Proceedings of the 7th Australian Information Security Management Conference
A Review of Browser Extensions, a Man-in-the-Browser Phishing Techniques Targeting Bank Customers
Nattakant Utakrit School of Computer and Security Science Edith Cowan University
Initially, online scammers (phishers) used social engineering techniques to send emails soliciting personal information from customers in order to steal money from their Internet banking accounts. Data such as passwords or bank account details could be further used for other criminal activities; for instance, the scammers may intend to leave the victim’s information behind after they have successfully committed the crime, so that the visible evidence leads the police to suspect the victim. Many customers are now aware of the need to protect their banking details from phishers by not providing any sensitive information. Recently, phishing attacks have become more sophisticated and are targeted at online banking users. Hence, this paper reviews one current form of phishing attack known as ‘man-in-the-browser’. It specifically focuses on the use of browser extensions, including their operational strategies. Techniques to identify, minimize, and prevent this type of attack are considered. Lastly, the author provides specific advice for bank customers based on her research interests and experience in online banking security.
Keywords: Phishing, man-in-the-browser, Trojan, add-ons, plugins, browser extensions
INTRODUCTION

Phishing was first introduced as a social engineering technique in which potential victims are convinced to provide their confidential information, such as usernames, passwords, and bank account details, in a return email. The attack is often extended by creating fraudulent web pages to persuade customers that they are on the legitimate banking site. Once an identity has been submitted through the form provided, the information is sent to the phisher. Ståhlberg (2007) describes other spying techniques used to track a user’s banking information, such as screenshot and video capture, code injection of fraudulent pages or form fields, website redirection, and keystroke logging. Obtaining a user’s information can also combine several of these techniques; for example, screenshot and video capture may be used to monitor the user’s activity while keystroke logging records passwords or other information. Subsequently, a newer and more dangerous facet of phishing technology, the Trojan horse, has been released. It operates by becoming embedded in a user’s Internet browser, where it later steals confidential information and sends it back to the scammer. This form of Trojan horse attack is known as ‘man-in-the-browser’.
MAN IN THE BROWSER VS MAN IN THE MIDDLE ATTACKS

Theoretically, man-in-the-browser (MitB) and man-in-the-middle (MitM) attacks are similar in that both control the data flow between the client and the host computer. However, a man-in-the-middle attack uses a proxy server that relays traffic and takes place at the application layer, between the customer’s web page and the legitimate online banking system (Litan & Allan, 2006), operating on the traffic stream (RSA, 2008). Conversely, a man-in-the-browser attack operates within the Internet browser displayed on the user’s desktop and controls incoming and outgoing content at the system level on the customer’s computer, rather than at the authentication level.
How does man-in-the-browser operate?

Man-in-the-browser is also called a proxy Trojan or a password-pinching Trojan (Leyden, 2008). It combines phishing approaches with Trojan horse technology: inserted into a customer’s browser, the Trojan can modify, capture, and/or insert additional information on web pages without the knowledge of either the customer or the host (Gühring, 2006; Litan & Allan, 2006; Ståhlberg, 2007).
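As an added example (not code from the paper), one page-side check a bank could run against the “insert additional information” behaviour described above: it compares the login form the browser actually rendered against the shape the server’s template defines, reporting injected fields or a changed submission target. The URL and field names are constructed placeholders.

```javascript
// Added example, not from the paper: detect injected form fields or a rewritten
// form target on a bank login page, as a man-in-the-browser Trojan might produce.

// The shape of the legitimate login form, as the server's template defines it.
const EXPECTED_LOGIN_FORM = {
  action: "https://bank.example/login",            // constructed placeholder
  fields: ["username", "password", "csrf_token"],  // constructed field names
};

// Reduce a form to its observable shape. In a browser `form` would be
// document.forms["login"]; any object with `action` and `elements` also works.
function describeForm(form) {
  const fields = Array.from(form.elements)
    .map((el) => el.name)
    .filter((name) => typeof name === "string" && name.length > 0);
  return { action: String(form.action), fields };
}

// Compare the rendered form against the expected shape. An empty result means
// no tampering was observed, which is not the same as proof of a clean browser.
function checkFormIntegrity(expected, rendered) {
  const findings = [];
  if (rendered.action !== expected.action) {
    findings.push(`form target changed to ${rendered.action}`);
  }
  for (const name of rendered.fields) {
    if (!expected.fields.includes(name)) findings.push(`unexpected field injected: ${name}`);
  }
  for (const name of expected.fields) {
    if (!rendered.fields.includes(name)) findings.push(`expected field missing: ${name}`);
  }
  return findings;
}

// Constructed samples: the form as the template renders it, and the same form
// after a Trojan has injected an "atm_pin" field and changed where it submits.
const CLEAN_FORM = {
  action: "https://bank.example/login",
  elements: [{ name: "username" }, { name: "password" }, { name: "csrf_token" }],
};
const TAMPERED_FORM = {
  action: "https://collector.example/login",      // constructed placeholder
  elements: [
    { name: "username" }, { name: "password" }, { name: "csrf_token" },
    { name: "atm_pin" },                            // injected field
    { name: "" },                                   // unnamed submit button, ignored
  ],
};
```

Because the check runs inside the same browser the Trojan controls, a sufficiently capable Trojan can neutralise it as well; treat a clean result as absence of evidence rather than proof of a clean browser.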