You may have heard of Man in the Middle (MitM) and Man in the Browser (MitB) attacks.
When it comes to the cybersecurity of your business, these attacks, although they have been around for a long time, remain among the threats you should be aware of.
In this article, we’ll explain how MitM and MitB attacks work, as well as how you can defend against them. We will also provide examples of both attacks.
What is a Man in the Middle (MitM) Attack?
The man-in-the-middle attack is a method of espionage in which the attacker places himself between a user and the application with which they are communicating.
In some cases, they may simply listen in on communications, although they may choose to impersonate the app without the victim realizing that they are not communicating with the real app.
But in all cases, the end goal is the same: to steal personal information, be it passwords, financial information, or other sensitive material.
Man-in-the-middle (MitM) attacks are widespread; some estimates suggest that a third of all attacks use MitM techniques to steal sensitive information.
The attacker must remain invisible to the victim for a MitM attack to be successful.
While this may sound complicated, hackers have become adept at exploiting flaws and backdoors in network and Internet technologies, creating identical fake versions of the applications they target.
Public Wi-Fi networks are more likely to be used during a man-in-the-middle attack because they are generally less secure than private Internet connections.
Criminals insert themselves into the path by compromising the Internet router, or by scanning for unpatched flaws and other vulnerabilities. The next step is to intercept and decrypt the data transmitted by the victim using various techniques.
Most susceptible to a man-in-the-middle attack are financial sites, other sites that require a login, and any connection intended to be protected by a public or private key.
What is a Man in the Browser Attack (MitB)?
One of the biggest differences between a MitM attack and a MitB attack is that the latter takes place at the application layer (intercepting and altering browser content) rather than at the network layer (intercepting and modifying data packets in transit).
That means the attack can be successful regardless of whether the site you’re viewing is protected with SSL (HTTPS) or not.
The first step in a MitB attack is to infect the target computer with malware, usually a Trojan horse; the attack cannot be carried out until that infection is in place.
Once the target system has been successfully infected, the Trojan will modify the user’s browser, typically in two ways:
- Running a malicious script that configures the victim’s web browser to use a proxy server controlled by the attacker.
- Installing a compromised web browser extension controlled by the attacker.
In either case, this provides the attacker with the ability to view the messages sent and received by the infected browser and modify them.
The user will not receive any indication that something is wrong. The URL at the top of the browser will be correct, so inspecting it will not prevent the attack, and if enabled, the browser’s “malicious site” warnings will not be triggered.
The web page will appear completely legitimate even though the attacker has tampered with it.
Real-Life Examples of Man in the Middle (MitM) vs. Man in the Browser (MitB) Attacks
| Examples of Man in the Middle Attacks | Examples of Man in the Browser Attacks |
|---|---|
| Marconi Case – The first recorded man-in-the-middle attack in history took place long before the Internet was invented and involves Guglielmo Marconi, a Nobel Prize winner considered the inventor of radio. | Clampi – It was designed to collect and transmit personal information, more precisely banking information, from the victim’s computer to a server controlled by the attacker. |
| Belkin – In 2003, a Belkin wireless network router perpetrated a non-cryptographic attack. Periodically, it would take over an HTTP connection being routed through it, pass no traffic to the destination, and respond as the intended server. | Carberp – First discovered in 2009, the Carberp Trojan was designed to target Facebook. Carberp can check the status of your Internet connection, connect to remote sites over the Internet, download other malware, and execute files. |
| Lenovo Incident – Its endpoints had pre-installed software called Superfish Visual Search that made it easy to place ads even on encrypted pages. The software could be removed by Windows Defender. | Zeus – Its goal is to collect financial information through keylogging and form capture. By 2009, Zeus was found to have infected organizations including Bank of America, Amazon, NASA, and Oracle. |
How to Detect and Prevent Man in the Middle Attacks?
Detecting a man-in-the-middle attack can help a business or individual mitigate the potential risk that a cybercriminal may cause.
Here are some methods to detect them:
- Scan for strange web addresses: Have your team monitor their web browsers for strange web addresses in the search bar or URL bar. DNS hijacking can send a familiar address to a look-alike destination, typically through small changes that often go unnoticed.
- Unexpected disconnections and network delays: Some types of man-in-the-middle attacks can cause sudden and unexpected network delays or even complete disconnections. This can happen sporadically and is usually not accompanied by network problems or other obvious symptoms.
- Monitor public Wi-Fi networks: Attackers often intercept information sent on public networks or even create fake networks in public places. These networks allow cybercriminals to see all the web activity on your computer without you even knowing that you are being attacked.
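As an added example (not from the original article), here is a small Python check for the first heuristic above: it compares the hosts of visited URLs against an allow-list of expected domains and flags near-misses, known names embedded in unrelated hosts, and punycode labels. The domain list and the history URLs are constructed for the demo.

```python
import difflib
from urllib.parse import urlsplit

# Constructed allow-list of the domains a team expects to visit (assumption for the demo).
KNOWN_DOMAINS = ["bank.example", "mail.example", "intranet.example"]

# Constructed browser-history sample for the demo.
SAMPLE_HISTORY = ["https://login.bank.example/", "https://bamk.example/login",
                  "https://bank.example.evil.test/", "https://news.example.org/"]

def host_of(url: str) -> str:
    """Lower-cased host name from a URL, without scheme, port, path or credentials."""
    return (urlsplit(url).hostname or "").lower()

def classify_host(host: str, known=KNOWN_DOMAINS, threshold: float = 0.8):
    """Return ('ok', domain), ('lookalike', domain-or-None) or ('unknown', None)."""
    for d in known:
        if host == d or host.endswith("." + d):
            return ("ok", d)            # the domain itself or a real subdomain of it
    for d in known:
        if d in host:
            return ("lookalike", d)     # known name buried inside someone else's host
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", None)      # punycode: non-ASCII characters that can mimic known ones
    best, best_ratio = None, 0.0
    for d in known:
        ratio = difflib.SequenceMatcher(None, host, d).ratio()
        if ratio > best_ratio:
            best, best_ratio = d, ratio
    if best_ratio >= threshold:
        return ("lookalike", best)      # a character or two away from a known domain
    return ("unknown", None)

def scan_history(urls):
    """Flag visited URLs whose host is a look-alike of a known domain."""
    return [(u, classify_host(host_of(u))[1]) for u in urls
            if classify_host(host_of(u))[0] == "lookalike"]

if __name__ == "__main__":
    for url, match in scan_history(SAMPLE_HISTORY):
        print(f"look-alike: {url} (resembles {match})")
```

Hosts that match nothing at all are reported as unknown rather than flagged, so the threshold can be tuned per team without drowning in noise.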
Despite the endless ways these attacks can play out, there are only a few things that get exploited over and over again. To protect against MitM attacks, there are two key requirements:
- Non-repudiation: The message comes from the person or device it says it came from.
- Message integrity: The message has not been modified since it left the sender’s control.
Note that the word “message” is used generically to refer to many things, from entire emails down to the data packets lower in the protocol stack.
The same concepts apply regardless of data type.
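The two requirements above, worked through as an added Python example (not from the original article): a shared-key HMAC computed over both the claimed sender and the body lets the receiver check origin and integrity in one step, so a message altered in transit, a spoofed sender field, or a tag produced without the key is rejected. Strictly, a shared-key MAC gives origin authentication rather than third-party non-repudiation (that needs a digital signature), but it covers the property as defined above. The key and the messages are constructed.

```python
import hashlib
import hmac
import json

def _bound(sender: str, body: str) -> bytes:
    """Canonical bytes covering both the claimed origin and the content."""
    return json.dumps({"from": sender, "body": body}, sort_keys=True).encode()

def tag_message(key: bytes, sender: str, body: str) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed under the shared key."""
    tag = hmac.new(key, _bound(sender, body), hashlib.sha256).hexdigest()
    return {"from": sender, "body": body, "tag": tag}

def verify_message(key: bytes, msg: dict) -> bool:
    """Receiver side: recompute the tag over the received fields, compare in constant time."""
    expected = hmac.new(key, _bound(msg["from"], msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])

def altered(msg: dict, field: str, value: str) -> dict:
    """Copy of a message with one field changed but the original tag left in place."""
    out = dict(msg)
    out[field] = value
    return out

def demo() -> dict:
    """Constructed walk-through: genuine, body-modified, origin-spoofed and wrong-key cases."""
    shared = b"constructed-demo-key-not-for-real-use"
    genuine = tag_message(shared, "alice", "pay 10 to bob")
    # A tag computed under some other key is worthless to a receiver holding the shared key.
    retagged = tag_message(b"some-other-key", "alice", "pay 1000 to mallory")
    return {
        "genuine": verify_message(shared, genuine),
        "body_changed": verify_message(shared, altered(genuine, "body", "pay 1000 to mallory")),
        "origin_spoofed": verify_message(shared, altered(genuine, "from", "bank")),
        "tag_from_other_key": verify_message(shared, retagged),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```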
How to Detect and Prevent Man in the Browser Attacks?
One of the nastiest aspects of a Man in the Browser attack is that it is nearly impossible to detect. When you’re the victim of a MitB attack, there are no new processes to detect and no fancy URLs to inspect. Everything seems to be as it should be.
However, there are still some subtle giveaways that can sound the alarm. These hints are not unique to MitB attacks and could be a symptom of something else.
Either way, the following are worth keeping an eye out for.
- Observe additional or missing elements on the web page.
- You receive a login notification from a device you don’t recognize.
- Suddenly you are logged out of your account.
- Your antivirus detects malware on your computer.
In common phishing attacks, attackers redirect users to a website that resembles the original site and trick users into submitting their information.
Here, users still have a chance to detect the fraud, since the domain name will be different. But in man-in-the-browser attacks, users only ever visit the original website, so they have no reason to suspect anything and nothing obvious to detect.
Although the Trojans used for man-in-the-browser attacks are evolving every day, you can prevent them by being vigilant and using some technological tools.
Here are three technologies or processes you can implement to prevent MitB attacks:
- Out-of-band authentication – In this method, the browser is not used for two-factor or sometimes multi-factor authentication (MFA). Instead, the SMS function of a mobile phone or an automated phone call is used to deliver the one-time password (OTP) or secret PIN. The SMS or phone call contains all the information about the transaction together with the OTP, so the user should be attentive and check every detail received in the SMS or phone call before entering the OTP in the browser. However, you cannot trust this method 100%, because Trojans like Zeus can also compromise mobile phones and intercept incoming SMS messages.
- Manually checking your program files – Some of the common man-in-the-browser Trojans have a similar storage pattern. Be sure to periodically check the following folders:
  C:/Program Files
  C:/Program Files (x86)
  C:/Windows/Temp
  If you detect any new rogue software, scan it with anti-malware software and search the Internet for more information about it. If you find anything suspicious, remove the unknown software.
- Use security software – Antivirus software can detect and remove some man-in-the-browser Trojans. Regularly scan your devices with antivirus software. Some antivirus products also show a security dialog when something suspicious is downloaded from the Internet. However, antivirus software cannot prevent all of the latest Trojans.
Some browser security software is also available. These five solutions claim to prevent MitB attacks: Mimecast, BullGuard, IBM Trusteer Rapport, Entrust, and CodeSealers.
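The periodic folder check described above, automated as an added Python example (not from the original article): take a baseline of the three folders, store it, and later report entries that appeared, disappeared or changed in size or modification time. The demo runs against a scratch folder it creates itself; on a real Windows host you would call diff_snapshots with a saved baseline and snapshot(WATCHED_DIRS).

```python
import json
import tempfile
from pathlib import Path

# The folders the article tells you to check; on a non-Windows host pass your own list (assumption).
WATCHED_DIRS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows\Temp"]

def snapshot(dirs):
    """Record each top-level entry of every watched folder with its size and mtime."""
    snap = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue                      # folder absent on this host: skip it
        for entry in p.iterdir():
            try:
                st = entry.stat()
            except OSError:
                continue                  # unreadable entry: leave it out rather than fail
            snap[str(entry)] = {"size": st.st_size, "mtime": int(st.st_mtime)}
    return snap

def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def diff_snapshots(baseline, current):
    """Entries that appeared, vanished or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(current) & set(baseline) if current[k] != baseline[k])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed run: baseline a scratch folder, then plant a new file and grow an old one."""
    root = Path(tempfile.mkdtemp())
    (root / "KnownApp.exe").write_bytes(b"A" * 10)
    baseline_file = root.parent / f"{root.name}.baseline.json"   # kept outside the watched folder
    save_baseline(snapshot([root]), baseline_file)
    (root / "Unknown.exe").write_bytes(b"B" * 5)                  # something new appeared
    (root / "KnownApp.exe").write_bytes(b"A" * 20)                # an existing entry changed size
    report = diff_snapshots(load_baseline(baseline_file), snapshot([root]))
    return {k: [Path(v).name for v in vals] for k, vals in report.items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```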