'Man in the Browser' malware defeats banks' two-step online authentication

By on February 7, 2012, 11:30 AM

A new breed of malware called a Man in the Browser (MitB) attack can successfully bypass a bank’s two-step online authentication process. In most cases, the victim isn't even aware their account has been compromised until it's too late.

Once the malicious code finds its way to your computer, it lays dormant until the user navigates to a specific website – a secure bank. During the typical log in process, the malware is activated and acts as a middleman between the user and the bank’s website. Most variants will ask the victim to reenter their credentials as part of an “enhanced security measure.” If the victim falls for this prompt, the attacker then has full access to the bank account.

Once inside, the attacker can perform a number of dastardly deeds such as spoofing balances, changing payment details and even hiding records of money transfers.

The BBC points out that even if you have the latest anti-virus software and follow your bank’s official advice, the malicious code could still find its way to your machine. During their own in-house testing, they found that the majority of web security software on standard settings didn’t detect the malware, even when it was activated. Results were much better when products were set to maximum security, but this blocks many legitimate programs as well.

"The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking," said Daniel Brett, of malware testing lab S21sec. "[Although] many products won't pick this up, they've got a much bigger scope; they're having to defend against all the viruses since the beginning of time."

The best defense at this point is to keep your anti-virus up to date and take note of any unusual behavior when logging into your bank account online.

Image courtesy Valerie Potapova / Shutterstock.




User Comments: 21

Got something to say? Post a comment
cliffordcooley cliffordcooley, TechSpot Paladin, said:

Once the malicious code finds its way to your computer, it lays dormant until the user navigates to a specific website

Wouldn't that suggest the attacker knows you and which websites you visit?

Guest said:

This and other malware is why I don't do financial transactions online. I would think by now that banks (or someone) would come up with a live boot CD/USB that uses a hardend OS/Application to access the bank. Simply boot off the CD/USB do your transactions and then boot back into your standard OS. I think for most of us that would work as you usually don't have to access the bank on a daily basis.

motrin said:

so does this thing track key strokes? I log in w/ on screen key board lol would I be okay??

bexwhitt said:

From what I Gather the gist is the malware puts up an extra dialogue and expects you to put in your full memorable phrase in, something your bank would never ask as it defeats the point of having the drop down input.

So if your browser asks you to enter your memorable phrase in plain text you are probably need to not use your computer for online banking

Xero07 said:

cliffordcooley said:

Once the malicious code finds its way to your computer, it lays dormant until the user navigates to a specific website

Wouldn't that suggest the attacker knows you and which websites you visit?

I think it probably has a list of bank urls that it attempts to match.

TomSEA TomSEA, TechSpot Chancellor, said:

Good info - thanks for the heads up. Just passed this article on to all my friends.

Guest said:

Xero07 is right on the spot. When an infected computer goes to a website, the malicious code does a quick check to see if it is on a list of know bank sites. If it is, the fun begins.

This stuff is getting very sneaky. The latest versions of these progams will actually add extra fields to the login page making it look like your bank is now asking for additional information. They typically ask for SSN, ATM PIN, and phone number. The look-and-feel of these new questions exactly matches the original prompts. Unsuspecting users will think the bank is just asking for that stuff as added protection.

The greatest problem is that everyone keeps thinking that as long as they have anti-virus installed, nothing bad will happen to them. Anti-virus is very reactive. If a new malicious program comes out, the anti-virus may not recognize it for a long time... long after it has done damage.

Guest said:

Betcha China has something to do with this . . . .

Burned said:

I use this when doing my online banking

http://www.spi.dod.mil/lipose.htm

treetops treetops said:

Why do I think this is made by those people from my bank that call me every other day to offer account protection? No wells fargo I do not want free 3 month account protection!!!!! Iv even cursed at them they won't stop calling I am closing my bank account soon.

Guest said:

Where do these guys get this new malware from for testing?

If it's out there & available, surely the anti-virus packages must get updated quick smart!

MrAnderson said:

It would have been nice to mention the usual ways the bad code has been recored to enter a system... it doen't just walk on??

Guest said:

So basically, "Reminder, don't do banking online."

K got it ^.^

Guest said:

This and other malware is why I don't do financial transactions online. I would think by now that banks (or someone) would come up with a live boot CD/USB that uses a hardend OS/Application to access the bank. Simply boot off the CD/USB do your transactions and then boot back into your standard OS. I think for most of us that would work as you usually don't have to access the bank on a daily basis.

o_O

This would cause everyone to stop using their banks from the computer in the first place!

Heck, they would probably abandon banks that did this kind of thing.

It might work for high security places such as military or highly secret corporations, but for consumers... forget it. Not ever going to happen, I will bet.

Guest said:

My bank in Australia has a little toggle the size of a USB stick. It runs 6 numbers for a 4 minutes. You have to enter the numbers...the bank on the other end matches the said numbers also in the 4 minutes on your toggle. Then the numbers change. If they match the transaction goes through. The little toggle DOES NOT go into your computer. How the bank knows my toggle number is beyond me....and the crooks.

Lionvibez said:

Guest said:

My bank in Australia has a little toggle the size of a USB stick. It runs 6 numbers for a 4 minutes. You have to enter the numbers...the bank on the other end matches the said numbers also in the 4 minutes on your toggle. Then the numbers change. If they match the transaction goes through. The little toggle DOES NOT go into your computer. How the bank knows my toggle number is beyond me....and the crooks.

Actually sounds similar to how an RSA token works for remote access into your companies systems.

MrTomTom said:

The online banking web interface I'm used to never ask my PIN (required for multi-factor auth) and certainly never will. The day it does ask my PIN I'll probably freak out and restore a clean backup.

Guest said:

Just 2 days back I cleaned my laptop which had Zeus / ZBot, one of the first financial malwares. Normal antivirus programs dont even detect them. The malware actually blocked opening websites like malwarebytes.org which can clean them. I had to download it another pc and transfer it using USB stick and then clean it up.

I changed the passwords for all my onine accounts including email accounts, deactivated my transaction grid and requested for new ones, rechecked my contact details in every account... the weekend was hectic. And I poured over the internet content on how to do safe online banking. The tips I found.

1. Dont do casual browsing & online banking on the same pc/laptop. In the least use use sandbox software like sandboxie for casual browsing.

2. If you have only one PC, use a linux based live cd to do online banking. This is by far the safest method.

3. Zeus, spyeye etc are hard to detect (statistics is only 23% infections are detected) can even modify your account statements, transactions, balances etc on the fly in your web browser so that it takes a long time before you realize that you have been robbed. So always opt for a hard/soft copy of the statement from your bank and reconcile your statements once or twice a month.

xempler said:

I find the best way to keep yourself secure is to use a old laptop or computer ONLY for online banking. Reformat it, install your anitvirus software and then don't use it for anything else. If you don't have a old computer then add a seperate hard drive to your existing computer and only connect it when you need to do your banking. It's a bit of a pain in the a** but not as much as trying to get your money back once someone cleans out your bank account or worse steals your identity

amstech amstech, TechSpot Enthusiast, said:

All software can be compromised, one way or another.

Guest said:

Unfortunately, using a token or fob will not work against man-in-the-browser.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.