Proceedings of the 7th Australian Information Security Management Conference
Figure 1 - Man-in-the-browser operation
Figure 1 illustrates the process of a man-in-the-browser attack. When the Trojan infects an application or the operating system on the user’s computer, it installs an extension into the browser and waits to be launched the next time the browser starts. Whenever a web page is loaded, the Trojan filters the page against its list of targeted sites. If the site matches a pattern, the Trojan extension waits until the user logs in to their bank and starts a money transfer. When the submit button is pressed, the extension extracts the data from all fields, modifies values such as the amount of money and the destination recipient through the document object model (DOM) interface, and resubmits the form to the server. At this stage, the server cannot tell whether the values are the original ones or not; it therefore performs the transaction as normal and returns a receipt to the Trojan extension, which then rewrites the receipt so that the user’s intended values are displayed in the browser.
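A defender-side model of the flow in Figure 1, added here as an example and not part of the paper: because the server cannot distinguish the modified form values from the user’s own, the amount and destination the server actually executed are confirmed over a channel the browser cannot rewrite. The shared key, the confirmation device and the field names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

# Assumption (not from the paper): a key shared between the bank's server and a
# confirmation device the user holds outside the browser; the browser never sees it.
SERVER_DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(tx):
    """Stable byte encoding of the two fields the Trojan rewrites at submit time."""
    fields = {"amount": tx["amount"], "destination": tx["destination"]}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def server_execute(submitted):
    """Bank server: it cannot distinguish tampered values from genuine ones, so it
    executes exactly what arrived and returns a receipt bound to those values."""
    tag = hmac.new(SERVER_DEVICE_KEY, canonical(submitted), hashlib.sha256).hexdigest()
    return {"executed": dict(submitted), "tag": tag}


def device_confirm(receipt, intended):
    """Confirmation device: checks the receipt really came from the server, then
    compares the executed amount/destination with what the user meant to send.
    The browser can rewrite what it displays, but not this channel."""
    expected = hmac.new(SERVER_DEVICE_KEY, canonical(receipt["executed"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["tag"]):
        return "rejected: receipt not from server"
    if canonical(receipt["executed"]) != canonical(intended):
        ex = receipt["executed"]
        return "mismatch: server executed %s to %s" % (ex["amount"], ex["destination"])
    return "confirmed"


def run_scenario(intended, submitted):
    """Drive one transfer: what the user typed versus what reached the server."""
    return device_confirm(server_execute(submitted), intended)


if __name__ == "__main__":
    # Constructed sample values.
    intended = {"amount": "100.00", "destination": "ACC-0001"}
    print(run_scenario(intended, intended))                    # confirmed
    altered = {"amount": "5000.00", "destination": "ACC-9999"}  # values as rewritten at submit
    print(run_scenario(intended, altered))                     # mismatch: server executed 5000.00 to ACC-9999
```

The check only helps if the confirmation is shown on a device the Trojan does not control; a comparison performed inside the same browser DOM is subject to the same rewriting the paper describes.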
In addition, a Trojan can install itself in Firefox’s extension folder or as an Internet Explorer extension and activate every time the targeted browser is started (Leyden, 2008). There are various ways a Trojan can be embedded into a customer’s computer; for instance, when he or she views an infected email, opens an email attachment, visits and/or downloads a file from an unsecured website, or even visits a legitimate website that has been infected with a Trojan (Cronto, 2008). The attack begins with the installation of the Trojan application on the hard drive of the user’s computer for the purpose of injecting itself into the customer’s browser. Once the browser is injected, the Trojan waits for the customer to log in to their banking website and silently steals money from the customer’s account (Ilett, 2006).
How is money stolen? The Trojan monitors the user’s activity on the system and looks for data exchanged between the compromised machine and a list of pre-programmed banking sites (Leyden, 2008), then operates its functions when one of a list of filter strings, which are used to single out a specific website, is detected (Ståhlberg, 2007). Filter strings can be a URL address and/or a dialogue string such as ‘Welcome to the Bank’. A Trojan driven by filter strings, such as SilentBanker, is able to mount attacks on over 400 different bank websites worldwide without being detected by two-factor authentication (Cronto, 2008), and the Bancos.NL Trojans recognise 2,764 different bank URLs from over 100 countries (Ståhlberg, 2007).
Browser extension definitions and explosion points
The browser extension and its associated features may be defined in various ways. An extension is a small application that provides additional features to the browser (Blum & LeBlanc, 2009) and is different from an add-on or a plugin (Croll & Power, 2009). Browser extensions can be divided into four types: add-ons, plugins, browser helper objects (BHOs), and unplugs. Vugt (2009, p. 80) explained that the “Add-on is a catch-all term that includes extensions”. Pogue (2004, p. 330) added that “An add-on can be any bit of software that beefs up the Web browser.” Add-ons include alternative themes and additional language support. Add-ons affect how web pages are displayed and how a page is loaded. Examples of add-on applications are Video DownloadHelper, which captures a video file and saves it to disk, and Adblock Plus, which helps users block advertisements (Vugt, 2009). Further examples of add-on applications are Greasemonkey (Croll & Power, 2009), ActiveX Controls and the Google toolbar.
Plugins are standalone software with unlimited access that can play an audio file, show a video, or display a document in the browser. Examples include Java, QuickTime, Windows Media Player, Flash (Croll & Power, 2009), and Adobe Acrobat, whose plugin allows users to read the content of PDF files directly in the browser (Vugt, 2009).
Browser helper objects (BHOs) were developed by Microsoft. They are browser extensions implemented as in-process component object model (COM) servers that Internet Explorer loads when it starts up. In other words, BHOs are dynamically loaded libraries (DLLs) that run in the address space of the browser and embed the main window of the