Man-in-the-browser

The MitB threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds." The name "man-in-the-browser" was coined by Philipp Gühring on 27 January 2007. Antivirus software can detect some of these methods. In a nutshell example exchange between user and host, such as an Internet banking funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. ==Examples==

Examples of MitB threats on different operating systems and web browsers: ==Protection==

===Antivirus=== Known Trojans may be detected, blocked, and removed by antivirus software. Further protection can be achieved by running this alternative OS, like Linux, from a non-installed live CD, or Live USB. • Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution. In this case, MitB attacks are avoided, as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine. Out-of-band transaction verification A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example, an automated telephone call, SMS, or a dedicated mobile app with graphical cryptogram. OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices, yet enables three-factor authentication (using voice biometrics), transaction signing (to non-repudiation level), and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps. Man-in-the-Mobile Mobile phone mobile Trojan spyware man-in-the-mobile (MitMo) can defeat OOB SMS transaction verification. ZitMo may be detected by Antivirus running on the mobile device. • SpitMo (SpyEye-In-The-Mobile, SPITMO) is similar to ZitMo. Web fraud detection Web fraud detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions. ==Related attacks==

Proxy trojans Keyloggers are the most primitive form of proxy trojans, followed by browser-session recorders that capture more data, and lastly MitBs are the most sophisticated type. Clickjacking Clickjacking tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the webpage. ==See also==