Imperva is warning business continuity managers and organizational IS teams to be aware of a growing attack trend: the Boy-in-the-Browser.
What is Boy-in-the-Browser?
The Boy in the Browser is a sophisticated trojan, a ‘dumbed-down’ version of MitB (Man-in-the-Browser). In essence, a BitB is a less mature version of the MitB trojan, hence the name.
With a BitB, the trojan takes control of the victim’s traffic and re-routes the information through an attacker’s proxy site. It is very difficult to detect since the victim’s address bar continues to present the address of the intended destination. For example, you as an infected victim are surfing to a bank's website, but in fact, that traffic is sent to the attacker. Yet, on your browser, you continue to the bank's normal website.
What is the impact of Boy-in-the-Browser?
Once all traffic is re-routed via the attacker, the attacker can do whatever it wants with that data. For example:
• It can act as a proxy just logging sensitive information before passing the request on to the original destination.
• It can act as an ‘active’ proxy modifying requests (for example, to transfer sum to a different bank account) before passing it on.
• Committing fraud schemes. For example, Imperva has seen a scheme which defrauds Google.
This is a growing, resurging, trend amongst hackers, since, in short, it works. Since these trojans are so quick to evolve, anti-viruses do not always detect variants. More people fall prey to these attacks as they are so difficult to detect. Hackers have realized this and are continuing to release more and more variants of BitBs.
What is the difference between BitB and MitB?
A Man in the Browser intercepts user requests and server responses while ‘sitting’ on the victim’s browser. In effect, it listens directly on that communication. For example, when the victim is authenticated to the bank and requests a transfer from his checking account to savings account. The trojan may modify that request in order to make a transfer from the checking account to an account in the Ukraine.
In the case of a BitB, the trojan redirects the traffic to a 3rd-party site which is an attacker-controlled server. This means that all traffic does not go immediately to the bank, rather it passes through that extra link. Only at that server, can the attacker modify the transaction request before continuing to pass it along to the original destination.
Why are hackers using BitB?
Let’s consider first MitBs – these are a huge deal for enterprises and banks to deal with for the following three reasons:
• Impact user transactions.
• Very difficult to detect. - They last a long time.
Similarly to the MitB, BitB is just as dangerous and just as hard to detect. However, this sort of attack requires much less resources for attackers to execute. There are two main required resources:
1. The trojan code.
2. Attacker-controlled server.
As opposed to MitB, the BitB trojan code is much simpler to write. It is a very short piece of code to redirect the traffic. As for the server, they just require a domain. Today’s automated tools will set up the server within just a couple of clicks. The BitB setup is a no-brainer. However, the MitB code is much more complicated. Consider your banking application. It has tabs for different operations, different options for transactions and in general, quite a complex application. The MitB code needs to be customized for each of these operations in order to hook into each of the application’s feature. The big guns are required to carry out these MitB schemes.
Why do hackers invest in MitB?
Each of these Trojans have the same impact and scare banks and businesses alike. BitB is much easier for an attacker to pull off. However, they are most useful for a one-shot sting operation. Once uncovered, the attacker-controlled server is shut down and business is as usual. On the other hand, MitB attacks are a continuing process much more difficult to fight out once uncovered. In that case there is no single pain-point to bring down.
A more technical overview can be found at Imperva's ADC Advisory page.
•Date: 16th Feb 2011 • Region: World •Type: Article •Topic: Warnings