Windows administrators at companies that conduct financial transactions online should be wary of a relatively new
threat called "man-in-the-browser" attacks.
Third-party transaction authentication tools and client-side certifications are ways that IT managers can ward off these types of insidious attacks.
Man-in-the-browser attacks are a twist on a familiar threat called "man-in-the-middle attacks," in which a hacker is able to read and modify online messages between two parties without either party knowing.
With man-in-the-browser attacks, the idea of stealthily modifying or capturing data between parties is similar, but the difference is that as a financial transaction happens, the data can be stolen or changed.
Man-in-the-browser attacks are more sinister than man-in-the-middle attacks because they use Trojan Horses that invisibly install themselves on users' systems through a Web browser. The attacks modify users' financial transactions when they visit a legitimate Web site, such as their personal online banking accounts.
This differs slightly from man-in-the middle attacks, also known as phishing attacks, which can hijack information from email or IM communications to create email that lure users to seemingly legitimate Web sites where it then launches a Trojan Horse into the user's network.
The Trojan Horses are disguised as Web browser helper objects or browser extensions and hijack data during online transactions, according to Chenxi Wang, an analyst with Forrester Research Inc., based in Cambridge, Mass. Financial transactions can be modified on the fly as they are formed in browsers and still display the user's intended transaction.
Depending on how it is configured, a man-in-the-browser attack might steal bank account numbers or personal information such as social security numbers or account logons and passwords.
Man-in-the-browser attacks first acknowledged in 2006
Security expert Phillip Guhring first wrote about man-in-the-browser attacks in 2006, noting that they were mostly seen on Microsoft Windows systems using Firefox and Internet Explorer browsers. The attacks are prevalent in Windows shops because Microsoft browsers are popular, not because they're more vulnerable, Wang said.
Man-in-the-browser attacks are dangerous because they can bypass public key infrastructure encryption and client-side certificates protection, Wang said. Because hackers are increasingly targeting financial crimes, man-in-the-browser threats will likely grow over the next 18 months, she said.
The good news is there are short-term steps IT administrators can take right away to protect their networks, Wang said.
Installing strong Web filters can help
Hardening browsers by banning dynamically linked libraries or helper objects, installing strong Web filters and using a second method of transaction verification, such as cell phone contact, are all recommended, she said. Although short-term steps are helpful, third-party transaction authentication is the best long-term protection.
Users can enter data into a separate device from their computers, insulating it from Trojan Horse attacks. An authenticity "tag" is then generated in a message authentication code or a digital signature, Wang said. The user enters the transaction data and authenticity tag into the browser to start the transaction, she said.
MAC-generating tokens, smart cards or signature-able appliances technology as well as client-side certifications with two-way Secure Socket Layer authentication are some of the ways IT managers can ward off attacks.
Maintain up-to-date patches and anti-malware protection
IT managers can help protect against these exploits by keeping patches and anti-malware protection up to date, said Gerhard Eschelbeck, chief technological officer and senior vice president of engineering at Webroot Software Inc., a Boulder, Colo.-based developer of Internet security products.
"It's essential to keep these systems safe because once they are compromised, customers are not going to have any trust," he said.
But Wang said she believes eventually IT managers won't have a choice because short-term steps won't be enough protection. "Transaction fraud will not go away," she said. "In the long run, we anticipate that all Internet businesses will employ some form of transaction verification."