Also reported by RSA was the fact that financial institutions in Australia, Asia and Latin America are increasingly deploying two-factor authentication for their online banking users and, as a result, have experienced an increasing number of ‘man-in-the-browser’ (MITB) attacks.
RSA reports that it has witnessed a surge in the number of MITB attacks, “especially in geographies where two-factor authentication is densely deployed --- such as the European consumer banking and US corporate banking markets.”
The security firm says a man-in-the-browser attack is designed to intercept and manipulate data as it passes over a secure communication between a user and an online application, and that a Trojan embeds in a user’s browser application and can be programmed to trigger when a user accesses specific online sites, such as an online banking site.
According to RSA, a number of Trojan families are currently being used by fraudsters to conduct MITB attacks including Zeus, Adrenaline, Sinowal, and Silent Banker, and it says some MITB Trojans are so advanced that they have “streamlined the process for committing fraud, programmed with functionality to fully automate the process from infection to cashout.”
RSA warns that what makes MITB attacks difficult to detect from the bank’s server side is that any activity performed “seems as though it is originating from the legitimate user’s web browser.”
“Characteristics such as the Windows language, user agent string, and the IP address will appear the same as the user’s real data. This creates a challenge in distinguishing between genuine and malicious transactions.”
RSA also says that man-in-the-browser as an attack vector has experienced exponential growth in the rate of infection in the last year, and it has witnessed Trojan infections increase tenfold in the last twelve months – findings which it says that are supported by other industry observations and reports.
“This growth is driven in part by the number of ‘drive by download’ infections where vulnerabilities on legitimate websites are exploited by botnets and infection kits to place an iFrame in the breached site,” RSA says.