the attacker to adapt the attack as needed, meaning straightforward data interception or, in more advanced cases, spoofing bank requests to steal money from the user’s account.

Common Trojans Used in Man-in-the-Browser Attacks

Several common Trojans have been used in man-in-the-browser (MITB) attacks. These Trojans are typically designed to target browsers on specific operating systems, like Windows, leveraging common weaknesses to integrate with critical system functionality.
Some of the more notable Trojans include:

  • Zeus: Zeus, aka Zbot, is one of the most well-known and widely distributed banking Trojans. It targets Windows-based systems, is designed to steal sensitive data, and includes tools like keystroke loggers and form grabbers. Zeus is highly customizable and has been used as a base for developing other Trojans.
  • SpyEye: SpyEye is another notorious banking Trojan that targets most major browsers (Chrome, Internet Explorer, Firefox) on Windows systems. It emerged as a competitor to Zeus and is known for its advanced features, like auto-fill credit card tools and the ability to spoof HTTPS access and grab information across FTP and POP3 protocols.
  • Citadel: Citadel is a variant of the Zeus trojan that targets password managers. It is equipped with additional features, such as the ability to record video of the victim’s screen and an advanced keylogger.
  • Gozi: Gozi is a banking Trojan that targets Windows systems and is known for its advanced web injection techniques that extend into multiple attack vectors, including banking fraud, eCommerce fraud, ransomware, and compromising Point of Sale (POS) devices.
  • Torpig: Torpig is a sophisticated Trojan and botnet that targets Windows-based systems and is designed to steal sensitive information, such as login credentials, credit card numbers, and email account details.

How Can I Prevent MitB Attacks?

Preventing man-in-the-browser (MITB) attacks requires a combination of awareness and good cybersecurity habits, most of which apply to other security concerns as well. Here are some steps you can take to protect yourself from MITB attacks:

  • Update Your Browser and Plugins: Regularly update your web browser and plugins whenever they ask you to. It is convenient to ignore update warnings, but these patches will often fix vulnerabilities that MitB attacks take advantage of.
  • Enable Two-Factor Authentication (2FA): Out-of-Band (OOB) authentication, or using two communication channels to authenticate, can mitigate MitB attacks. Use 2FA for sensitive accounts, such as online banking and email.
  • Don’t Download Attachments or Click Links: Avoid opening attachments or clicking on links in emails from unknown or suspicious sources, as phishing attacks could hijack your browser. In general, you should only download files from trusted sources and never install software from the web on business machines.
  • Review Browser Extensions: Regularly review the extensions and plugins installed in your web browser and remove any that are no longer needed or come from untrusted sources.
  • Adjust Browser Settings: If not necessary, disable JavaScript, Flash, or other plugins on untrusted websites, enable automatic updates, and block pop-up windows.
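
The extension review step above can be partly automated by reading each extension's manifest and ranking what it is allowed to touch. This is an added example, not code from the original article or from any vendor: the permission names are real WebExtension permissions, while the priority scheme, the sample manifests, and the `<id>/<version>/manifest.json` directory layout passed to `load_manifests` are assumptions made for illustration.

```python
import json
from pathlib import Path

# Real WebExtension permission names that allow reading or rewriting pages and traffic.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "scripting", "tabs", "cookies", "debugger", "nativeMessaging"}
# Match patterns that cover every site, including banking pages.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Summarise what one extension manifest is allowed to touch."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in perms if p == "<all_urls>" or "://" in p)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    risky = sorted(RISKY_PERMISSIONS.intersection(perms))
    broad = sorted(hosts & BROAD_PATTERNS)
    if broad and risky:
        priority = "high"      # runs everywhere and can read or alter content
    elif broad or risky:
        priority = "medium"
    else:
        priority = "low"
    return {"name": manifest.get("name", "(unnamed)"), "priority": priority,
            "risky_permissions": risky, "broad_hosts": broad}

def load_manifests(extensions_dir: str) -> list:
    """Read manifest.json files laid out as <id>/<version>/manifest.json (assumed layout)."""
    return [json.loads(p.read_text(encoding="utf-8"))
            for p in Path(extensions_dir).glob("*/*/manifest.json")]

def audit_all(manifests: list) -> list:
    """Audit every manifest and list the ones needing review first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((audit_manifest(m) for m in manifests),
                  key=lambda r: (order[r["priority"]], r["name"]))

# Constructed sample manifests (not real extensions) so the example runs offline.
SAMPLES = [
    {"manifest_version": 3, "name": "Coupon Helper (constructed)",
     "permissions": ["storage", "scripting", "cookies"],
     "host_permissions": ["<all_urls>"]},
    {"manifest_version": 2, "name": "Old Toolbar (constructed)",
     "permissions": ["tabs", "webRequest", "webRequestBlocking", "*://*/*"]},
    {"manifest_version": 3, "name": "Reader Theme (constructed)",
     "permissions": ["storage"],
     "content_scripts": [{"matches": ["https://news.example/*"], "js": ["theme.js"]}]},
]

if __name__ == "__main__":
    for row in audit_all(SAMPLES):
        print(row)
```

A "high" result is a prompt for manual review, not a verdict: many legitimate extensions request broad access, and the question for each one is whether it is still needed and comes from a trusted source.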

What Is the Difference Between Man-in-the-Browser and Man-in-the-Middle Attacks?

Both man-in-the-browser (MITB) and man-in-the-middle (MITM) attacks are forms of “adversary-in-the-middle” hacks. They involve intercepting and potentially manipulating data exchanged between two parties. However, they differ in their methods, points of attack, and scope.

  • Man-in-the-Browser Attack: An MITB attack injects malicious software (malware) into a victim’s web browser. The malware typically exploits vulnerabilities in the browser or its plugins to intercept and manipulate data exchanged between the browser and the websites the user visits. MITB attacks usually focus on specific websites or applications, such as online banking or e-commerce websites. The goal is typically to steal sensitive information (e.g., login credentials and financial data) or manipulate transactions.
  • Man-in-the-middle (MITM) Attack: In a MitM attack, the attacker positions themselves between the victim and the server (e.g., a website, an email server, or a Wi-Fi network). The attacker intercepts and potentially modifies the data being exchanged without the knowledge of the victim or the server. MITM attacks can target various network communications, including web browsing, email, instant messaging, and file transfers. The attacker can potentially access or modify any data transmitted between the victim and the server.

Utilize 1Kosmos Multi-Factor Authentication to Avoid Man-in-the-Browser Threats

One of the strongest repellents to MitB attacks is a strong 2FA or MFA implementation, one that is simple and streamlined for users to onboard and adopt with their existing technology and workflows.

With 1Kosmos, you can strengthen authentication security and identity management with the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities, which are only accessible by the user. The distributed properties ensure there are no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.