Man in the browser attack mitigation

Malware such as Neverquest, Zeus, or GameOver Zeus is getting more aggressive daily, and the stealthy way it steals money makes it even more dangerous. 

The methods used by Neverquest and similar MITB (man-in-the-browser) attacks are described in the following video:

and on the following Wikipedia page: http://en.wikipedia.org/wiki/Man-in-the-browser

By obtaining complete control over the client’s computer, hackers can circumvent any protection, including hardware tokens with a changing code. Such tokens make the attacker’s task significantly harder than static, non-expiring credentials do, but not enough to deem this measure sufficient. The worst part is that any dialog or input box looks like part of your website, even over SSL with an EV certificate! All modifications happen to the HTML inside the browser, where your organization no longer has any control.

Man-in-the-Browser attacks have dramatically changed how online banking is done, and this change applies to all banks and financial institutions globally. Usernames, passwords, and temporary codes are no longer effective protection in the presence of multiple malware families able to circumvent and intercept them.

The most effective measure against this attack is a secure computer. Since most of your clients cannot afford the time and cost of learning to configure a secure computer, you must offer them other options if you want them to stay with you in the long run rather than going to a competitor (who does not necessarily have better protection for them, but they don’t know that, do they).

By its nature, this attack makes it look as if your website is compromised and your organization’s security is lacking. This is a severe reputation issue: your clients lose faith in you, and there is nothing you can do to counter that opinion other than customer education.

One of your primary tasks is not only to protect them but to show how the same attack happens to even the largest banks worldwide, so they can realize that switching to online banking at another bank will not make them safer unless they can ensure the security of the computer from which they perform their online banking. They could switch banks every day – and get compromised every day – as long as the malware is still on their system, stealing credentials and sending them to their masters.

Your focus should be the security of their computer and the risk to every type of payment made while that computer is infected.

Action Plan

Customer education and awareness come first: your customers should realize that the responsibility for the security of their computer is theirs, just like the security of their money in their own homes (or wallets). You, in turn, have a much larger arsenal of knowledge and experience in information security and have a responsibility to share it in the right way, through the proper channels, clearly and frequently enough.

You will need the active involvement of your marketing department in this task because of their close relationship with the customers and their good communication skills, translating IT jargon into understandable language for your clients.

Any financial institution has to undergo a severe transformation before significant security measures are applied to its online payment processing systems, such as e-banking. During this period, which usually takes 3 to 6 months or more (depending on the quality of your team and the funding available), your organization will need temporary ‘patches’ that still allow payments to go through while reducing the risk of fraud as much as possible.

When malware hits your customers and you have no actionable technical measures to mitigate that risk, the only thing left is educating your customers to take their security into their own hands (as it should be: if their computer is secure, their transactions with any financial institution are secure as well).

Change, upgrade, and improve the methods of communication with your customers.

Banks and social networking just do not mix, not even for their marketing teams. If your organization is the same, don’t be ashamed; accept the guilt and improve. Your customers have to get used to the thought that whatever their question is, your Twitter, Facebook, and LinkedIn accounts are always responsive and ready to step in and assist.

Get to your management and the marketing management, and start pushing them to improve their processes. Relying on e-mail is so 1990, people! And for those who still rely on e-mail, there are AWeber and Mailchimp. Do it right. In a crisis, your methods of communication have to be already practiced and proven effective. Sometimes you will have just minutes, not days or weeks, to inform all your customers of an impending change, and social networking and e-mail marketing services can do wonders for that.

Have a structured and consistent approach to the education of your clients.

Implement a plan for creating security awareness that explains the challenge they face consistently and step by step. It cannot be done with one gigantic mail; they simply will not read it. If you have to, print brochures and send them out; use every communication channel to inform them about the current virus outbreak. Do not make the mistake of telling them your online banking is at risk. Tell them instead that the online banking of institutions across the globe is at stake, because it is a global problem for every organization, which it is.

Instead of showing panic and haste to save your clients from the risk of banking with you, try turning the tables in your favor and be the bearer of good news instead: no matter the global hacking attacks against all banks, you will step up and show your clients the way out with your outstanding technical knowledge and advice, for free, so they can safely bank with any organization they want. They will thank you by banking with you, because you were the only one to show care and understanding of the problem while everyone else was playing hide and seek with the hackers and burying their heads in the sand.

One significant strategic inefficiency many organizations face is sending technical messages to their clients without realizing that these messages are received primarily by non-technical staff, such as accountants, who usually ignore technical advice automatically. Help them by adding a short note saying that this advice is for their system administrators or tech support company; they will pass the message along, and you will not have written it in vain.

Technical changes for your e-banking system

Usernames and passwords, along with TANs, are outdated and inadequate compared to modern technical protection measures – and still, many organizations choose to use them and hope someone else will get attacked in the sea of banks out there.


The simplest option is a hardware token that generates a new code every 30 seconds. A different protection method would be a hardware token that accepts the transaction details as input and outputs a unique 6-8 digit code, eliminating the risk of a man-in-the-browser attack. Still, it would significantly inconvenience your customers, eventually causing more damage than not having it at all.

Another defense that would do the job is the technology described in this CA whitepaper: http://www.ca.com/~/media/Files/whitepapers/protection-from-mitm-mitb-attacks-wp.pdf.

Whichever token you choose, remember: it will not protect your customers from malware. You absolutely must remember that! Malware will ask your customers to enter their one-time token codes into fake pages, including on their mobiles (smartphones get infected, too). Generally, the days when a password alone gave enough security are gone.

Hardened Browsers

A few companies are doing this; the one I recommend is Promon. Having reviewed dozens and dozens of solutions and vendors out there, they are the ones who provide the highest level of protection against financial malware. You can go ahead and infect a virtual machine, install their browser, and visit a test e-banking account (a test account, not yours!) or an account with no money on it: the malware will not be able to inject ANYTHING, and any software keyloggers you might have had will be useless to the attackers. Unfortunately, end users cannot buy this, but you, as the financial organization, can, and … well, you should. Unlike the dozens of other massive vendors with humongous pricing and doubtful performance, whose solutions you will have to implement for months and months, this one is QUICK to implement and effective. At the very least, give it a test spin.

Content Security Policy

Most web developers have never heard of this; if yours have not, you can excuse them. People don’t usually implement a Content Security Policy until they are required to, and one such case is when a banking trojan attacks your clients. As one of the few measures you can implement on your side, on the web server, it would be a shame not to.

Since the instructions telling the browser to trust only your code are delivered in a way that the attacker can still modify, CSP is not a silver bullet, but it will buy you time until they figure out what tools you’re using to counter their attack. As with any technical measure, it can be bypassed if not implemented correctly.

Being a measure that is quick to implement, do it now; just remember that it is an additional layer of protection that will be peeled off sooner or later.

Remember that if your website uses a lot of JavaScript, you may run into serious usability problems: CSP breaks all inline JS, and migrating it to external files will take a lot of time. Things like sharing buttons, Google Analytics, and similar services might also stop working for you.
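As an added example (not code from the original post or any vendor), here is how the two halves of a CSP deployment fit together on the server: building a strict policy with a per-response nonce, and turning the browser’s violation reports into the kind of fraud signal the text describes. The host name, report path and sample report are constructed for this example.

```python
import json
import secrets
from urllib.parse import urlsplit

# Constructed example host; replace with the e-banking site's real origins.
TRUSTED_HOSTS = {"ebank.example.com"}


def new_nonce() -> str:
    """Fresh random nonce per HTTP response, placed on every legitimate <script> tag."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str, report_path: str = "/csp-report") -> str:
    """Value for the Content-Security-Policy header: only same-origin resources and
    scripts carrying this response's nonce run; inline scripts injected into the HTML
    without the nonce are blocked and reported (malware with full control of the
    browser can still read or strip the header, as the text warns)."""
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        f"report-uri {report_path}",
    ]
    return "; ".join(directives)


def classify_csp_report(raw_json: str) -> dict:
    """Turn a browser-sent violation report into a fraud-monitoring signal: a blocked
    script on a banking page that is not our own code is treated as a possible page
    modification in the client's browser."""
    report = json.loads(raw_json).get("csp-report", {})
    directive = (report.get("effective-directive") or report.get("violated-directive", "")).split(" ")[0]
    blocked = report.get("blocked-uri", "")
    page = urlsplit(report.get("document-uri", "")).path
    if directive != "script-src":
        return {"severity": "low", "page": page, "reason": f"{directive} violation, likely noise"}
    if blocked in ("inline", "eval", "self"):  # browsers report injected inline scripts this way
        return {"severity": "high", "page": page, "reason": "inline script without our nonce"}
    host = urlsplit(blocked).hostname or blocked
    if host in TRUSTED_HOSTS:
        return {"severity": "low", "page": page, "reason": "own script blocked, check the policy"}
    return {"severity": "high", "page": page, "reason": f"script from foreign host {host}"}


# Constructed report in the shape browsers POST to report-uri (an injected inline script).
SAMPLE_REPORT = '{"csp-report": {"document-uri": "https://ebank.example.com/payments/new", "effective-directive": "script-src", "blocked-uri": "inline"}}'
```

Reports from the login and payment pages are the ones worth routing to the fraud team; violations on marketing pages are usually the analytics and sharing widgets mentioned above.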

OOB confirmation

When an attacker fully controls your client’s computer, you have no choice but to use a different communication path with them to confirm and verify transactions. Unfortunately, malware writers upgraded their toolsets long ago: they are already using man-in-the-mobile attacks to intercept SMS messages… but that’s a different story for a follow-up post.

Let’s get back to out-of-band confirmation. You could send proof of every transaction over a specific limit, say $100 or $500, depending on the client and the bank, so the client can react quickly and get their money back even if it gets stolen. This method is very effective but slightly annoying for accountants, who send transactions every few minutes. You should provide an opt-out mechanism and alternative notification methods (account page, e-mail, mobile app, etc.) for confirming client transactions.

You could also run an automated telephone system that calls your clients, reads out the details of the pending transaction, and requires them to press 1 to confirm or 2 to refuse it; just an idea. It would be much more expensive than an SMS system, and annoying.

OOB + OTP

Sending an SMS containing the transaction amount plus a code derived from it (e.g., “You initiated a transaction of 10 000 EUR. To confirm, enter code 357 378 ZZ”) is the most effective solution for the moment.
An example of such a solution is http://www.safenet-inc.com/data-protection/financial-data-security/online-banking-security/financial-fraud-prevention-man-in-the-browser-attacks/
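The following is an added example of the transaction-bound code described above; it is not code from the original post or from any vendor mentioned. It assumes a server-side secret key (a constructed placeholder here) and a transaction record with id, amount, currency and beneficiary; the IBAN values are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; in production this secret lives in an HSM or secrets store (assumption).
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount_cents: int
    currency: str
    beneficiary_iban: str


def canonical(tx: Transaction) -> bytes:
    """Exactly the fields the customer sees in the SMS; changing any of them changes the code."""
    return f"{tx.tx_id}|{tx.amount_cents}|{tx.currency}|{tx.beneficiary_iban}".encode()


def confirmation_code(tx: Transaction, key: bytes = SERVER_KEY) -> str:
    """8-digit code bound to the transaction as the server recorded it (truncated HMAC-SHA256)."""
    digest = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def format_amount(cents: int) -> str:
    """'10 000.00' style, matching the SMS wording used in the text."""
    return f"{cents // 100:,}".replace(",", " ") + f".{cents % 100:02d}"


def sms_text(tx: Transaction) -> str:
    """The out-of-band message: the server's view of the transaction plus its code.
    Malware that rewrote the beneficiary in the browser cannot rewrite this SMS,
    so the customer can spot the mismatch before typing the code."""
    return (f"You initiated a transfer of {format_amount(tx.amount_cents)} {tx.currency} "
            f"to {tx.beneficiary_iban}. To confirm, enter code {confirmation_code(tx)}")


def verify(stored_tx: Transaction, submitted_code: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute from the stored record, never from browser-supplied fields, and compare
    in constant time. A code issued for a different transaction does not verify."""
    expected = confirmation_code(stored_tx, key)
    return hmac.compare_digest(expected, submitted_code.replace(" ", ""))


# Constructed scenario: the customer typed tx_ok, but malware in the browser submitted tx_bad.
tx_ok = Transaction("T1001", 1_000_000, "EUR", "DE00 CUSTOMER INTENDED 0000")
tx_bad = Transaction("T1001", 1_000_000, "EUR", "XX00 UNKNOWN BENEFICIARY 0000")
```

The code should additionally be single-use and short-lived, and the verification must be done against the stored record rather than against details resubmitted by the browser.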

ModSecurity WAF helps mitigate the man-in-the-browser attack (to some degree)

As described at http://blog.spiderlabs.com/2013/07/modsecurity-advanced-topic-of-the-week-detecting-banking-trojan-page-modifications.html, you can configure your web server with ModSecurity to verify the integrity of the web pages served to your clients’ browsers. As the article says, you can’t rely on it 100%, but you can use it for fraud detection if the attackers decide to strip your verification measures: if the signatures of those measures are missing, you have a fraud alert!

Technical measures applicable to your customers

  • Not all protection measures are suitable for all customers. One method which is 100% effective for those with more powerful computers is Sirrix: http://www.sirrix.com/content/pages/bitBox_requirementstoinstall.htm. This browser is exported from a VirtualBox virtual machine onto the Windows desktop. Try exploiting that, Mr. Hacker.
  • For those with slower computers, I recommend a solution that is not as secure but a bit easier to install and more user-friendly: BitDefender Safepay: http://www.bitdefender.com/solutions/safepay.html.
  • Yet another relatively secure way to do online banking, albeit not practical and rarely ever used by real people who are not complete computer nerds, is a separate, “clean” computer used exclusively for online banking (or a virtual machine, but did we already exclude the computer nerds?).
  • A hardened browser on a flash drive: this measure can accomplish good results in some cases. Given the rapid reaction of hackers to mitigation measures, this protection method cannot be considered 100% effective, like most of the other methods suggested here.
  • An anti-virus system based on behavior analysis. Many of your e-banking clients will not have *ANY* antivirus, so what about an advanced one? Most AV vendors rely on signatures; only a few, such as Webroot, rely on behavior analysis. You should try it, because a signature-based AV cannot detect new, unknown viruses and malware. The existence of an antivirus system does not guarantee protection: the success rate for catching a virus of this kind is not more than 23%.

Detection of Fraudulent Transactions

Fraud detection software, especially for banks, is ungodly expensive. A bank can generally afford it, though. But if you can’t, you have to do it manually. A cheap and practical approach is to hire (if you don’t have one) a programmer with a mathematical, statistical, and database background who can develop rules to put transactions on a ‘waiting’ list for manual review or immediate cancellation.

For now, the most effective method (and the most expensive) of detecting fraudulent transactions and suspicious behavior is monitoring user behavior in the browser. By analyzing mouse movements and clicks or keyboard keystrokes, you can develop automated methods for detecting fraudulent transactions and distinguishing them from normal user behavior. An example of such a solution is http://www.entrust.com/wp-content/uploads/2012/07/DS_EntrustTransactionGuard_web_Feb2014.pdf.