The Magazine
Issue 13
25 May 2011

Man-in-the-browser attacks: reducing risk against alien body snatchers

RSA Security | www.rsa.com



“MITB attacks are more menacing in that instead of just taking over a user's credentials, they take over the user's device.”
-Seth Geftic

Roger from San Jose, California, writes: I have recently read about the growth of man-in-the-browser attacks and have a few concerns. What should I be doing to spot the symptoms of an attack? Also, in considering a solution to reduce my risk, what are some of the things I should be aware of?

Answer

A man-in-the-browser (MITB) Trojan is designed to read and alter data inside the browser itself, before it is encrypted for the TLS session between the user and an online application, which is why the padlock in the address bar offers no protection against it. The Trojan embeds itself in the user's browser (by hooking the browser's networking and rendering functions, or by installing itself as a browser add-on) and can be programmed to trigger only when the user visits specific sites, typically online banking sites. Once activated, it can intercept and manipulate any information the user submits, in near real time. A number of Trojan families have been used to conduct MITB attacks, including Zeus, Adrenaline, Sinowal, and Silent Banker.

MITB Trojans are very advanced, programmed with functionality to fully automate the process from infection to cash out of bank accounts. Some versions of the Zeus Trojan, for example, come with built-in mule management tools. Each time an MITB transaction is attempted through a Zeus-infected machine, the Trojan reaches out to the mule management tool and pulls the next record of a mule account that is available to accept the stolen funds.

While several other advanced threats attempt to hijack a user's account, MITB attacks are more menacing in that instead of just taking over a user's credentials, they take over the user's device. That lets them capture and reuse not only the credentials but anything else typed into the browser, including one-time passwords requested during the session. Because the Trojan's traffic originates from the user's own machine and browser, it also defeats safety mechanisms that verify where the transaction came from, such as checking the originating IP address or a device fingerprint.

You could think of MITB Trojans as the virtual version of the characters from Invasion of the Body Snatchers. They claim to be a real person, sound like a real person, look like a real person and even dress like a real person. But, they are not a real person. As a viewer, it is hard to tell the difference between the human and the alien body snatcher on the surface. But when you look closer, you can tell there is just something a bit 'off' about them. Perhaps the words they speak don't make sense, they move a little stiffly, or lack human emotion. Either way, you can tell that despite appearing to be the same on the outside, what you are looking at is actually an impersonator. Hence, we turn to the importance of behavioral analysis.

Today, financial institutions are struggling with how to address MITB attacks. Think of it in terms of behavioral analysis - if you can spot an alien body snatcher by his behavior, apply that same intelligence to identifying an MITB attack.

Behavioral analysis is a key technique for managing risk against MITB Trojans. It establishes a user's normal patterns of behavior in order to detect anything that falls outside them. At a high level, it asks, 'Is this behavior typical for this user?' More advanced methods go one step further and ask, 'Is this behavior typical for this user, or is it behavior characteristic of a Trojan?' Put another way, instead of only authenticating a user's credentials, you are also authenticating the user's behavior.

A weakness among many financial institutions is that they fail to consider the complete picture of a financial transaction. Logins are protected with strong authentication, but once the door is unlocked, cybercriminals are provided with a pass to inflict as much damage as they want, including draining an account. The activity that takes place once inside the account is what poses the most risk and requires more scrutiny. 

Transaction protection refers to the ability to monitor user activity after login. Risk scoring can be done at the login stage too, but the data available at the transaction level (payee, amount, timing, profile changes, the sequence of pages visited) is far richer and paints a much broader picture of the user. Something as simple as an update to the account profile, such as changing the contact phone number on record, can be risky, because that number is often where one-time passwords and alerts are sent.

So what constitutes unusual behavior? There are several ways to answer that question. First, there are universal indicators that hold true for the majority of users. For example, it would be unusual for a customer of a U.S. bank living in Michigan to suddenly log in to their account from Russia. A rule like this applies to online banking customers across nearly all financial institutions.

Second, there are behavioral indicators that are specific to each individual. For example, one customer may be a frequent user of online banking and transfer large sums of money on a regular basis. Therefore for this user, initiating several large payments over the course of a few days may not be suspicious. However, for another user that typically logs in to his account once a week to pay household bills, this sudden account activity would be highly suspicious. 

Finally, there are certain types of behavior that might appear to come from the real user but are actually indicators that the session has been hijacked by a Trojan. For example, an MITB Trojan can use HTML injection to add fields to the bank's own pages inside the user's session, asking for a phone number, a card PIN, or an extra one-time password that the legitimate page never requests. The bank did not render those fields, so data arriving in them, or the extra requests that accompany them, is a signal the genuine user would never produce. With advanced behavioral analysis, this type of activity immediately raises a red flag that something is amiss. The ability to apply this kind of intelligence within transaction monitoring technology is critical to preventing advanced attacks.

Some behavioral patterns can be viewed in real-time, in which case a decision has to be made about how to address high-risk transactions. Do you challenge the user visibly or do you delay and investigate? In this case, there are two primary schools of thought. Some financial institutions choose to initiate a visible challenge in an attempt to get the user to confirm their identity (or intention to conduct a transaction) via step-up authentication. Others choose to automate their security decisions through invisible monitoring and allow high-risk transactions to be sent to a team of fraud analysts for further investigation.

The ability to investigate potential fraud cases effectively relies on several factors. The most obvious is that the financial institution needs to employ a team of fraud experts. Having a fraud analyst team is fairly common in the industry, but the size and expertise of these teams vary significantly. Those with larger teams are more likely to route cases to fraud analysts for investigation. Those with fewer resources might be inclined to mitigate in real time in order to manage volume. Either way, using a risk-based approach to separate high-risk cases from the rest is critical. Too many flagged cases, fueled by false positives, increases the likelihood that an analyst will be unable to investigate everything generated, or will be more prone to error.

Again, this is where advanced behavioral analysis can help. Not only will it help determine when a case should be generated, it can determine the associated risk so that analysts can focus on the most pressing cases first. A second factor to consider is the length of time before financial damage actually occurs. This is especially important when considering the push for near real-time money transfers. And finally, it can aid in the decision to select the type of step-up authentication challenge to present to the user.   
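As an added illustration of the three indicator types described above (universal, per-user, and Trojan-specific) and of the real-time triage just discussed, the Python below scores a post-login transfer and decides whether to allow it, issue a step-up challenge, or hold it for an analyst queue ordered by risk. This is example code written for this page, not RSA's product or the column's own; the user baselines, the bank's form-field schema, the weights and the thresholds are all constructed for illustration.

```python
"""Added example: risk-scoring a post-login transfer with the three kinds of
indicator the column describes. Profiles, form schema, weights and
thresholds are all constructed for illustration, not taken from any product."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed per-user baselines: home country and recent transfer amounts.
# A real deployment would derive these from months of session/transaction logs.
USER_PROFILES = {
    "alice": {"home_country": "US", "past_transfers": [50, 120, 90, 75, 110, 60]},
    "bob":   {"home_country": "US", "past_transfers": [15000, 22000, 18000, 25000, 20000]},
}

# Fields the bank's own transfer page renders (hypothetical schema). Any other
# field in the POST body was put there by something other than the bank.
TRANSFER_FORM_FIELDS = frozenset({"to_account", "amount", "memo", "csrf_token"})

# Constructed weights and thresholds; tune against real fraud/false-positive data.
W_GEO, W_AMOUNT, W_INJECTION, W_PROFILE_EDIT = 40, 30, 50, 30
STEP_UP_AT, HOLD_AT = 30, 70


@dataclass
class Transaction:
    user: str
    country: str                   # country the session originates from
    amount: float
    posted_fields: frozenset       # field names present in the submitted form
    profile_changed: bool = False  # contact details edited earlier in this session


@dataclass
class RiskResult:
    user: str
    score: int
    action: str                    # "allow", "step_up_challenge" or "hold_and_investigate"
    reasons: list = field(default_factory=list)


def amount_zscore(amount, history):
    """How many standard deviations `amount` sits above this user's own history.
    A flat history (sigma == 0) is handled so the result stays finite or inf."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if amount == mu else float("inf")
    return (amount - mu) / sigma


def score_transaction(tx, profiles=USER_PROFILES, form_fields=TRANSFER_FORM_FIELDS):
    profile = profiles[tx.user]
    score, reasons = 0, []

    # 1. Universal indicator: session country differs from the user's home country.
    if tx.country != profile["home_country"]:
        score += W_GEO
        reasons.append(f"session from {tx.country}, home country {profile['home_country']}")

    # 2. Per-user indicator: amount far above what this particular user normally moves.
    z = amount_zscore(tx.amount, profile["past_transfers"])
    if z > 3:
        score += W_AMOUNT
        reasons.append(f"amount {tx.amount:.0f} is {z:.1f} sd above this user's norm")

    # 3. Trojan indicator: form fields the bank never rendered (HTML injection).
    injected = tx.posted_fields - form_fields
    if injected:
        score += W_INJECTION
        reasons.append(f"fields not in bank form: {sorted(injected)}")

    # Profile edits (e.g. a new contact phone) change where OTPs go; treat as risky.
    if tx.profile_changed:
        score += W_PROFILE_EDIT
        reasons.append("contact details changed in this session")

    if score >= HOLD_AT:
        action = "hold_and_investigate"
    elif score >= STEP_UP_AT:
        action = "step_up_challenge"
    else:
        action = "allow"
    return RiskResult(tx.user, score, action, reasons)


def analyst_queue(results):
    """Held cases ordered by score so analysts work the riskiest first."""
    held = [r for r in results if r.action == "hold_and_investigate"]
    return sorted(held, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    samples = [  # constructed sessions
        Transaction("alice", "US", 100, TRANSFER_FORM_FIELDS),
        Transaction("alice", "US", 5000, TRANSFER_FORM_FIELDS),
        Transaction("bob", "US", 24000, TRANSFER_FORM_FIELDS, profile_changed=True),
        Transaction("alice", "RU", 5000, TRANSFER_FORM_FIELDS | {"tan_code"}),
    ]
    results = [score_transaction(tx) for tx in samples]
    for r in results:
        print(f"{r.user:6} score={r.score:3} action={r.action:20} {'; '.join(r.reasons)}")
    print("analyst queue:", [r.user for r in analyst_queue(results)])
```

Note how the same 5,000 transfer gets a step-up challenge for alice, whose history is in the tens of dollars, but would pass untouched for bob, who moves five figures every week; that is the per-user indicator at work. The injected `tan_code` field is weighted highest because no legitimate user can produce it, which is the Trojan-specific signal the column singles out.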

Building behavioral analysis capabilities into transaction monitoring technology is necessary to defend against advanced threats, and it allows the defenses to adapt as new threats emerge. So even if a cybercriminal is able to steal users' credentials, take over their device and circumvent login authentication, there is still another invisible layer of defense that is very difficult to get around. A Trojan, no matter how sophisticated, cannot readily imitate each user's unique pattern of behavior. Just as with the alien body snatchers, behavioral analysis will be there to spot the impostors.

Biography

Seth Geftic is Senior Manager, Identity Protection and Verification at RSA, The Security Division of EMC. He is responsible for managing multiple technologies and initiatives that protect organizations against fraud and advanced threats.

