'Man in the Browser' malware defeats banks' two-step online authentication

Shawn Knight

Shawn Knight

Posts: 15,294   +192
Staff member

A new breed of malware called a Man in the Browser (MitB) attack can successfully bypass a bank’s two-step online authentication process. In most cases, the victim isn't even aware their account has been compromised until it's too late.

Once the malicious code finds its way to your computer, it lays dormant until the user navigates to a specific website – a secure bank. During the typical log in process, the malware is activated and acts as a middleman between the user and the bank’s website. Most variants will ask the victim to reenter their credentials as part of an “enhanced security measure.” If the victim falls for this prompt, the attacker then has full access to the bank account.

Once inside, the attacker can perform a number of dastardly deeds such as spoofing balances, changing payment details and even hiding records of money transfers.

The BBC points out that even if you have the latest anti-virus software and follow your bank’s official advice, the malicious code could still find its way to your machine. During their own in-house testing, they found that the majority of web security software on standard settings didn’t detect the malware, even when it was activated. Results were much better when products were set to maximum security, but this blocks many legitimate programs as well.

"The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking," said Daniel Brett, of malware testing lab S21sec. "[Although] many products won't pick this up, they've got a much bigger scope; they're having to defend against all the viruses since the beginning of time."

The best defense at this point is to keep your anti-virus up to date and take note of any unusual behavior when logging into your bank account online.

Image courtesy Valerie Potapova / Shutterstock.

Permalink to story.

https://www.techspot.com/news/47351-man-in-the-browser-malware-defeats-banks-two-step-online-authentication.html

 
This and other malware is why I don't do financial transactions online. I would think by now that banks (or someone) would come up with a live boot CD/USB that uses a hardend OS/Application to access the bank. Simply boot off the CD/USB do your transactions and then boot back into your standard OS. I think for most of us that would work as you usually don't have to access the bank on a daily basis.
 
so does this thing track key strokes? I log in w/ on screen key board lol would I be okay??
 
From what I Gather the gist is the malware puts up an extra dialogue and expects you to put in your full memorable phrase in, something your bank would never ask as it defeats the point of having the drop down input.

So if your browser asks you to enter your memorable phrase in plain text you are probably need to not use your computer for online banking
 
Good info - thanks for the heads up. Just passed this article on to all my friends.
 
Xero07 is right on the spot. When an infected computer goes to a website, the malicious code does a quick check to see if it is on a list of know bank sites. If it is, the fun begins.

This stuff is getting very sneaky. The latest versions of these progams will actually add extra fields to the login page making it look like your bank is now asking for additional information. They typically ask for SSN, ATM PIN, and phone number. The look-and-feel of these new questions exactly matches the original prompts. Unsuspecting users will think the bank is just asking for that stuff as added protection.

The greatest problem is that everyone keeps thinking that as long as they have anti-virus installed, nothing bad will happen to them. Anti-virus is very reactive. If a new malicious program comes out, the anti-virus may not recognize it for a long time... long after it has done damage.
 
Why do I think this is made by those people from my bank that call me every other day to offer account protection? No wells fargo I do not want free 3 month account protection!!!!! Iv even cursed at them they won't stop calling I am closing my bank account soon.
 
Where do these guys get this new malware from for testing?
If it's out there & available, surely the anti-virus packages must get updated quick smart!
 
It would have been nice to mention the usual ways the bad code has been recored to enter a system... it doen't just walk on??
 
This and other malware is why I don't do financial transactions online. I would think by now that banks (or someone) would come up with a live boot CD/USB that uses a hardend OS/Application to access the bank. Simply boot off the CD/USB do your transactions and then boot back into your standard OS. I think for most of us that would work as you usually don't have to access the bank on a daily basis.
Click to expand...
o_O
This would cause everyone to stop using their banks from the computer in the first place!
Heck, they would probably abandon banks that did this kind of thing.

It might work for high security places such as military or highly secret corporations, but for consumers... forget it. Not ever going to happen, I will bet.
 
My bank in Australia has a little toggle the size of a USB stick. It runs 6 numbers for a 4 minutes. You have to enter the numbers...the bank on the other end matches the said numbers also in the 4 minutes on your toggle. Then the numbers change. If they match the transaction goes through. The little toggle DOES NOT go into your computer. How the bank knows my toggle number is beyond me....and the crooks.
 
Guest said:
My bank in Australia has a little toggle the size of a USB stick. It runs 6 numbers for a 4 minutes. You have to enter the numbers...the bank on the other end matches the said numbers also in the 4 minutes on your toggle. Then the numbers change. If they match the transaction goes through. The little toggle DOES NOT go into your computer. How the bank knows my toggle number is beyond me....and the crooks.
Click to expand...

Actually sounds similar to how an RSA token works for remote access into your companies systems.
 
The online banking web interface I'm used to never ask my PIN (required for multi-factor auth) and certainly never will. The day it does ask my PIN I'll probably freak out and restore a clean backup.
 
Just 2 days back I cleaned my laptop which had Zeus / ZBot, one of the first financial malwares. Normal antivirus programs dont even detect them. The malware actually blocked opening websites like malwarebytes.org which can clean them. I had to download it another pc and transfer it using USB stick and then clean it up.

I changed the passwords for all my onine accounts including email accounts, deactivated my transaction grid and requested for new ones, rechecked my contact details in every account... the weekend was hectic. And I poured over the internet content on how to do safe online banking. The tips I found.

1. Dont do casual browsing & online banking on the same pc/laptop. In the least use use sandbox software like sandboxie for casual browsing.
2. If you have only one PC, use a linux based live cd to do online banking. This is by far the safest method.
3. Zeus, spyeye etc are hard to detect (statistics is only 23% infections are detected) can even modify your account statements, transactions, balances etc on the fly in your web browser so that it takes a long time before you realize that you have been robbed. So always opt for a hard/soft copy of the statement from your bank and reconcile your statements once or twice a month.
 
I find the best way to keep yourself secure is to use a old laptop or computer ONLY for online banking. Reformat it, install your anitvirus software and then don't use it for anything else. If you don't have a old computer then add a seperate hard drive to your existing computer and only connect it when you need to do your banking. It's a bit of a pain in the a** but not as much as trying to get your money back once someone cleans out your bank account or worse steals your identity
 
Unfortunately, using a token or fob will not work against man-in-the-browser.
 
You must log in or register to reply here.

Similar threads

midian182
Largest bank in Ethiopia hit by IT glitch that allowed customers to withdraw over $40...
Replies
15
Views
242
kiwigraeme
K
D
Google Chrome gets real-time phishing and malware protection with upgraded Safe Browsing...
Replies
7
Views
259
Evrsr
E
Daniel Sims
Researchers crack Windows Hello fingerprint authentication
Replies
4
Views
271
RaXelliX
R

Latest posts

Back